Bowen Buchbinder Vilensky

LEGAL WISE SEMINAR 11 JUNE 2014: PRIVACY POLICIES FOR SCHOOLS

by Leslie Buchbinder
Les Buchbinder

Privacy is the right of natural persons to protect their personal life from invasion and to control the flow of their personal information. However, privacy is not an absolute right; it differs in various contexts and must be balanced against other competing rights and duties such as public interests and the law.

 

1.   INTRODUCTION

Privacy is the right of natural persons to protect their personal life from invasion and to control the flow of their personal information. However, privacy is not an absolute right; it differs in various contexts and must be balanced against other competing rights and duties such as public interests and the law.

 With the proliferation of such phenomena as electronic social media in contemporary society, there has been an upsurge in private or personal information data becoming readily available for collection by third parties.

Recent surveys have shown that an overwhelming majority of Australians want more control over how businesses and others can collect and use their personal information.[1] Moreover, more than 50% of Australians do not approve of having advertising targeted to them based on personal information.[2]

 Most people do not realise that data breaches are not limited to malicious conduct, such as “hacking”, but it can also arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure of personal information.

The advent of various search engines and the use of data mining have created a capability for data about individuals to be easily collected and combined from a wide variety of sources. Commercial entities are increasingly engaging in data collection from the internet and elsewhere, including personal information.

 Examples of this include:

(a)             Google keeps a database of every search made by a registered user in the browser ‘History’ tab.

 (b)             If you visit Youtube regularly, you will find that the site often makes recommendations of what videos you may prefer based on your past views of other Youtube videos.

 (c)             The use of Facebook is now nearly a global phenomenon. Individuals or groups of individuals may be ‘tagged’ in photos or have valuable information exposed about themselves either by choice or most of the time involuntarily by other Facebook users.

 Thus, it is important to be cautious of what information is being transmitted over the internet, including photographs, because such information can be searched across the internet and the internet can potentially be used to access private databases.

 2.   PRIVACY ACT

The Privacy Act 1988 (Cth) (“Privacy Act”) is Commonwealth legislation which regulates the handling of personal information about individuals. It is concerned with protecting personal information (including electronic data) of individuals from unauthorised collection, use and disclosure by Commonwealth agencies and certain private sector organisations (but not individuals acting in a personal capacity).

 

Recent Amendments to the Privacy Act 1988

The Privacy Act 1988 was recently amended with effect from 12 March 2014. In summary, so far as is relevant to this paper, the amendments include: 

  • The new laws apply to both Commonwealth agencies and private sector organizations subject to some exceptions. 
  • The changes will require all Schools to comply with the 13 Australian Privacy Principles ("APP's) unless the school has an annual revenue of less than $3 million and does not provide a health service. In other words, if a school has an annual revenue of less than $3 million but provides a health service, it is not exempted from the Privacy Act.[3] 
  • The new laws include stricter rules on the storage and security of personal information, how personal information is to be sent overseas (ie. out of Australia) complaint handling procedures and the use of personal information for direct marketing. 
  • Schools are now required to have a documented Privacy Policy in place which outlines the procedures, practices and systems in dealing with personal  information and managing privacy queries and complaints so that the School is in compliance with the new laws. 
  • The new laws also include mechanisms for individuals to access personal information about them, request corrections to be made to that information and to make complaints about the handling of their personal information etc.
  • The Privacy Commissioner has increased powers.   These include that the Privacy Commissioner can, amongst other things, require compensation to be paid to the affected individual, require the School to give an undertaking to take or refrain from taking specified action(s) so as to comply with the Privacy Act and seek pecuniary penalties of up to $1.7 million for organisations should he/she deem it warranted.
  • Note that the Privacy Act does not differentiate between adults or children.
  • As a result of changes to the definition of 'credit providers' in the new laws, many Schools may now be 'credit providers'.
  • The question of cloud computing is becoming increasingly relevant to Schools who choose to outsource data storage functions to third party 'cloud providers'.

 Currently, in Australia there is no law that requires breach notifications to be reported to any authority. However, it is recommended that if there is a real risk of serious harm as a result of data breach, the affected individuals and the Office of the Australian Information Commissioner (“OAIC”) should be notified as soon as possible.

 Who Falls Under the Privacy Act?

Generally, all organizations or agencies with an Australian ‘link’ fall under the Privacy Act.

