Schools

Schools and the Privacy Act

69.41 School is the most significant institution in the lives of the majority of children and young people. Schools collect and hold a vast array of personal information regarding children and young people, including names, addresses, family information, subjects studied, grades and behavioural information. Schools often will hold health information about children and young people, either collected directly from the child or young person (or their parents or guardians), or collected as part of a service offered within the school, such as visits to a school dentist, nurse or counsellor. Photos and videos of children and young people taken by the school also fall within the definition of personal information.

69.42 With the exception of the ACT, government schools are not covered by the Privacy Act but are subject to any state or territory privacy legislation or scheme covering the public sector. Some states and territories have a privacy policy or privacy code that applies to all of their schools.[40] Further, many schools have developed policies or practices dealing specifically with the publication on their websites of photographs or videos depicting children and young people.[41]

69.43 Private schools are covered by the Privacy Act unless they fall within the small business exemption.[42] Even smaller private schools are likely to be partly covered by the Privacy Act. Information relating to the provision of a health service, which includes physical education classes or fitness instruction, as well as services provided by nurses and other health professionals, is regarded as ‘health information’ and is regulated by the Act.[43] The OPC takes the view that, in most instances, private schools and colleges are covered by the Act and should comply with the National Privacy Principles (NPPs).[44]

69.44 One of the key issues relating to access to the records of a child or young person is whether the school can disclose a record to a parent or guardian. In the private school context, it is generally the parents or guardians who enter into a contract with the school to provide a service. Schools subject to the NPPs, however, must disclose personal information regarding the child or young person only in accordance with the NPPs.

69.45 Advice from the OPC suggests that most personal information collected by a private school may be disclosed to parents under NPP 2.1(a), as in most cases students reasonably would expect disclosure of the information to parents. The OPC indicates that generally students would expect the disclosure of school reports, and also material not related to education, such as health information or counselling records.[45] For older students, however, these expectations may differ in relation to some records containing sensitive information. The OPC suggests that it is good practice, particularly in respect of older students, for schools to have a policy on the disclosure of records to parents.[46] This policy also should be made available to parents and students. A number of policies relevant to government schools suggest that parents should have access to their child’s records, at least until the child turns 18.[47]

Issues regarding handling of personal information by schools

69.46 A number of bodies that act on behalf of children and young people made submissions to the Inquiry highlighting concerns about privacy in schools. The concerns included:

  • inconsistencies in privacy policies and practices at different schools;[48]

  • increasing amounts of personal information being collected by schools for risk management purposes. It has been suggested that while the collection is being done with consent, there are increased dangers of inappropriate disclosure;[49]

  • examples of private schools contracting away a student’s right to privacy in a standard form agreement with fee paying parents for the provision of education to the student;[50]

  • intrusive practices that breach privacy, sometimes supported by school policies;[51]

  • the interpretation of NPP 2 by schools to justify disclosure without consent of personal information about students to parents, on the basis that it is a disclosure reasonably expected by the student. It was submitted that the views, age and maturity of each student should be taken into consideration, and the student should be given the opportunity to object to disclosure in particular circumstances;[52]

  • the need for funding for schools to develop and implement clear privacy policies, including informing parents of the privacy rights of students, and the development of a school privacy audit tool to measure how effectively students’ privacy is being respected and protected;[53] and

  • the need for stronger sanctions for schools failing to adhere to privacy laws.[54]

69.47 The Australian Privacy Foundation raised concerns about the increasing use of technology in schools involving the collection and storage of personal information—such as fingerprinting for school library services, swipe cards for monitoring attendance, and the use of closed-circuit television (CCTV) for security purposes.[55] The Australian Privacy Foundation noted that such technology is often introduced for administrative convenience with little regard for privacy concerns. It argued that further consultation on such developments should be undertaken before such technology is introduced.[56]

69.48 The National Catholic Education Commission (NCEC) and the Independent Schools Council of Australia (ISCA) provided the ALRC with a copy of their Privacy Compliance Manual, which was developed in conjunction with the OPC.[57] The NCEC and ISCA indicated that the Manual has been an effective tool in assisting non-government schools to comply with the Privacy Act, and that there have been very few expressions of concern to those bodies about infringements of privacy.

