PRIVACY LEGISLATION

PRIVACY COMPLIANCE

The Privacy Amendment (Private Sector) Act 2000 amends the Privacy Act 1988, so as to also regulate the way private sector organisations, including non-government schools and systems, handle “personal information” of individuals. The purpose of the new provisions is to ensure that organisations that hold information about people handle that information responsibly. St Mary Star of the Sea College is subject to this legislation. A key component of the new legislation is the mandatory requirement for organisations to comply with the National Privacy Principles (NPPs). The NPPs set minimum standards which relate to the collection, security, storage, use, access, correction and disclosure of personal information.

OBLIGATIONS IMPOSED BY THE NPPS

This is a summary only and NOT a full statement of obligations. Only collect personal information that is necessary for your functions or activities. Use fair and lawful ways to collect personal information. Collect personal information directly from an individual if it is reasonable and practicable to do so. Get consent to collect sensitive information unless specified exemptions apply. At the time you collect personal information or as soon as practicable afterwards, take reasonable steps to make an individual aware of:

• why you are collecting information about them
• who else you might give it to
• and other specified matters.

Take reasonable steps to ensure the individual is aware of this information even if you have collected it from someone else. Only use or disclose personal information for the primary purpose of collection unless one of the exceptions in NPP 2.1 applies (for example, for a related secondary purpose within the individual’s reasonable expectations, you have consent or there are specified law enforcement or public health and public safety circumstances). Note that:

• if the information is sensitive, the uses or disclosures allowed are more limited. A secondary purpose within reasonable expectations must be directly related and the direct marketing provisions of NPP 2.1(c) do not apply.

Take reasonable steps to ensure the personal information you collect, use or disclose is accurate, complete and up to date. This may require you to correct the information. Take reasonable steps to protect the personal information you hold from misuse and loss and from unauthorised access, modification or disclosure.

St Mary Star of the Sea College – Privacy


Take reasonable steps to destroy or permanently de-identify personal information if you no longer need it for any purpose for which you may use or disclose the information. Have a short document that sets out clearly expressed policies on the way you manage personal information and make it available to anyone who asks for it. If an individual asks, take reasonable steps to let them know, generally, what sort of personal information you hold, what purposes you hold it for and how you collect, use and disclose that information. If an individual asks, you must give access to the personal information you hold about them unless particular circumstances apply that allow you to limit the extent to which you give access - these include emergency situations, specified business imperatives and law enforcement or other public interests. Only adopt, use or disclose a Commonwealth Government identifier if particular circumstances apply that would allow you to do so. If it is lawful and practicable to do so, give people the option of interacting anonymously with you.

HOW TO COMPLY

A “standard collection notice” would be reproduced in enrolment forms, be contained in the school’s Privacy Policy and should be located on the school’s website. All current parents should be sent a copy of the “standard collection notice”. The school should consider placing a “standard collection notice” in other relevant documents. The “standard collection notice” should be distributed with all enrolment forms to pupils’ parents. It could also be placed in each pupil’s school diary. It is suggested that the notice be sent each year to parents of pupils at the same time as other materials are sent. It should be updated annually.

SPECIAL ISSUES FOR SCHOOLS

CONSENT AND YOUNG PEOPLE

A parent is recognised by the common law as having the right to make decisions concerning the child’s education and to bring up their child in the religion of their choice. One approach would be for the school to adopt the view that in many circumstances the contract with the parents will govern their relationship with the child in relation to privacy, and thus consents given by parents will act as consents given on behalf of the child and notice to parents will act as a notice given to the child. A school should recognise that young people do have rights under the Act and in some circumstances it would be appropriate to seek consents from them, particularly when they are older. In respect of collecting personal information about pupils from parents, it is suggested that it is sufficient if parents be given a collection notice informing them of the requirements set out in NPP 1.3 and pupils do not have to be specifically informed.


Another potential concern is that pupils may attempt to claim a right to prevent disclosure of personal information to a parent, such as their school report. The “standard collection notice” seeks to overcome this by informing parents that the school will disclose personal information about a pupil to the pupil’s parents.

DUTY OF CARE AND OBLIGATIONS OF CONFIDENCE

The common law imposes a duty of care on schools which they must exercise in relation to pupils and staff. It can be contended that schools are required by this common law (duty of care) to collect certain personal and sensitive information in order to comply with this duty.

PASSING INFORMATION IN A SCHOOL COMMUNITY

The guiding principle is to show sensitivity in exercising a judgement as to when it is appropriate to disclose personal information.

SCHOOL DIRECTORIES

School directories and class lists which contain students’ and parents’ names and contact numbers, and class lists containing similar information, will involve the disclosure of personal information to others. Such a use of individuals’ personal information may not be reasonably expected by the individual concerned. To avoid any doubt, schools should obtain the consent of parents (on their own and their child’s behalf) to place their details in the school directory or class list.

SCHOOL PUBLICATIONS

School publications, such as newsletters, magazines and alumni publications, usually contain personal information obtained either from the relevant individual or from other sources. Personal information which is collected for inclusion in a school publication should be collected directly from the individual, particularly where the information relates to personal or private matters.

RELEVANT EXEMPTIONS

EMPLOYEE RECORDS

An act done, or practice engaged in, by an organisation that is or was an employer of an individual is exempt from the scope of the Privacy Act if the act or practice is directly related to:

• a current or former employment relationship between the employer and the individual, and
• an employee record held by the organisation relating to the individual.