 Those Commonwealth agencies which are already exempt from the Privacy Act will continue to be exempted. Similarly, individuals dealing with personal information will not fall under the Privacy Act. Currently, the exemption for small businesses (businesses with turnover less than $3 million) will also remain but this may change in the future.[4]

 However, the following Schools will still be subject to the Privacy Act: 

  1. A School that provides a health service and holds health information other than in an employee record; 
  2. A School that discloses personal information about another individual to anyone else for benefit, service or advantage (unless it does so with the consent of the individual concerned or is required or authorized to do so under legislation).

 To avoid any doubt, it is prudent for a School to regularly review its status under the Privacy Act to ensure it is fully compliant.

 Personal Information

The Privacy Act defines “personal information” as “information or opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.

 Thus, “personal information” can relate to both human persons and corporate entities as well.

 Personal information is not necessarily factual information. The Privacy Act definition makes it perfectly clear that a statement of opinion about a person can also qualify as personal information. Unfortunately, the Privacy Act does not define the term ‘opinion’ which leaves open the question as to whether or not straight fiction which nobody believes and which nobody asserts to be true or even likely to be true can qualify as personal information.

 Personal information can come into being as personal information by means of a collation of other pieces of information that were not on their own able to identify anyone. That is, a series of separate pieces of information which individually could not identify someone when brought together may be capable of identifying someone and therefore become ‘personal information’ within the meaning of the Privacy Act.

 The following information will likely be considered as "personal information":

  • Personal details of students eg. name, address, phone number, date of birth, birth certificate, conduct reports, next-of-kin details, emergency contact numbers, names of doctors, school reports, assessments, referrals to welfare agencies, photos, current/previous school, health fund details, Medicare number etc. 
  • For parents of a student, this can include their personal details eg. all correspondence with the parents, name, address, email address, phone number, date of birth, vehicle registration details, occupation, marital status/problems, custody details, Medicare number, donation history, maiden name, professional experience etc. 
  • Personal information in Schools is not limited to students and students' parents. It can include information about the School's staff, contractors and other employees and volunteers, such as their personal details (like those listed above); financial details eg. bank accounts and superannuation; employment details, such as their appraisals, reviews, references, former employers; and their professional details such as teacher registration number, membership of professional organisations etc etc. 

Sensitive Information

Sensitive information includes any information or opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record. It also includes health information. 

  • For students, it can include religion, language spoke at home, nationality/race, members of their religious organisations etc. 
  • For parents, it can include the same details as for the students, but adding on to that, the parental education, profession or occupation, socio-economic information required for the purposes such as but not limited to school funding calculations etc. 
  • For potential, current, or past employees, contractors or volunteers, it can include the same information as above, but also additional information like criminal record checks, membership of professional associations, trade union membership etc. 

Health Information

Health information is a subset of sensitive information. It is any information or opinion about the health or disability of an individual, the individual's expressed wishes about the future provision of health services and a health service provided, currently or in the future, to an individual that is also personal information. Health information also includes personal information collected in the course of providing a health service. 

  • For students, health information can include medical background, immunisation records, medical records, medical treatment, accident reports, medical certificates, height and weight measurements, nutrition and dietary requirements, allergies, vision, hearing and speech assessments, physical disabilities, paediatric medical, psychological, psychiatric and psychometric information, development history, diagnosis of disorders, learning details etc. 
  • For parents, it can include genetic and familial disorders, miscellaneous sensitive information contained in medical reports etc. 
  • For potential, current, or past employees, contractors or volunteers, it can include medical conditions affecting work ability, compensation claims, past medical history etc. 

It should be carefully noted that even if a School has an annual turnover of less than $3 million, it will still be governed under the Privacy Act if that school provides a health service. This will usually mean that the School has an infirmary or a registered nurse on staff who provides health services. It may also be applicable to Schools that employ a psychologist to counsel students. 

The Australian Privacy Principles

These 13 Principles regulate the handling of personal information in Australia in relation to Government agencies and many private sector organisations.

Privacy Policy

 Under APP 1.1, a School must manage personal information in an open an transparent way. To this end, under APP 1.3, a School must have a Privacy Policy in place dealing with the management of personal information. The Privacy Policy must contain the following information: 

  • the kinds of information the School collects;
  • how it collects and holds the information;
  • the purposes for which it collects, holds, uses and discloses information;
  • how an individual may access and seek correction of their information;
  • how an individual may complain about the breach of the APPs and how the School will deal with that complaint;
  • Whether the School is likely to disclose information overseas, and if so, the countries in which the recipients are likely to be located. 