69.49 The NCEC and ISCA indicated that schools rely on the consent of a parent (regardless of the age of the student) to collect a student’s personal information.[58] On the issue of disclosure of personal information about students to parents, the NCEC and ISCA suggested that schools should be able to use a ‘best interests of the student’ test to determine whether personal information should be disclosed.[59]

69.50 The NCEC and ISCA raised a number of other circumstances in which the Privacy Act and the NPPs make it difficult for schools to comply with privacy laws. For example, it was suggested that the existing exceptions to allow refusal of access to an individual’s record were too limited to cover the full range of circumstances in which access should be able to be refused.[60] These concerns were considered by the ALRC in developing the ‘Use and Disclosure’ principle.[61]

69.51 The NCEC and ISCA also noted provisions in New South Wales and Queensland legislation that authorise the transfer between schools of personal information about a student, without the consent of the student or the student’s parent or guardian, before enrolment of the student in a new school.[62] The purpose of the provisions is to allow the new school properly to assess behavioural issues and consider the health and safety of the transferring student and other students in the school. In the past, this kind of information was not always disclosed to the new school due to privacy concerns. The NCEC and ISCA suggested that such a provision should be included in the Privacy Act, therefore ensuring the uniform operation across all Australian states and territories. In particular, the provision should cover the interstate transfer of students.[63]

69.52 The ALRC notes that a national protocol has been developed through the Ministerial Council on Education, Employment, Training and Youth Affairs (MCEETYA) to provide for transfer of personal information when students transfer interstate. The protocol covers both government and non-government schools.[64] The protocol provides for transfer of personal information from a government school only with the consent of the parent or guardian and, where the student is aged 16 or over, the consent of the student. Consistent with information privacy laws in most Australian jurisdictions, the protocol suggests that transfer may be possible without consent if required to prevent a serious risk to the student or to public health and safety. The protocol establishes that consent is not required if a non-government school has a data collection notice that complies with the NCEC and ISCA Privacy Compliance Manual advising parents, guardians and students that personal and sensitive information may be disclosed to other schools for administrative and educational purposes.[65]

69.53 School counselling is another area where privacy concerns arise. Most secondary schools provide a school counsellor on a full-time or part-time basis, and most primary schools have access to a school counsellor. While school counsellors are an important resource for young people, research suggests that concerns regarding confidentiality are a key reason why young people do not seek the assistance of a counsellor.[66] Policies regarding the confidentiality of school counselling services vary. Counsellors in any environment are subject to restrictions on the confidentiality of their communications. Such restrictions include mandatory reporting obligations under child protection and communicable diseases laws. As employees of a school or education department, however, many counsellors have to balance the requirement to maintain confidentiality with the demands of principals and teachers who feel they have the right to know what is affecting a particular student.[67]

69.54 Young people involved in the ALRC’s youth workshops were adamant that a visit to a school counsellor should be confidential.[68] Many indicated, however, that their impression or experience of school counselling was that confidentiality was limited, either because of the physical limitations of seeking advice from counsellors situated within the school, or because of what was perceived as ‘a breach of confidence’ occasioned by the disclosure of information to someone else.[69]

69.55 The NCEC and ISCA consider that counsellors employed by schools and related bodies (such as a Catholic welfare agency retained by the school to provide counselling services) have a duty to inform the school principal if the counsellor becomes aware of information that may affect the health or wellbeing of the pupil, and the information is relevant to the school performing its contractual duties to provide schooling. The NCEC and ISCA also believed that the records of school counsellors are the same as any other school record, and that the counsellor could be directed to disclose to the school principal the contents of any record of a discussion.[70] The NCEC and ISCA indicated that some counsellors have suggested that this situation should be changed by legislation to strengthen confidentiality. The NCEC and ISCA noted that they are opposed to any such change.[71]

Discussion Paper proposal

69.56 In DP 72, the ALRC noted that many of the concerns raised about the handling of personal information in schools appear to stem from a combination of poor practices that are inconsistent with privacy principles, and school policies that provide sometimes questionable interpretations of the privacy principles.[72] The ALRC considered that the privacy principles are capable of operating effectively in the school environment and that no specific additional rules were required. The ALRC suggested that there is, however, a need to clarify aspects of the operation of the privacy principles and to ensure appropriate implementation.

