The recent anniversary of the commencement of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) provides a timely reminder to schools and other private educational institutions to review their compliance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
Is my school or private tertiary educational institution affected by the privacy regime?
Most private schools and private tertiary educational institutions are APP entities because they:
- are large organisations (with a turnover of more than $3 million);
- are connected to a larger organisation that is covered by the Privacy Act; or
- provide a health service and hold health information, including where providing a health service is not their primary activity.
What are the obligations of private schools and private tertiary educational institutions?
Under the new regime, a school or institution must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as practicable after becoming aware that there are reasonable grounds to believe an ‘eligible data breach’ has occurred. Eligible data breaches arise when:
- personal information held by the entity is lost or subjected to unauthorised access or disclosure (a ‘data breach’);
- the breach is likely to result in serious harm to individuals to whom the information relates; and
- the entity has not been able to prevent the risk of serious harm with remedial action.
What is serious harm?
‘Serious harm’ is intended to encompass a broad spectrum of harms, including serious physical, psychological, emotional, financial, or reputational harm.
Whether a data breach is likely to result in serious harm will depend on numerous considerations. These include:
- the type of personal information involved
- the persons who have obtained the information
- the sensitivity of the information
- the security measures protecting the information
- the circumstances of the data breach
- the nature of the harm that may result.
Serious harm is more likely if the information is ‘sensitive information’ or is commonly used for identity fraud.
Can private schools and private tertiary educational institutions give personal and sensitive information to parents who request it?
The concept of a ‘data breach’ is wide reaching and has some interesting applications in an educational context. For example, it includes situations where parents request access to a student’s private information.
Providing information such as a report card to a parent would not be considered a ‘data breach’, as in most circumstances a child would expect that information to be provided to their parents. However, schools and institutions should be mindful of other factors that may affect a student’s reasonable expectations in relation to disclosure of a report card, for example, where the parents are not the student’s primary caregiver.
Schools and institutions do collect other kinds of personal and sensitive information about their students and disclosing this information to parents could amount to a data breach. For example, a counsellor or other staff member becoming aware that a student is sexually active or being bullied and providing that information to a parent could be a data breach.
In some cases, a teacher or other staff member’s overriding reporting obligations under child protection legislation or their duty of care will mean that they must disclose the information. Disclosure would be required in a situation where a teacher or other staff member suspects that a student is at risk of harm or abuse. Students should be informed about these obligations, so they are aware that information that they have told a trusted staff member may be disclosed. It is important that staff maintain a balance between their legal obligations and maintaining a student’s trust, so that they can effectively perform their duties.
The school or institution should have policies that deal with when counsellors and staff will disclose personal or sensitive information to parents to ensure that students are aware that the information may be disclosed in some circumstances.
When deciding to disclose information about a non-education related matter to a parent, schools and institutions must consider:
- the age of the student
- the best interests of the student
- the school’s duty of care to the student and any other relevant child protection obligations
- whether the parents need to be informed
- whether the student would reasonably expect the information to be disclosed.
Schools and institutions should have policies in place that outline what non-educational disclosures may be made and to whom the information may be disclosed. These policies should be available to parents and students.
If a school or institution is unsure whether the disclosure of personal or sensitive information could amount to a data breach, it should seek advice before making that disclosure.
What do private schools and private tertiary educational institutions do if there is a data breach?
If an eligible data breach occurs, the school or institution must provide a statement to the OAIC and notify individuals at risk of serious harm as soon as practicable. If it is impracticable to notify the affected individuals, the school or institution must publish a copy of the statement on its website and take reasonable steps to bring its contents to the individuals’ attention.
The statement must include the following information:
- the identity and contact details of the school or institution
- a description of the data breach believed to have occurred
- a description of the kinds of information concerned
- recommendations about the steps individuals should take to avoid or mitigate harm from the data breach.
Importantly, the privacy regime relieves schools or institutions of the need to notify the OAIC if they take prompt action to remedy a data breach and effectively avert the risk of serious harm. This highlights the importance of having strong plans and procedures in place to respond to data breaches, as such plans and procedures may help schools avoid any possible reputational harm.