The Privacy Policy must be available free of charge and in an appropriate form which can become the School’s website.  It must also be explained in plain readily understood language.  It is recommended that this be viewed and updated regularly. 

Collection of Information

APPs 3, 4 and 5 deal with the collection of personal information and sensitive information.

 Under APP 3.2, a School must not collect personal information, including sensitive information, unless the information is reasonably necessary for one or more of its functions or activities. Further, the School must collect personal information only by lawful and fair means and not in an unreasonably intrusive way (APP 3.5). 

Generally, a School must not collect sensitive information unless the individual has consented, or if the consent cannot reasonably or practicably be obtained and the collection was necessary to prevent or lesson a serious health threat, or the collection is required by law (APP 3.3 and 3.4). 

Under APP 5.1, the School should take reasonable steps to inform an individual that personal or sensitive information was collected concerning that individual and provide details of the purpose of that collection and the entities that may be provided with the information. However, where the circumstances of the collection was obvious to the individual, then there is no requirement for the School to take any steps to inform the individual. 

It is recommended that there be a "Standard Collection Notice" included in the Privacy Policy which sets out the purpose of the collection, the relevant laws, the need for disclosure of that information to third parties, the complaint procedures and other relevant information. This notice should be sent out to all students and to their parents whenever information is being collected by the School. 

Disclosure of Information

A School must not use or disclose personal information about an individual other than in the circumstances stated in APP 6. This APP permits disclosure for the primary purpose for which the information was collected, where required or authorised by law, or because the disclosure was necessary to prevent threats to health, life or public safety. 

The information can in certain circumstances be disclosed for a  secondary purpose which is related to the primary purpose and which the individual would reasonably expect. This may include, for example, personal information: for newsletters, magazines, report cards etc. In the case of sensitive information, this may be for health records to the Department of Health, application for education funding/grants, compiling medication lists etc. 

APP 7 deals with disclosure of information for direct marketing purposes. A School may use non-sensitive personal information for direct marketing where, amongst other things, the individual would reasonably expect their information to be used or disclosed for direct marketing, and there is a simple means by which the individual can request not to receive direct marketing material. A School may not use sensitive information for direct marketing unless it has obtained consent to do so. 

It is recommended that Schools consider the disclosure of personal and sensitive information on a case by case basis, and always utilise the suggested Standard Collection Notice when soliciting information. 

Cross-Border Disclosure

Under APP 8, if a School discloses personal information of an individual outside Australia, it must take reasonable steps to ensure that the overseas recipient does not breach any the APPs. The School will be held liable for any acts done or practices engaged in by the overseas recipient which are found to be a breach of the APPs, unless certain exceptions apply. 

APP 8 may be relevant where a School discloses personal information to an overseas recipient for example to facilitate a student exchange or overseas trip, or to outsource data management functions to a third party 'cloud' service provider. 

A School should ensure that the recipient of the information is contractually bound to receive and handle the information in a manner that complies with the APPs, or otherwise obtain the consent of the individual if the School reasonably believes that the APPs will not be adhered to by the overseas or entity in dealing with the information. 

Some considerations to be taken into account include:

  • the sensitivity of the information being stored overseas;
  • the location of the storage server;
  • the reliability and reputation of the storage provider;
  • the type of technology being utilised to secure the information. 

As providers of 'cloud' computing services offer different levels of contractual protection to customers, it is suggested that specialist advice be obtained prior to entering into contracts with such providers. 

Data Quality

A School must take reasonable steps to ensure that the information it collects is accurate, complete and up-to-date with regard to the use or disclosure intended (APP 10). 

Accordingly, Schools should establish standard procedures to ensure that the personal information it collects, uses or discloses is accurate, complete and up-to-date. This may include the checking of sensitive information before being used or relied upon and regular audits of all information being held. 

The reasonableness of the measures taken will depend on whether the information is likely to change over time and the reliability of the information.

 Data Security

Under APP 11, a School must take reasonable steps to protect personal information it holds from misuse, interference, loss and unauthorised access, modification or disclosure. Further, Schools must take reasonable steps to prevent 'interference' with personal information (eg. hacking or unauthorised access). 