69.57 In DP 72, the ALRC proposed that schools clarify in their Privacy Policies how the personal information of students will be handled, and specified two particular areas of concern: when information will be disclosed to, or withheld from, persons with parental responsibility; and the disclosure of personal information by school counsellors to school management, persons with parental responsibility, and others.[73]

Submissions and consultations

69.58 The ALRC’s proposal to clarify certain matters in the Privacy Policies of schools received general support from stakeholders.[74]

69.59 The NCEC and ISCA supported the requirement to set out privacy issues in school policies, and indicated that this is already done.[75] They were concerned, however, that the ALRC’s proposals in relation to determining the decision-making capacity of students generally were too restrictive and did not provide schools with sufficient flexibility to make appropriate decisions in appropriate cases. The submission from the NCEC and ISCA set out a number of situations where conflicts may arise between the wishes and interests of students and parents, and the school has to make difficult decisions about which approach to take.

The School has to consider the rights and expectations of the parent or parents, who are paying the bills and have legitimate interests as parents, the rights and expectations of the student, and the overriding interest of what is best for the student, bearing in mind the School’s legal obligation to discharge its duty of care.[76]

69.60 A number of stakeholders gave explicit support to ensuring that schools are subject to the Privacy Act and compliance with the privacy principles is improved.[77] For example, the National Children’s and Youth Law Centre (NCYLC) submitted that:

the NCYLC supports the applications of the UPPs to schools. The experience of the teacher-student relationship and the extensive interaction between school and student calls for a high standard of respect for the rights of the child. A school should always be in a position to take the views of each child into account and respect the child’s right to privacy—no matter what age.[78]

69.61 The need for training of teachers and administrative staff was raised by a number of stakeholders as an important element in improving the understanding of privacy practice and ensuring compliance with privacy legislation.[79] The Law Society of New South Wales also suggested that the OPC should be involved in setting criteria for school policies.[80]

69.62 The ALRC’s proposal encompassed all schools, not only schools covered by the Privacy Act. The OPC extended its support for the proposal only in relation to schools currently covered by the Privacy Act, namely private schools.[81] Privacy NSW indicated that the proposal should apply to all Australian schools, and that the issue should be placed on the agenda of the Council of Australian Governments.[82]

ALRC’s view

Privacy policies in schools

69.63 Most schools, education departments and independent bodies representing schools, have privacy policies or more detailed privacy manuals in place. These are essential to provide guidance, and some level of certainty regarding the requirements for the handling of personal information, to individual schools, teachers, students, parents and guardians. The development of a Privacy Policy should be a requirement for every school subject to the Privacy Act. The ALRC supports the development of privacy manuals to provide additional guidance. The ALRC is concerned, however, that some of the content of existing policies and manuals is not wholly consistent with the privacy principles and the Privacy Act.

69.64 In Chapter 68, the ALRC has made recommendations to recognise the decision-making capacity of children and young people, and allow them to make independent decisions where that capacity is demonstrated. These recommendations are consistent with international obligations and the developing law that recognises the evolving decision-making capacities of children and young people, balanced with parental responsibilities. Privacy policies and manuals in schools should reflect the general approach set out in the ALRC’s recommendations that an individual assessment of a child or young person is the most appropriate way to determine his or her decision-making capacity. Some situations in the school environment are suitable for individual assessment, such as in a counselling situation.

