Emil Ford Lawyers

Practical Privacy Issues for Schools

Question about privacy issues in Schools?
Contact +61 2 9267 9800

Paper by Nathan Croot

 

Introduction

In 1999 on the television show West Wing, President Bartlett was considering his nomination to the United States Supreme Court. The leading nominee was an outstanding judge, who had an impeccable record and was well respected amongst jurists and politicians. However, late in the process new information came to light that threw the nomination into doubt. The judge, who otherwise was the perfect candidate, had one ideological position that caused a great deal of concern. He did not believe the US Constitution guaranteed a right to privacy. Upon hearing this revelation, the President considered whether he could nominate a judge to the highest court in the country who did not believe in protecting a right that would be the most important issue in the next century. Ultimately, the President nominated another judge, such was his belief about the importance of privacy.


Although West Wing was a fictional program, it was correct in predicting that privacy is looming as one of the most contentious, broadest and important legal issues of the new century. The publicity about privacy involving social networking sites definitely supports this position. There are a range of factors that have contributed to the increased awareness of and emphasis on privacy issues. These can be discussed at length in another forum. There is no short and simple answer. The internet, social networking sites and personal communication devices have made sharing information much quicker and easier. However, that is not to say that the internet is the cause of the problem. Privacy issues existed long before most of the population went online. The internet and speed of communication has only exacerbated the problem, rather than created it. The problem still lies with individual behaviour and individuals need to be more careful with their information and more responsible with the information of others.


The purpose of this paper is not to solve all the issues involving the privacy of students in the virtual world. There is no doubt that there are issues to be addressed in that area. However, for the most part, those are not privacy issues for schools. To the extent that they affect schools, the issues are more likely to be related to a school’s duty of care for its students. There is much more to privacy than what a student may Tweet or post on Facebook. Schools have legal obligations regarding what they may or may not do in collecting and using information. It is vital that school administrators and teachers are aware of their school’s obligations and take the necessary steps to ensure that the school meets its obligations.


What are the privacy obligations of schools?


The topic of this paper is Practical Privacy Issues in Schools. This paper will give some general practical tips for how schools should deal with privacy issues. However, in order to grasp the practical issues, it is necessary to give a brief overview of the legal obligations that are placed on schools.

Many Acts, at both the state and federal level, place obligations on individuals and/or organisations in relation to privacy. In New South Wales alone, the following Acts relate to privacy:

  • Privacy and Personal Information Protection Act 1998
  • Health Records and Information Privacy Act 2002
  • State Records Act 1998
  • Criminal Records Act 1991
  • Workplace Surveillance Act 2005
  • Telecommunications (Interception and Access) (New South Wales) Act 1987
  • Access to Neighbouring Land Act 2000
  • Crimes (Forensic Procedures) Act 20001

As can be seen from the names of the Acts, privacy issues can arise in a variety of situations, and under many different laws. Unfortunately it is not possible to set out all privacy issues for all schools in all situations. Rather, this paper will focus on the privacy principles that schools must follow.


Complicating the issue further is that not every Act applies to every school. The most important distinction is between public and private schools and which privacy principles a school must follow. Public schools must comply with the Information Protection Principles in the Privacy and Personal Information Protection Act 1998 (New South Wales). However, private schools, except in rare cases, must comply with the National Privacy Principles contained in Schedule 3 of the Privacy Act 1988 (Commonwealth).


This paper will focus on the obligations under the NPPs. Public school administrators can use the concepts discussed as a general guideline regarding their responsibilities. However, it should be noted that the principles, although similar, are not identical. If there is ever a specific question or issue, it is important for public, and private, schools to ensure that the applicable principles are followed.
Both the NPPs and the IPPs protect the personal information of individuals. The Privacy Act defines personal information as: 

Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.2

This is a broad definition and includes both written records and visual and/or audio recordings. However, it is the definition of individuals that may cause issues for schools.


The Privacy Policy and Collection Notice


The NPPs only explicitly require schools to have one document, a Privacy Policy. A school must set out in a document clearly expressed policies on its management of personal information and must make the document available to anyone who asks for it3. This requirement is very open and so there is no limit to what the policy may include. However, a school should at least include enough to ensure that its privacy policy will satisfy the requirements of NPP 5.2, which says, “On request by a person, an organisation must take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information”4.


The NPPS do not mention the need for a collection notice. However, whenever the school collects information, it must:
 

At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

  1. the identity of the organisation and how to contact it; and

  2. the fact that he or she is able to gain access to the information; and

  3. the purposes for which the information is collected; and

  4. the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

  5. any law that requires the particular information to be collected; and

  6. the main consequences (if any) for the individual if all or part of the information is not provided.