Accordingly, to comply with this, Schools need to take into account the physical security and technological security of the data it holds. Further, policies need to be put in place to restrict access of certain information from unauthorised users. 

In particular, the use of electronic databases to store information whether internally or through 'cloud' computing render a School vulnerable to 'interference'. Accordingly, the amendments to the Privacy Act, aside from strengthening technological security, requires schools should take reasonable steps to destroy or permanently de-identify personal information when it is no longer required. 

Other APPs

a)    APP 2 - anonymity and pseudonymity. Individuals must have the option of not identifying themselves or using a pseudonym when dealing with  School, unless it is impracticable to do so, or the law requires the individual to be identified. It is unlikely that APP 2 will have much significance to Schools as they will usually deal with individuals or entities who are already identified. 

b)    APP 9 - adoption of government related identifiers. A government identifier is a unique combination of letters and numbers, such as a Medicare number or driver's license which are allocated to an individual.  Such identifiers cannot be used by a School to identify an individual unless required or authorised by law. It also can be used unless it is reasonably necessary to verify the identity of the individual or to fulfill its obligations to a government authority. 

c)    APP 12 - access to personal information. A School must on request provide the individual within a reasonable period of time with access to his or her own personal information. The exceptions, amongst others are when the School reasonably believes that such access will pose a serious threat to life, health or safety of any individual, or to public health or safety, the request is frivolous or vexatious, the request is unlawful etc. For example, if the information relates to the health of a student, such as a psychiatric report, the School needs to consider if the information ought to be released. 

d)    APP 13 - correction of personal information. If a School is satisfied that the information held is inaccurate, out-of-date, incomplete, irrelevant or misleading, or if the individual requests the information to be corrected, the School must take reasonable steps to ensure that the information is corrected. 

7.   CREDIT REPORTING

Schools may now be recognised as credit providers under the Privacy Act. A School will be treated as such where it provides credit in connection with the supply of goods or services and agrees to defer repayment of the credit, in full or in part, for at least 7 days. 

For example, if a School expressly permits a parent to defer payment of school fees for at least 7 days beyond the due date, or allows the school term fees to be paid at least 7 days after the school term commences, then it may be deemed as a credit provider. 

This will mean that the School will be subject to additional obligations under the Privacy Act and the Credit Reporting Code which attract criminal and civil liability for breaches. 

8.   PREVENTING DATA BREACHES

Data breaches can occur in a number of ways. For example: 

  • When laptops, removable storage devices or paper records containing personal information is lost or stolen - this is particularly prevalent given the thrust by many Schools into utilising technology in the delivery of lessons; 
  • Hard disk drives and other digital storage media (integrated in other devices, for eg. multifunction printers, or otherwise) being disposed of or returned to equipment lessors without the contents first being erased;
  • Databases containing personal information being “hacked” into or otherwise illegally accessed by individuals outside of the School; 
  • Employees accessing or disclosing personal information outside the requirements or authorisation of their employment; 
  • Paper records stolen from insecure recycling or garbage bins; 
  • A School mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address; 
  • An individual deceiving a School into improperly releasing personal information of another person. 

Security of data is a basic element of information privacy. Under APP 11, Schools will be required to protect data from interference, on top of misuse, loss or unauthorised access, modification and disclosure. This means that Schools may be required to take additional reasonable measures to guard against cyber attacks. 

9.   IN SUMMARY: WHAT SCHOOLS NEED TO DO TO COMPLY

Some steps that Schools should consider in order to fulfil their obligations to safeguard personal information at their disposal include: 

  1. Risk assessment – identifying the security risks to personal information held by the School and the consequences of a breach of security; 
  2. Privacy impact assessments – Evaluating, in a systemic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations; 
  3. Policy development – developing a policy or range of policies that implement measures, practices and procedures to reduce the identified risks to information security; 
  4. Staff training – training staff and managers in security and fraud awareness; 
  5. The appointment of a responsible person or position – creating a designated position within the School to deal with data breaches. This position could have responsibility for establishing policy and procedures, training staff, coordinating reviews and audits and investigating and responding to breaches. 
  6. Technology – implementing privacy enhancing technologies to secure personal information held by the School, including through such measures as access control, copy protection, intrusion detection and robust encryption; 
  7. Monitoring and review – monitoring compliance with the security policy, periodic assessments of new security risks and the adequacy of existing security measures, and ensuring that effective complaint handling procedures are in place; 
  8. Appropriate contract management – conducting appropriate due diligence where services (especially data storage service) are contracted, particularly in terms of the IT security policies and practices that the service provider has in place, and then monitoring compliance with these policies through periodic audits. 
  9. Notification as a reasonable security safeguard – this follows from the above points, especially with regards to policy development and monitoring and review. While it is not a requirement under the Privacy Act to notify anybody of a data breach, as part of the obligation to keep personal information secure, it would be prudent to do so. In some instances, it may even be a reasonable or necessary step in the protection of information against misuse, loss, unauthorised access, modification or disclosure.