69.65 There will be situations, however, where it is not reasonable or practicable to undertake individual assessments. In these situations it will be necessary for schools to apply an across-the-board policy—for example, by issuing a consent form. As discussed in Chapter 68, in the absence of an individual assessment, 15 years should be the age at which it is assumed that a young person has the capacity to make decisions under the Privacy Act. This recommended age, based on research on child development and adolescent decision-making, was considered the appropriate point at which the vast majority of individuals have the relevant decision-making capacity. Requirements for obtaining consent from students aged 15 or over can be built into consent forms as easily as parental consent requirements.

69.66 This is not to say that every student aged 15 or over should be able to withhold all personal information from his or her parents or guardians. Existing privacy policies and privacy manuals note appropriately that much of the personal information held by schools can be disclosed to parents or guardians as this is the expectation of all parties—either as part of the primary purpose of collection, or a related secondary purpose. School reports are a prime example, and guidance from the OPC supports this interpretation of the privacy principles.[83] School privacy policies should describe clearly the kinds of personal information that are collected, the purpose of collection, and situations where the information will be disclosed routinely to parents and guardians.

69.67 This does not mean, however, that the requirements of the Privacy Act can be overridden by a Privacy Policy. The ALRC has particular concerns about suggestions that some schools assume that contracts between parents and a school displace the privacy rights of the student. Any Privacy Policy must be consistent with the law—and in particular privacy principles and the Privacy Act. It is possible that contractual arrangements between parents and a school may contextualise the purpose for which certain information is collected by the school. Use and disclosure practices, however, must be undertaken consistently with the operation of the ‘Use and Disclosure’ principle. Privacy Policies can assist to clarify the purpose of collection and, therefore, the intended use and disclosure of certain types of personal information.

69.68 Some concerns were raised that schools that do not comply with their requirements under privacy legislation are not dealt with effectively under the existing regime. This is of concern if, as has been suggested to the ALRC, some school Privacy Policies and practices are not consistent with the Privacy Act. The ALRC has made a number of recommendations aimed at improving compliance of agencies and organisations subject to the Act.[84]

School counselling

69.69 The obligations on counsellors to disclose personal information to school management and parents are a particular area in which conflict and inconsistencies in approach appear. Counsellors and students want as few limitations as possible on the confidentiality of the service, enabling counsellors to develop a level of trust and confidence with students. This must be balanced, of course, with the needs of the school to meet its obligations to provide support for the individual student, and to protect that student and the broader student body.

69.70 In addition to mandatory reporting requirements imposed by child protection legislation, the Privacy Act should contain appropriate exceptions that allow disclosure of personal information without consent of the individual—including in circumstances where there is a serious threat to an individual’s life, health or safety; or to public health or public safety. The exceptions do not use school-specific language, but they adequately cover situations likely to be encountered in schools.

69.71 School privacy policies should set out clearly the limits of the confidentiality of school counselling services, and indicate circumstances and give examples—consistent with the privacy principles and any additional legislative obligations—in which personal information collected by school counsellors will be disclosed to the school management, persons with parental responsibility, and others. This will include where counsellors are subject to mandatory reporting requirements under child protection legislation, and where disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health or safety, or public health or public safety.

Applying the requirements to state and territory government schools

69.72 The ALRC agrees with stakeholders that the rules and policies regarding handling of personal information in schools should be consistent across all Australian schools. The ALRC, however, has not extended the recommendation to impose obligations on government schools that are not subject to the Privacy Act.

69.73 Elsewhere in this Report the ALRC recommends that the states and territories adopt the model UPPs and key definitions in the Privacy Act. This should ensure that nationally consistent laws relating to the handling of personal information are in force across Australia.[85] In particular, the same principles will apply across all schools, public and private. A further step is required to develop consistent privacy policies.

69.74 As noted above, MCEETYA has developed a national protocol to provide for the transfer of information when students transfer interstate, encompassing both public and private schools. The ALRC considers MCEETYA the appropriate body to develop a nationally consistent approach to the handling of personal information in schools.

69.75 Pending the implementation of the ALRC’s recommendations aimed at achieving nationally consistent privacy regulation, there are enough similarities in the privacy principles across the country to enable the development of a consistent protocol to apply in the school context. A consistent protocol for the handling of personal information also would facilitate the transfer of personal information between schools across state and territory borders. This will not require all schools to have identical privacy policies, but individual privacy policies based on the national protocol will ensure greater consistency.

