Schools collect and receive personal and sensitive information on a daily basis. What are the legal requirements for managing and using this data?
Much of the personal and sensitive information collected by schools is, of course, essential to their day-to-day running.
This information can relate to students, parents and guardians, job applicants, staff members, volunteers and contractors, and others who come into contact with the school.
Following significant changes to the Privacy Act 1988 (Act), which took effect from 12 March 2014, schools need to consider how they use and manage such information, so as to avoid significant penalties.
What is ‘personal information’?
It is important for schools to understand the definition of ‘personal information’. Previously, for information to be considered personal it had to identify the individual concerned or make the identity apparent, or reasonably ascertainable.
Following changes to the Act, a broader definition now applies. Personal information now includes information about an individual which, when combined with other information (which may not be controlled by the same entity), identifies an individual or renders the individual reasonably identifiable.
Therefore, to ensure compliance with the Act, it is important for schools to understand what type of information is considered personal information and is therefore subject to the Act.
Information that falls within the definition of personal information includes:
- full name;
- contact details;
- birth certificate;
- school reports; and
- education details.
Information that is collected by a school that is of a more personal nature falls within the definition of ‘sensitive information’. If sensitive information is collected by a school, the school must comply with stricter rules relating to the use and disclosure of that information.
Sensitive information includes information about:
- race or ethnicity;
- political opinions and/or memberships;
- religious beliefs or affiliations;
- philosophical beliefs; or
- memberships of a professional or trade association;
- sexual orientation;
- health records;
- tax file numbers; and
- criminal records.
Australian Privacy Principles
In addition to expanding the information that is caught by the Act, changes to the Act also introduced 13 new Australian Privacy Principles (APPs). Any business that has one of the following characteristics is now subject to the APPs:
- a business with an annual turnover of more than $3 million;
- a Federal Government agency;
- a provider of a health service (regardless of turnover);
- a business that is in receipt of payment for collecting or disclosing personal information; (regardless of turnover);
- a provider of contractual services to the Commonwealth, including all Federal Government contractors (regardless of turnover).
Therefore, all private schools are generally covered by the Act, meaning that they must comply with the APPs. Although public schools are not covered by the Act, they will be subject to state or territory privacy laws.
Whilst it is important for schools to have a detailed understanding of all of the APPs, the following provides an overview of the particularly pertinent aspects.
APP 3: collection of personal information
Pursuant to this APP:
- A school must only collect personal information if that information is reasonably necessary for one or more of a school’s activities. For example, providing schooling to the student.
- A school must only collect personal information from the individual to whom the information relates, unless the individual consents to information being collected elsewhere, or it is unreasonable or impractical to obtain consent, for example, if dealing with a minor. Consequently, if a school is dealing with older students (for example, students in Years 10-12) it is important that the school obtains that student’s consent in circumstances where a parent or guardian signs a document on behalf of the student that discloses personal information. Such consent can be obtained when the student enrols at the school.
- If a school collects sensitive information, it must only do so with the consent of the individual.
APP 4: unsolicited personal information
Information will be unsolicited if it has not actively been acquired by a school; for example, if the information was not acquired directly from the individual or requested from a third party. If a school could not have collected the information in accordance with APP 3, the school must destroy or de-identify the information as soon as possible.
APP 5: notification of collection of personal information
APP 6: use and disclosure of personal information
A school can only use and disclose personal information for the purpose for which it was collected. It can be used for a secondary purpose only if the individual consents.
The reforms give the Australian Information Commissioner increased enforcement powers, which includes, but is not limited to: impose civil penalties in the case of serious or repeated breaches of privacy (up to $340 000 for an individual and $1.7 million for a corporation); impose criminal penalties; and/or conduct assessments of privacy performance for both Australian government agencies and businesses.
So, what do schools need to do?
- Given the significant penalties for breaching the Act, participants in the education sector must (if they have not already done so):
- review and update practices, procedures and systems relating to the way in which they collect, manage and use personal information to ensure compliance with the Act; and
Download a pdf version of this article: Legal matters: Schools and data privacy
If you would like more information about your obligations under the Act, please contact:
This article first appeared in Teacher, published by ACER. Reproduced with kind permission. Visit www.teachermagazine.com.au for more.