Student privacy in the digital age

Student privacy in the digital age
Protecting student privacy has become one of the most critical considerations for senior leadership teams at schools. With the rise of BYOD, third-party storage in the cloud, and third-party learning sites, it’s important that school leaders are aware of their legal obligations to ensure the data collected is secure.

John Gallagher, senior associate Clyde & Co, spoke recently at the Education Law Masterclass. He outlined to delegates both the legal landscape regarding data privacy and how schools can protect this data.

Gallagher reminded delegates of their legal obligations by outlining the Privacy Act 1988 (as amended in 2014):
  • The act covers personal and sensitive information only
  • The act outlines the “duty to avoid acts and practices that interfere with privacy of individuals or that would otherwise have adverse affects on privacy of individuals”.
  • The Australian Privacy Principles (APPs) replace Information Privacy Principles and National Privacy Principles.
Most private schools and private tertiary education institutions are covered by the APPs and the Privacy Act either because they:
  • have a turnover of more than $3m;
  • are connected to a larger organisation which is covered under the Privacy Act; or
  • they provide a health service or hold health information. This applies even though the provision of a health service is not an educational facility’s primary activity.
Public schools and universities in NSW have privacy obligations under:
  • the Privacy and Personal Information Protection Act 1998; and
  • the Health Records and Information Privacy Act 2002.
 These requirements substantially mirror the obligations for private schools under the Privacy Act.

Gallagher reiterated that it’s also beneficial to understand in greater detail two key phrases: “personal information” and “sensitive information”.

“Personal information” consists of “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
     (a) whether the information or opinion is true or not; and
     (b) whether the information or opinion is recorded in a material form or not.”

This would typically include information such as name, email/postal/residential address, telephone number, date of birth.

It can include (when couples with the above): school details, school reports, exam results, and educational details.

“Sensitive information” requires an added layer of protection. It consists of:
  • information or an opinion about an individual's including:
racial or ethnic origin; political opinions or membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual orientation or practices; criminal record; or
  • health information about an individual; or
  • genetic information about an individual that is not otherwise health information.
How does this apply to schools? Gallagher suggested that as a minimum, the key privacy obligations for schools are:
  • have an up to date privacy policy;
  • only collect and hold information that is reasonably necessary for the school to carry out its activities (the primary purpose) – do not collect ‘nice to have information’;
  • receive parental consent to collect and hold sensitive (including health) information;
  • only use and disclose personal information for the purpose for which it was collected (unless an exception exists);
  • take reasonable steps to protect personal information; and
  • take reasonable steps to destroy or de-identify information which is no longer needed.
Gallagher also suggested some best practice tips:
  • Save electronic files to the appropriate system - not to open drives.
  • Lock any desks or cupboards which house documents containing Personal or Sensitive Information not available to all staff.
  • Lock screens when leaving them unattended.
  • Use strong passwords.
  • Encrypt files, where necessary.
  • Ensure no Personal Information or documents containing Personal Information are left in common areas without adequate security in place.
  • Regularly liaise with the Privacy Officer if you have questions.
In part 2, The Educator will explore privacy obligations around BYOD and wearable technology, and third-party learning sites.