Recommendation 69-1 Schools subject to the Privacy Act should clarify in their Privacy Policies how the personal information of students will be handled, including when personal information:

(a) will be disclosed to, or withheld from, persons with parental responsibility and other representatives; and

(b) collected by school counsellors will be disclosed to school management, persons with parental responsibility, or others.

Recommendation 69-2 The Ministerial Council on Education, Employment, Training and Youth Affairs should consider the handling of personal information in schools, with a view to developing uniform policies across the states and territories consistent with the Privacy Act.

[40] See, eg, South Australian Government Department of Education and Children’s Services, SA Government Schools and Children’s Services: Information Privacy Statement which sets out that the disclosure of personal information is regulated by the South Australian Information Privacy Principles and that access to information about a person may be requested by that person or a parent or guardian of that person.

[41] See, eg, Curriculum Materials Information Services, Protecting Student Privacy Department of Education and Training Western Australia <www.det.wa.edu.au/education/cmis> at 10 April 2008, which suggests that parental consent should be sought when photographs or digital images of students are to be used outside the classroom environment, eg, in the local community newspaper, or on a website or CD-ROM promoting the school. Some schools seek the student’s consent as well, although this is not a uniform policy.

[42] Note that the ALRC recommends the removal of the small business exemption from the Privacy Act: see Rec 39–1.

[43] Office of the Privacy Commissioner, FAQs: Are Private Schools and Colleges Covered by the New Private Sector Provisions <www.privacy.gov.au/faqs/cf/q3.html> at 10 April 2008.

[44] Ibid.

[45] Office of the Privacy Commissioner, FAQs: Can Private Schools Disclose Non-education Related Personal Information about Students to Their Parents? <www.privacy.gov.au/faqs/cf/q6.html> at 10 April 2008; Office of the Privacy Commissioner, FAQs: Can Parents Whose Children Attend a Private School/College Still Get Access to Their Children’s School Reports? <www.privacy.gov.au/faqs/ypr/q15.html> at 10 April 2008. The Office of the Victorian Privacy Commissioner has given similar advice in relation to school reports in Victoria: Office of the Victorian Privacy Commissioner, Privacy and School Reports: Fact Sheet 02.02 (2002).

[46] Office of the Privacy Commissioner, FAQs: Can Private Schools Disclose Non-education Related Personal Information about Students to Their Parents? <www.privacy.gov.au/faqs/cf/q6.html> at 10 April 2008.

[47] See South Australian Government Department of Education and Children’s Services, SA Government Schools and Children’s Services: Information Privacy Statement; ACT Department of Education & Training and ACT Children’s Youth & Family Services Bureau, School Policy: Access to Student Records: Policy and Implementation Guidelines (2003).

[48] Youth Affairs Council of Victoria Inc, Submission PR 172, 5 February 2007; Youthlaw, Submission PR 152, 30 January 2007.

[49] NSW Commission for Children and Young People, Submission PR 120, 15 January 2007.

[50] National Children’s and Youth Law Centre, Submission PR 166, 1 February 2007.

[51] Youth Affairs Council of Victoria Inc, Submission PR 172, 5 February 2007; Youthlaw, Submission PR 152, 30 January 2007.

[52] National Children’s and Youth Law Centre, Submission PR 166, 1 February 2007.

[53] Youth Affairs Council of Victoria Inc, Submission PR 172, 5 February 2007; Youthlaw, Submission PR 152, 30 January 2007.

[54] Youthlaw, Submission PR 152, 30 January 2007.

[55] Australian Privacy Foundation, Submission PR 167, 2 February 2007. See also H Edwards, ‘The Digital Finger is Pointing at Truants’, Sun Herald (online), 22 October 2006, <www.fairfax.com.au>.

