Emil Ford Lawyers

A costly breach of privacy principles

The Privacy Commissioner has issued a determination with respect to the handling of a complaint of sexual abuse by the religious organisation which operated a Brisbane school.


A former student of the school made anonymous complaints to a newspaper and later to the religious organisation which operated his school. The student then requested compensation from the religious organisation to settle his complaint.

The religious organisation obtained legal advice and confirmed the complaints. Its lawyers drafted a response, which was referred to the school and the school council for its consideration. The school issued the school council with information packs which contained information about the allegations and the identity of the former student. The information pack was also sent, in error, to a member of the school staff who attended the meeting but was not a council member. The purpose of the meeting was to consider the proposed response but not to verify the claims.

The student made a complaint that the religious organisation had breached the National Privacy Principles (NPPs) with respect to his personal information. The NPPs have been replaced by the Australian Privacy Principles (APPs). The matter was referred to the Privacy Commissioner after the APPs came into force. However, the alleged breaches occurred before the APPs came into force. Therefore, the Privacy Commissioner made the determination under the NPPs. The relevant principles are very similar and the change of principles is very unlikely to change any aspect of the determination.

What information was necessary?

The Privacy Commissioner found that it was necessary for the religious organisation to liaise with the school in order to appropriately respond to the allegations and that, given the legal structure of the religious organisation and the school council’s role in that structure, the disclosure of information was a use of information within a single legal entity.

The legal structure of a school and any “parent” organisation may be significant in determining when and how information may be shared.

However, the Privacy Commissioner also found that the religious organisation could have taken further reasonable steps to protect the student’s privacy. The main issues were that the student’s identity was unnecessarily disclosed and that a non-council member was unnecessarily provided with the information pack.

How are your school’s privacy procedures?

Schools need to ensure that they have procedures in place to protect an individual’s privacy. This is particularly important when dealing with information that is highly sensitive and could cause serious distress to an individual if it was misused, lost or disclosed.

Schools should carefully consider whether it is necessary to identify an individual before doing so. In this case, the school did not need to know the identity of the student to consider the proposed response to the student when the religious organisation had verified the allegations. The situation may be different if the religious organisation had asked the school council to consider the veracity of the claims.

Schools also need to ensure that they have appropriate procedures in place to control the disclosure of information. If someone does not need an individual’s personal information, schools should not give it to him or her.

The cost

The Privacy Commissioner ordered the religious organisation to pay the former student $7,500 in damages.

Contact if you have questions regarding privacy.

Suite 4 Level 5
580 George Street
Sydney NSW 2000
Phone: +61 2 9267 9800
Fax: +61 2 9283 2553