A school must take reasonable steps under this subclause. In most situations, a written notice is sufficient to meet the requirements. This notice is commonly referred to as a collection notice. Schools would be well advised to have a standard collection notice that can be included in application forms and other documents where information is requested. The collection notice does not need to be long, but it should cover points a-f to the extent that they may be applicable.


Privacy issues with children


An individual under the Privacy Act is any natural person6, in other words a human being. There is no minimum age under the Privacy Act, which means that the NPPs apply to children of all ages just as they apply to adults. This creates issues in the school environment because there is no set age for when students, rather than their parents, may make decisions about:

  • giving consent to the school collecting sensitive information,
  • requesting access to the personal information the school holds,
  • giving consent to the disclosure or use of personal information, and
  • making a complaint against the school.

Although there is no set age under the Privacy Act, schools must decide whether the student in question has “sufficient understanding and maturity to understand what is being proposed”7. This test is very similar to the one adopted by the High Court in deciding whether a minor may give consent to medical treatment8.


A school must not simply base the decision on the student’s age. Rather it must genuinely consider the student’s understanding and maturity. This is a decision that the school must make based on its, or more appropriately its staff’s, knowledge of the student. To the extent that it is possible, administrators should consult with teachers about their knowledge of the student and his or her understanding and maturity. If the school decides that the student lacks sufficient understanding and maturity, parents may make decisions on the student’s behalf.


A complicating factor for private schools is the contractual relationship between the school and the parents. There are circumstances where fee paying parents may request particular information about their child. If the school determines that the student has sufficient understanding and maturity to understand what is being proposed, the school may only disclose the information if permitted to do so under the NPPs. In most cases that means either the student must consent or the student would reasonably expect the school to disclose the information. Such situations may put the school in an awkward position where it may have to deny parents, who are paying the school fees, access to information because their child has refused consent. The enrolment contract with parents does not override the school’s privacy obligations and so the school must ensure that it complies with the legislation.


Privacy in the enrolment process


The enrolment process is one of the most important periods for collecting information. It may also be the period when a school collects most of its information about a student. However, there are some important issues that schools should consider. The following questions, and answers, highlight some of these issues.

  • What do schools need to do?

To enrol a student, a school must have certain information about the child and the child’s parents. This may include sensitive information, which includes health information. A school may collect any information that is necessary for one or more of its functions or activities. However, it must do so in accordance with the NPPs. The most important requirement that schools must comply with is taking reasonable steps to ensure that the individual is aware of the information set out in NPP 1.3. This is the information covered in the collection notice that was discussed earlier. Whenever the school collects information, it must:

At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

  1. the identity of the organisation and how to contact it; and
  2. the fact that he or she is able to gain access to the information; and
  3. the purposes for which the information is collected; and
  4. the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and
  5. any law that requires the particular information to be collected; and
  6. the main consequences (if any) for the individual if all or part of the information is not provided.10

A school must take reasonable steps under this subclause. In most situations, a notice, commonly referred to as a collection notice, is sufficient to meet the requirements. Schools would be well advised to have a standard collection notice that can be included in application forms and other documents where information is requested. The collection notice does not need to be long, but it should cover points a-f to the extent that they may be applicable.

  • From whom is the information collected?

Generally, information about prospective students is collected from parents. However, the NPPs say that, “If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual”11. In the vast majority of enrolments, it is not reasonable or practicable to collect information from children because they are too young (that is they lack sufficient understanding and maturity). Most schools also require certain information about parents, and so it may not be reasonable and practical to collect information from two sources when it can be collected from the parents alone. However, if a school is enrolling an older student, it may need to consider whether it should collect information from the parents or directly from the student. If a student is entering year 10, 11 or 12, and as far as the school can determine the student has sufficient understanding and maturity it may be prudent to have him or her sign any form that provides information to the school.


The understanding and maturity of the student will be especially relevant to sensitive information, which the Privacy Act defines as:

a.   information or an opinion about an individual's:

              i.    racial or ethnic origin; or

              ii.   political opinions; or

              iii.   membership of a political association; or

              iv.   religious beliefs or affiliations; or

              v.   philosophical beliefs; or

              vi.   membership of a professional or trade association; or

              vii.  membership of a trade union; or

              viii. sexual preferences or practices; or

      ix.  criminal record; 

      that is also personal information; or

b.    health information about an individual; or

c.    genetic information about an individual that is not otherwise health information.12


Not all the categories of sensitive information will apply to schools and students. However, it is certainly conceivable that schools will collect information about the student’s racial or ethical origin, religious beliefs or affiliations and health information. The NPPs place greater obligations on organisations collecting sensitive information and, in most circumstances, the collection of sensitive information requires the consent of the individual13. Schools need to consider, when collecting sensitive information about older students, whether the student has consented to the collection.