[56] See recent concerns in New South Wales schools over implementation of attendance systems using fingerprint scanning: A Patty, ‘School Forced to Halt Fingerprint Roll Call’, Sydney Morning Herald (online), 4 April 2008, <www.smh.com.au>.

[57] National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 85, 12 January 2007; National Catholic Education Commission and National Council of Independent Schools’ Associations, Privacy Compliance Manual (revised 2004 ed, 2001). Between them, the NCEC and ISCA represent around 2,800 schools in Australia with over 1,000,000 students enrolled in those schools.

[58] National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 85, 12 January 2007.

[59] Ibid.

[60] Ibid.

[61] See Ch 25.

[62] Education Act 1990 (NSW) pt 5A inserted by the Education Legislation Amendment Act 2006 (NSW)—the provisions have not yet been proclaimed and are not in operation at present; Education (General Provisions) Act 2006 (Qld) ss 383–389. The Queensland provisions require that copies of the transferred information be provided to the parent of a student or, in appropriate cases, just to the student, but no consent is required prior to transferring the information: Education (General Provisions) Act 2006 (Qld) s 387.

[63] National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 85, 12 January 2007.

[64] The protocol was developed and agreed on by the Australian Government, state and territory education authorities, the independent and Catholic education sectors through MCEETYA. The requirement to use the Interstate Student Data Transfer Note (ISDTN) is set out in the Schools Assistance (Learning Together—Achieving Through Choice and Opportunity) Act 2004 (Cth) s 31(m). Details of the ISDTN are available at Ministerial Council on Education, Employment, Training and Youth Affairs, Interstate Student Data Transfer Note <www.mceetya.edu.au/mceetya/default.asp?id=12095> at 8 April 2008.

[65] National Catholic Education Commission and National Council of Independent Schools’ Associations, Privacy Compliance Manual (revised 2004 ed, 2001), [7.10.1]. As indicated in the Privacy Compliance Manual, the standard form data collection notice is intended to ensure that the individual is reasonably aware of the matters specified in NPP 1.3 and to obtain consent for use and disclosure of personal information that may not be regarded as being for primary or secondary related (or directly related) purposes.

[66] W Reid, School Counselling: A Client Centred Perspective (1996) Kids Help Line, 10.

[67] Ibid, 8.

[68] See also S Akgul, Submission PR 380, 6 December 2007.

[69] This issue was also raised at Children and Young People Issues Roundtable, Consultation PC 121, Sydney, 7 March 2007.

[70] This is set out in National Catholic Education Commission and National Council of Independent Schools’ Associations, Privacy Compliance Manual (revised 2004 ed, 2001), 75.

[71] National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 85, 12 January 2007.

[72] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [60.155].

[73] Ibid, Proposal 60–7.

[74] Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; National Children’s and Youth Law Centre, Submission PR 491, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007; Youthlaw, Submission PR 390, 6 December 2007; Youth Affairs Council of Victoria Inc, Submission PR 388, 6 December 2007.

[75] National Catholic Education Commission and Independent Schools Council of Australia, Submission PR 462, 12 December 2007.

[76] Ibid. The situations listed included a pregnant teenager asking the school not to tell her parents about her medical condition, a student reporting fighting at home which is having a significant effect on the student, and a student asking for assistance in arranging a meeting with one parent where the other parent has opposed this.

[77] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; National Children’s and Youth Law Centre, Submission PR 491, 19 December 2007; Youthlaw, Submission PR 390, 6 December 2007.

[78] National Children’s and Youth Law Centre, Submission PR 491, 19 December 2007.

[79] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; National Children’s and Youth Law Centre, Submission PR 491, 19 December 2007.

[80] Law Society of New South Wales, Submission PR 443, 10 December 2007.

[81] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[82] Privacy NSW, Submission PR 468, 14 December 2007.

[83] Federal legislation requires, as a condition of federal funding, that schools provide to parents of each student school reports twice a year on the progress and achievements of the student: Schools Assistance (Learning Together—Achieving Through Choice and Opportunity) Act 2004 (Cth) s 32.

[84] See Ch 50.

[85] See discussion in Ch 3.