 10.   ENFORCEMENT

The changes to the Privacy Act expand the powers of the Privacy Commissioner. Sub-section 27(2) provides that the Commissioner “has power to do all things necessary or convenient to be done for, or in connection with, the performance of the Commissioner’s functions”. These functions are enumerated in sub-section 27(1) of the Amending Act and include any functions conferred on the Commissioner under any Commonwealth legislation. 

The Commissioner may seek heavy monetary penalties on individuals or Entities who breach privacy laws. This is a power that the Privacy Commissioner does not have under the existing Privacy Act. Under the Amending Act, the Commissioner may request an Australian court to levy a civil penalty of up to $1.7 million for organisations found to be in breach of the Privacy Act.[5] 

The Commissioner may make other such as the provision of access or the issue of an apology. These determinations can be enforced by the Federal Court or the Federal Magistrates Court. 

11.   EXTERNAL DISPUTE RESOLUTION SCHEMES

The Amending Act gives the Commissioner the discretion to recognise External Dispute Resolution (“EDR”) schemes to handle privacy-related complaints under section 35A of the Amending Act. 

The Commissioner the discretion to decide not to investigate, or not to investigate further, an act or practice about which a complaint has been made, or which the Commissioner has accepted, if the Commissioner is satisfied that the act or practice is being dealt with by a recognised EDR scheme or would be more effectively or appropriately dealt with by a recognised EDR scheme 

Additionally, a credit provider must be a member of a recognised EDR scheme to be able to participate in the credit reporting system. 

An EDR scheme seeking to be recognised should make a written application which includes all relevant documentation. Relevant documentation, for this purpose, will be dependent on whether the EDR scheme is already recognised under another recognition scheme or has a statutory basis for its operation. 

The Commissioner has discretion whether or not to recognise the EDR scheme. 

13.   CONCLUSION

The aim of this paper has not been to provide a comprehensive treatise on the various areas of Privacy Law or an extensive review of the reforms to the Privacy Act. 

 With the newly-introduced penalty provisions and the possibility of actions for misleading and deceptive conduct under the Australian Consumer Law, all Australian Schools need to be prepared for the effective start date of these new laws in March 2014 by reviewing their privacy policies, data collection and handling policies, and third party IT and data management contracts.

This paper has also provided some tips to deal with data breaches and how to prevent them in future. However, it is not meant to be an exhaustive treatment and all entities involved should perform their own due diligence in respect of data security and protection. 

As a final note, the writer recommends that all privacy policies must be carefully and regularly reviewed, and updated and properly enforced.  Failure to do so may prove very expensive! 

It is recommended that professional advice should always be sought if in doubt.

 

 

APPENDIX A

 

Australian Privacy Principles

The following is brief summary of the APP which will be inserted as Schedule 1 of the amended Privacy Act. 

(a)  APP 1 – Open and Transparent Management of Personal Information

Until the introduction of the APP, it was not compulsory for Australian entities regulated under the Privacy Act (“Entities”) to have a privacy policy in place. 

With the amendments to the Privacy Act and the commencement of the APP on 12 March 2014, for many entities that are regulated under the Privacy Act, the first step on the road to compliance with the APP is to prepare a well thought out and up-to-date internal privacy policy. For those that already have a privacy policy in place, it is necessary to now review and update that policy taking into account the changes to the Privacy Act. 

APP 1 sets out the types of guidelines which a privacy policy must contain. It maintains the existing obligations to clearly disclose the kind of personal information which an Entity can collect, how that information is collected, the purposes for which it is collected, and how it may be used or disclosed. 

The Entity must also take reasonable steps to implement practices, procedures and systems to ensure compliance with all 13 APP. Such reasonable steps may include: 

  1. Training staff about the Entity’s policies and practices; 
  1. Establishing procedures to receive and respond to complaints and inquiries; and 
  1. Establishing procedures to identify and manage privacy risks. 

