It is apparent that the days are long gone of insisting that a school’s duty of care to its staff and students ends when the bell rings and everyone leaves the school grounds. The boundaries between what is and what is not a risk that a school needs to take responsibility for have become less clear. Duty of care used to be determined by when a ‘relationship’ existed between student and staff/school, or in the case of health and safety, between staff and the school. Social media use by students and staff can blur the boundaries between what is personal and professional (in relation to staff) and what is personal and in a student capacity (in relation to students). Social media use that occurs after hours and outside of the school can have a significant effect on the school and relationships within the school and school community. This means that schools are increasingly being drawn into matters that used to be considered well outside their jurisdiction but for which they are now being held responsible or even legally liable.

There is no doubt that the online vulnerability for schools is considerable and growing. It can take just one poorly phrased comment, one re-tweet of an inappropriate post or one bad choice of image selection by a staff member or student for a situation to spiral out of control. The risk to a school can be significant. The impact of these ill-judged decisions can severely affect the person concerned and affect the school’s brand and reputation; both operationally and financially.

Using examples of strategic risks taken from the CompliSpace paper “12 Key Risks for School Boards to Consider in 2019” the more common risks that arise in relation to social media use relate to:

• privacy and confidentiality
• IT systems and security failures
• brand and reputation
• staff or student harassment, discrimination and bullying
• child safety and maintaining a child safe culture.

Boards and school leaders need to proactively consider their school’s social media risks.  The consequences of failing to manage these risks may be social (affecting trust and relations among students, staff, parents or volunteers); operational (reduced productivity); industrial-related (formal warnings or a termination of employment); legal (where there are breaches of privacy or occupational health and safety legislation) or the risk may have the potential to affect a school’s reputation and therefore its ability to attract and retain students.   Maybe not tomorrow, or next week, but it’s only a matter of time before most schools will have to respond to an incident resulting from social media usage.

Privacy and Confidentiality

Privacy

A school is considered to hold personal information if it has possession or control over a record that contains the information including a record that the school has the right or power to deal with. All networks, including those associated with billing, student information, parent information, marketing databases, remote devices and paper files must be protected.

Since 2014, with the major changes to the Privacy Act 1988 (Cth) (Privacy Act) and again in 2018 with the passing of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), most schools now have a public facing privacy policy and some privacy collection notices.

However, nearly five years later, there are still some schools that do not have any other policies, procedures or systems to support compliance with the Australian Privacy Principles (APPs). There are significant financial penalties arising from a failure by a school to take measures to protect the data it holds and discloses, with maximum penalties for data breaches causing significant harm in the vicinity of $2 million for an organisation and in the hundreds of thousands of dollars for individuals within those organisations.

School-sanctioned social media usage that is not closely monitored opens the door for possible data breaches. For example, the act of posting a student image online, without formal written consent, could be considered to be a breach of the Privacy Act. A Notifiable Data Breach (NDB) arises when there is unauthorised access to, unauthorised disclosure of, or loss of, personal information that a school holds and where it is likely to result in serious harm to affected individuals. The serious harm can be physical, psychological, emotional, financial or reputational.

Some steps that schools should seriously consider in addressing risks associated with privacy include:

• ensuring that they have a properly implemented and documented privacy program that sets out how to manage each of the 13 APPs
• ensuring that all staff understand their obligations under the Privacy Act and, in particular, their obligations in relation to disclosing information and when to seek consent to use images or names in social media
• developing a data breach response plan and ensuring that staff are trained to recognise data breaches that may trigger the NDB requirements.

Confidentiality

Staff must also be made aware of what constitutes confidential information that must not be disclosed without authorisation by the school. While staff may be justifiably proud of work they have developed as part of their teaching role, even where it goes beyond the normal expectations of their particular job, this is intellectual property which is usually owned by the school. This means that the staff member cannot publish this information on social media without authorisation by the school.

IT Systems and Security Failures

In the context of protecting school information from unauthorised disclosure on social media, it goes without saying that the school should ensure that systems are secure, and that there are appropriate protocols in place to protect passwords and establish firewalls. However, the next critical step is to provide teachers and other staff, students, volunteers and contractors with information about the consequences of lax social media security, guidance on how to protect their own data and social media accounts and support in relation to privacy settings and password protection.

Students must be educated about the privacy expectations regarding online usage to protect the school’s information but even more importantly to protect the students themselves from online predators. Hopefully this will also protect them from engaging in harmful behaviours such as stalking, sexting, bullying and harassment. School Governance published a suggested list of activities that schools may wish to investigate in relation to student IT access and use.

Brand and Reputation

It is difficult to estimate the severity and impact of a school social media faux pas, particularly when it enters the wider media.  However, it is clear that reputational damage can be significant. Schools take an immense amount of time and effort to develop both their brand and their good reputation. It can take just one negative social media issue to result in many years of hard work and cultural change coming crashing down in an instant.

While it is impossible to stop parents entirely from engaging with or about the school on social media, particularly if they use social media to voice a complaint or concern, this can be mitigated if the school has clear informal and formal channels within the school for raising complaints and grievances, where those grievances will be assured of a fair hearing.

A Parent Code of Conduct with respect to social media use by parents, should make it clear that, when parents use social media in relation to the school, staff, and students, they must communicate in a manner that is respectful and consistent with the school values. Making parents aware of these requirements at the time of enrolment would serve to entrench this requirement.

As with parents, having robust, transparent and fair internal grievance procedures for staff can reduce the incidence of staff venting on social media. A clear and well-communicated Social Media Personal Usage Policy is key to setting expectations in relation to what will be considered inappropriate conduct on personal social media accounts.

Many schools will have established some sort of presence on social media to more proactively manage their online branding. Once again, there are risks involved in well-intentioned but short-sighted online activity by staff. Schools should, therefore, develop and implement a Social Media Business Usage Policy (in addition to a Social Media Personal Usage Policy) whose purpose is to set guidelines with respect to the administration and/or publication of content on the school’s preferred social media platforms, as well as how to respond to certain issues.  This should be supported by a training program designed by the school for staff that must be undertaken before the staff are authorised to publish content on the school’s social media platforms or on the school’s behalf.

New White Paper: Managing Social Media Risks in Schools

Next week, CompliSpace is releasing a new White Paper: Managing Social Media Risks in Schools. To download a preview copy of this White Paper, click here.

In part two of this article, we look at the social media risks associated with harassment, discrimination and bullying and child safety and maintaining a child-safe culture.

Authors

Craig D’cruz

With 37 years of educational experience, Craig D’cruz is the National Education Lead at CompliSpace. Craig provides direction on education matters including new products, program/module content and training. Previously Craig held the roles of Industrial Officer at the Association of Independent Schools of WA, he was the Principal of a K-12 non-government school, Deputy Principal of a systemic non-government school and he has had teaching and leadership experience in both the independent and Catholic school sectors. Craig currently sits on the board of a large non-government school and is a regular presenter on behalf of CompliSpace and other educational bodies on issues relating to school governance, school culture and leadership.

Svetlana Pozydajew

Svetlana is a Senior Consultant at CompliSpace. She has over 20 years of experience in strategic and operational human resource management, occupational health and safety, and design and implementation of policies and change management programs. She has held national people management responsibility positions in the public and private sectors. Svetlana holds a LLB, Masters in Management (MBA), Master of Arts in Journalism, and a Certificate in Governance for not-for-profits.