Health information may be collected if “the information is necessary to provide a health service to the individual”14. Schools have a duty of care to their students and so certain health information should be collected to help the school fulfil its duty of care. This will be important in emergency situations but will also be necessary if a student is taken to the school clinic.


It is also possible that a school may wish to collect information from third parties. The most common form of third party information in the enrolment process is references, either from family associates or teachers from the student’s previous school. If information is collected from a third party, the school must still take reasonable steps to ensure that the student or, if the student lacks sufficient understanding or maturity, the parents are aware of the matters listed above15. As the school will take the name of the referee and other personal information, the school should also consider its privacy obligations to the referee.

  • What information may be collected?

There are no set categories of what schools may or may not collect. However, schools “must not collect personal information unless the information is necessary for one or more of its functions or activities”. As schools have a broad range of functions and activities, there is a wide variety of information that may be necessary for schools to collect. However, that does not give schools free reign to ask for any information. From a practical perspective, schools should review their enrolment forms, and any other document requesting information, and consider what purpose the requested information will serve. If the information is not, and will never be, necessary for a function or activity of the school, the school should not ask for it.


Privacy and information sharing


Although a school has many obligations in regard to collecting information, far more notice seems to be taken, and far more issues arise, in regard to disclosing information. Practically, most individuals are far more worried about the school disclosing their personal information than they are about the school having some pieces of paper locked away in a filing cabinet.


One of the most common privacy requests that lawyers receive from schools is “Can we disclose this information about a student to a particular person?” Any good lawyer’s response should be, “Have you asked them if you can?” Before any privacy issue is considered and any time is spent considering whether the school may use or disclose the information, the school should ask the individual if he or she consents to the use or disclosure of the information. If the individual consents, the school can use or disclose the information. The NPPs are clear that if a person consents, the information may be used or disclosed17. Far too often a school’s first call is to its lawyer to give advice on the school’s obligations. In most cases, the school’s first call should be to the student or the student’s parents as the case may be.


If an individual does not consent, or refuses his or her consent, the school may still use or disclose the information, provided that it is permitted to do so under another subclause of the NPPs.


There are many situations where a school may find itself needing or wanting to use or disclose personal information. A school is always permitted to use or disclose the information for the primary purpose for which it was collected. However, a school must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless one of the exceptions under the NPPs apply18.


The school should establish what the primary purpose of collecting the information is. The context in which the information is collected by the school will give some guidance to make this determination. How broadly the primary purpose can be defined will also depend on the circumstances. For example, the information collected during enrolment may be for the purpose of enrolling the child at the school or it could be for the purpose of educating the child at the school once the child is enrolled. It may not be easy to determine which of these is the primary purpose. However, since educating the child is directly related to enrolling the child at the school, it does not make any practical difference because the school may use or disclose information for a secondary purpose that is related to the primary purpose if it is reasonable that the individual would expect the school to use the information for that purpose19. It is entirely reasonable that the school would use the enrolment information to educate the student.


There are other subclauses that set out when a school may use or disclose information in more specific circumstances, such as direct marketing, the prevention of a serious and imminent threat to an individual or the public, an investigation into or reporting of an unlawful activity, the disclosure being required or authorised by law or disclosing to an enforcement body (such as the police) in certain circumstances20. The circumstances of each situation will need to be considered for each of these exceptions.


Privacy and divided families


One of the toughest positions for a school to be in is the middle of a family dispute. There are many issues that can arise for a school when parents separate. In regard to privacy, the most common issue is what information may be sent to each parent. For private schools, the enrolment contract is vital. A school should include an enrolment condition that requires parents to provide the school with copies of any court orders affecting the family, as such orders often set out what each parent is entitled to receive. There are also non-privacy reasons why schools should have copies of court orders.
 

Usually, issues will be concerned with what the non-custodial parent is entitled to receive. The Office of the Australian Information Commissioner says that in most circumstances, it will be reasonable under the Privacy Act to allow non-custodial parents to have access to their child’s reports. However, there are times when such access will not be reasonable and schools need to be careful. An example of when sending reports is not reasonable is if there is a protection order in place against the parent, which limits the parent’s access to information21. This highlights again the importance of the school collecting copies of court orders.


Another issue that may arise is if a single parent enrols his or her child at a school and sometime in the future, the other parent, or a person purporting to be the other parent, contacts the school asking for information about the student. As has been stated, the Office of the Australian Information Commissioner has given an opinion that a non-custodial parent, which this person may be, may be entitled to the information. However, the school will not know any of the circumstances and so it must not disclose the information until it has made some enquiries and determined what is reasonable. This will most likely involve speaking to the parent who enrolled the child. This will no doubt be a difficult situation and may be met with some resistance. To save having to deal with the issue when it comes up, when emotions may be high, schools should be proactive in making enquiries about the parents of their students.


