Bowen Buchbinder Vilensky

Privacy Law for Schools – Does your School Pass the 10 Point Data Security Checklist?

By Les Buchbinder, Director at Bowen Buchbinder Vilensky Lawyers

25 February 2015

Changes to Australia’s Privacy Act in March 2014 have important implications for all government agencies, including schools, in the way that they collect, store and manage personal information.

Schools should consider the following 10 points relating to personal information and sensitive information which comes into their possession.

  1. Risk assessment – identifying the security risks to personal information held by the school and the consequences of a breach of security;
  2. Privacy impact assessments – evaluating, in a systematic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations;
  3. Policy development – developing a policy or a range of policies that implement measures, practices and procedures to reduce the identified risks to information security;
  4. Staff training – training staff and managers in security and fraud awareness;
  5. The appointment of a responsible person or position – creating a designated position within the school to deal with issues of data security and data security breaches as well as issues of confidentiality. This position could have responsibility for establishing policy and procedures, staff training, audits, and investigating and responding to alleged or suspected breaches;
  6. Technology – implementing privacy and security technologies to ensure that personal information held by the school is secured, including through such measures as access control, copy protection, intrusion protection and robust encryption systems;
  7. Monitoring and review – monitoring compliance with the security policy, periodic assessment of new security risks and the adequacy of existing security measures, and ensuring that effective complaint handling procedures are in place;
  8. Appropriate contract management – conducting appropriate due diligence where services (especially data storage services) are contracted, particularly in terms of the IT security policies and practices that a service provider has in place, and monitoring compliance with these policies through periodic audits;
  9. Notification as a reasonable security safeguard – this follows from the above measures, especially with regard to policy development and monitoring and review. Whilst it is not a requirement under the Act to notify anybody of a data breach, as part of the obligations to keep personal information secure, it would be prudent to do so. In some instances it may even be a reasonable or necessary step in the protection of information against misuse, loss, unauthorized access, modification or disclosure;
  10. Policies and protocols should be developed in relation to what information will be collected by the school from parents and students and possibly any other relevant third parties (such as doctors, hospitals, etc.) and set out how such information is to be stored and secured, who is to be provided access to it and in what circumstances. Such policies should also prescribe forms to be completed by parents and guardians of students authorizing the school to release specific or necessary information in urgent or emergency circumstances (such as to a hospital or a doctor) and, where necessary, to provide any required personal or sensitive information to known third parties. This will provide clarity to the school, school management, staff and parents as to what information is and is not able to be collected or released by the school and in what circumstances.

All privacy and confidentiality policies, protocols and documents should be carefully and regularly reviewed and updated as required. Furthermore, there should be a reasonably robust enforcement process implemented to ensure that the established policies and protocols are observed, because failure to do so can prove extremely stressful and expensive.

The above list is general in nature.  For specific advice on how the Privacy Act may affect your school, contact Bowen Buchbinder Vilensky Lawyers at (08) 9325 9644 or email us at
