
Top Seven Privacy Essentials (and then there’s COVID-19 privacy…)

5/05/21
Resources
NSW

To celebrate Privacy Week, we are hitting you with a top seven privacy implementation checklist for schools. This is not meant to be comprehensive; it is designed to be a shot of ‘privacy espresso’. And then we will touch on the COVID issues.

 

1. Do you have an up-to-date Privacy Policy?

Is it easily accessible i.e. on your website? Is it linked to all of your collection notices (see item 5)? Does it cover all of the main uses in relation to the personal information that your school collects? Have you removed outdated references to the NPPs (National Privacy Principles) and replaced them with references to the APPs (Australian Privacy Principles)?

 

2. Do you actually know about all the types of personal information that your school collects – both the information formally requested by the school as well as the little lists that are being kept by your front desk staff and teachers?

Do you know how this information is being used and to whom it is being disclosed? Consider conducting a personal information audit to be completed by different departments and sections of the school, and conduct it annually.

 

3. Do you have a privacy officer?

While this is not required under the Privacy Act, it is recommended by the privacy regulator. And it makes a great deal of sense to have someone who can consistently and knowledgeably address tricky questions such as when not to give parents access to some of their child’s personal information, or how much access to give to an unsuccessful job applicant wanting to see their interview and selection reports and, even more importantly, how to respond to a potential data breach.

 

4. Do all of your staff understand the personal information that they collect, hold, or use and their obligations with respect to protecting it and maintaining the appropriate level of confidentiality?

Note that this is not just about communicating the school’s Privacy Policy, but about staff training, specific privacy procedures, and monitoring compliance.

 

5. Do you have collection notices (written on forms or, if oral, gathered over the telephone or face-to-face) whenever it is reasonably practicable to provide them, every time that the school or its staff collect personal information?

Collection notices are a form of consent, so it is not adequate to have a single collection notice on enrolment and rely on that for any and all use of the child’s name and images outside of the normal school curriculum, such as on the school website or Facebook page or for marketing purposes.

 

6. Are all staff aware of what constitutes a data breach and who to notify if that happens?

And does the school have a data breach response plan that includes when and how to notify affected individuals and the privacy regulator, the Office of the Australian Privacy Commissioner (OAIC)? Where an unauthorised disclosure of personal information occurs, such as a lost or stolen laptop or USB, emails or letters sent to the wrong person, hacking, or just information given to the wrong parent, the faster the response, the greater the chance that no serious harm will result. If there is a risk of serious harm, this becomes a Notifiable Data Breach (NDB) and the affected individuals and the OAIC must be notified, and any mitigating actions must be put in place.

 

7. Does the school’s complaints procedure enable complaints to be made anonymously?

APP 2 requires organisations to provide the option for any interaction with the school to be made anonymously or using a pseudonym, unless it is impracticable to do so. While an enrolment application can obviously not be done anonymously, complaints can and should have an option to be lodged anonymously.  

 

And then there is COVID-19 personal information and privacy…

The OAIC has issued guidance on how organisations should be addressing personal information relating to COVID-19. As the information is likely to be health-related and therefore sensitive (Do you have any cough/cold symptoms? Have you been in touch with someone who has COVID-19? Have you had COVID-19/been in quarantine and, if so, have you been cleared to come back to work? etc.), it is no surprise that only the minimum amount of information should be collected, that it must be used or disclosed on a strict need-to-know basis, and that it must be stored securely. The same requirements apply to collecting information from contractors, visitors and students.

Of particular interest is the approach that the OAIC takes to privacy obligations relating to staff and COVID-19 vaccinations. The OAIC states that, even though employee records are exempt from the application of the federal Privacy Act, the collection of employee records is not exempt. Consequently, the OAIC advises that an employer must seek the employee’s freely given consent to disclose their COVID-19 vaccination status and be able to justify the collection as reasonably necessary for one or more of its functions and activities. The OAIC warns that this vaccination status information must not be collected ‘just in case’ if the purpose of collecting it can be achieved without collecting the vaccination status information.

In the case of schools, and in particular those with boarding facilities, early learning centres or located in cities, it is highly likely that collecting vaccination information will be reasonably necessary to minimise the risk of illness of staff and students, bringing it within both workplace health and safety legislation and student duty of care requirements.

In relation to obtaining an employee’s freely given consent, attention should be paid to the OAIC warning that the imbalance of power between the employer and the employee “may cause employees to feel pressured or obligated to provide their consent”. However, the recent cases* relating to mandating (standard) flu vaccinations for childcare and aged care staff, in which the Fair Work Commission held that it was a reasonable and lawful direction to direct staff to have flu vaccinations in those specific circumstances, provided that there was adequate consultation with staff, lend some hope of a sensible outcome in relation to the collection of COVID-19 information.

Looking at the individual circumstances and risks in your school and addressing the issues and concerns of staff (not only those relating to privacy) will be important in negotiating a safe and sustainable outcome in managing the COVID-19 risks.

*Ms Bou-Jamie Barber v Goodstart Early Learning Limited [2021] FWC 2156

  Arnold v Goodstart Early Learning Limited [2020] FWC 6083

About the Author

Svetlana Pozydajew

Svetlana is Principal Consultant Workplace Relations at Ideagen CompliSpace. She has over 25 years of experience in strategic and operational human resource management, workplace health and safety, and design and implementation of policies and change management programs. She has held national people management responsibility positions in the public and private sectors. Svetlana holds a LLB, Masters in Management (MBA), Master of Arts in Journalism, and a Certificate in Governance for not-for-profits.