When a child is enrolled at a private school, parents inevitably have to sign a document of some kind (the enrolment contract) agreeing to certain conditions. If only one parent signs the enrolment contract, the school should enquire as to why the other parent has not signed it and make some general enquiries about the other parent. This will at least keep the school from being caught completely off guard. It may even be possible to reach an understanding with the parent enrolling the child about how to deal with the other parent if he or she contacts the school. The school should still consider the situation when it arises.


Future directions in privacy


The Australian Law Reform Commission has reviewed privacy laws in Australia and made many recommendations for changes. Some of these changes may be adopted in the coming years. The Federal Government has published an exposure draft of the new Australian Privacy Principles, which will replace both the National Privacy Principles and the Information Privacy Principles in the Privacy Act. The Information Privacy Principles apply to federal government agencies and should not be confused with the Information Protection Principles that apply to NSW government agencies under the Privacy and Personal Information Protection Act. Unfortunately at this stage, the state government agencies will not be brought under the same principles as other organisations and so there will continue to be two sets of principles for schools in New South Wales.


There is still some time before the APPs are enacted. The exposure draft is only the initial step in the process. The major differences between the NPPs and the APPs for schools relate to the requirements for notices and privacy policies. At the moment, each of these documents are implied in the NPPs without being expressly required. However, the APPs will set out the requirements more clearly and thoroughly. Other areas that will be affected are outsourcing, offshore activities, direct marketing and biometrics. These will be of lesser concern to schools. However, if a school is involved in any of these areas, it would be prudent to get some advice when the APPs are enacted.


Also of interest to schools is the recommendation that the Privacy Act includes a set age where an individual is presumed to have sufficient maturity and understanding to consent to the collection or disclosure of information. The suggested age is 15 years. If this recommendation is ever adopted, it will only be a presumption that an individual has sufficient maturity and understanding. The school will still need to consider whether, in the school’s opinion, the individual actually has sufficient maturity and understanding. However, it will at least give the school better guidance about making the decision.


Conclusion


This paper only touches the surface on one area of a school’s privacy obligations. It is not possible to give thorough and meaningful advice in an area where the facts and circumstances are so important to each situation. However, if one piece of general advice should be taken, it is this. Just as restarting a computer is the first step to take to solve most computer problems, the first step to take to solve most privacy issues is to talk to the individuals involved and check if they will consent.

Question about privacy issues in Schools?
Contact +61 2 9267 9800


1    Office of the Australian Information Commissioner Website,
      http://www.privacy.gov.au/law/states/nsw

2    Privacy Act 1988 (Commonwealth) section 6

3    NPP 5.1, Privacy Act 1988 (Commonwealth) schedule 3 subclause 5.1

4    NPP 5.2, Privacy Act 1988 (Commonwealth) schedule 3 subclause 5.2

5    NPP 1.3, Privacy Act 1988 (Commonwealth) shcedule 3 subclause 1.3

6    Privacy Act 1988 (Commonwealth) section 6

7    Office of the Federal Privacy Commissioner, Guidelines to the National Privacy Principles at 21

8    Department of Health & Community Services v JWB & SMB ("Marion's Case") (1992) 175 CLR 218

   NPP 1.1, Privacy Act 1988 (Commonwealth) Schedule 3 subclause 1.1

10  NPP 1.3, Privacy Act 1988 (Commonwealth) schedule 3 subclause 1.3

11  NPP 1.4, Privacy Act 1988 (Commonwealth) schedule 3 subclause 1.4

12  Privacy Act 1988 (Commonwealth) section 6

13  NPP 10.1, Privacy Act 1988 (Commonwealth) Schedule 3 subclause 10.1

14  NPP 10.2, Privacy Act 1988 (Commonwealth) Schedule 3 subclause 10.2

15  NPP 1.5, Privacy Act 1988 (Commonwealth) Schedule 3 subclause 1.5

16  NPP 1.1, Privacy Act 1988 (Commonwealth) Schedule 3 subclause 1.1

17 NPP 2.1(b), Privacy Act 1988 (Commonwealth) Schedule 3 subclause 2.1(b)

18 NPP 2.1, Privacy Act 1988 (Commonwealth) Schedule 3 subclause 2.1

19 NPP 2.1(a), Privacy Act 1988 (Commonwealth) Schedule 3 subclause 2.1(a)

20 NPP 2, Privacy Act 1988 (Commonwealth) Schedule 3 clause 2

21 The Office of the Australian Information Commissioner, http://www.privacy.gov.au/faq/individuals/q23

 


 

Suite 4 Level 5
580 George Street
Sydney NSW 2000
Phone: +61 2 9267 9800
Fax: +61 2 9283 2553