In addition it is now mandatory for Entities to have in place a “clearly expressed and up-to-date” privacy compliance program. This program will contain details of include how an individual may complain about a privacy breach, how the Entity will deal with such a complaint, whether or not personal information is likely to be transferred overseas, and if possible the countries to which it is likely that personal information will be transferred. 

According to the Companion Guide to the APP, APP 1 is “part of international moves towards a ‘privacy by design’ approach, that is, ensuring that privacy and data protection compliance is included in the design of information systems from their inception”.[6]

 (b)  APP 2 – Anonymity and Pseudonymity

This principle sets out a new requirement that an Entity provide individuals with the option of deal with it using a pseudonym. This obligation is in addition to the existing requirement that the Entity provide individuals with the option of dealing with them anonymously. 

There are exceptions to this requirement, such as where it is impracticable for the Entity to do so or where the law requires the individual to be identified. 

What amounts to ‘impracticable’ will depend on the circumstances. There may be circumstances where the nature of a business and the service provided by an Entity is not compatible with providing the option to interact anonymously. 

(c)  APP 3 – Collection of and Dealing with Personal Information

An entity must not collect personal information unless the information is reasonably necessary for one or more of the organisation’s functions or activities. Furthermore, sensitive information must only be collected with an individual’s consent, unless there is an emergency which will trigger an exception. 

Personal information is defined in section 6 of the Privacy Act as: information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”. 

Sensitive information is defined in section 6 of the Privacy Act as, amongst other things, an individual’s race, religious beliefs, sexual preference; it will be extended to also include “biometric information” and “biometric templates”. 

(d)  APP 4 – Dealing with Unsolicited Personal Information

Unsolicited personal information must be afforded the same protection as solicited personal information. 

Where an Entity receives unsolicited personal information, it must determine whether it would have been permitted to collect the information under APP 3. If not, the Entity must destroy or de-identify that information as soon as possible. 

If the unsolicited information was one that the Entity would have been eligible to collect under APP 3, then APP 5 to 13 will apply to that information. 

(e)  APP 5 – Notification of collection of Personal Information

An Entity must generally make an individual aware, at the time, or as soon as practicable after, the Entity collects their personal information. The Entity is also required to notify individuals about the access, correction and complaints process in their APP privacy policy, as well as the location of any likely overseas recipients of individual’s information. 

(f)   APP 6 – Use and Disclosure of Personal Information

This principle generally reflects NPP 2. 

If an Entity collects personal information about an individual for a particular purpose (the primary purpose), it must not use or disclose the information for another purpose (the secondary purpose), unless the individual consents to the use or disclosure, or another exception applies. 

There are some exceptions under APP 6 however. These exceptions generally relate to the use of personal information other than for the primary purpose in cases of an emergency, or if required under the law or by court/tribunal order or in relation to legal proceedings. 

(g)  APP 7 – Direct Marketing

The use and disclosure of personal information for direct marketing is now addressed in a discrete privacy principle in APP 7 (rather than as an exception in NPP 2). 

Generally, Entities may only use or disclose personal information for direct marketing purposes where the individual has either consented to their personal information being used for direct marketing, or has a reasonable expectation that their personal information will be used for this purpose, and conditions relating to opt-out mechanisms are met. 

However, note that APP 7 does not apply to the extent that other relevant legislations such as the Spam Act 2003 (Cth) apply. 

As APP 7 deals with direct marketing, it has significantly less relevance for government organisations/agencies as compared to commercial entities. 

(h)  APP 8 – Cross-Border Disclosures

Under existing Australian laws, an Entity may only transfer personal information overseas if the individual concerned consents, or if the Entity has taken certain steps to ensure that the overseas recipient will hold and use the information consistently with Australian law. 

APP 8 and a new section 16C in the Privacy Act take this a step further, so that even in circumstances where the Entity has taken such steps, a privacy breach by the overseas recipient can be deemed to be a breach by the Australian business, giving rise to liability for the Entity under Australian law. Not only will this require businesses to scrutinise the consent provisions of their privacy policies, it also warrants careful consideration of contracts with third parties, such as out-sourced IT service providers and Cloud computing services. 

The main exceptions in APP 8 are where: 

  1. An individual consents to the cross-border disclosure, after the Entity expressly informs them that APP 8 will no longer apply if he/she give his/her consent; or 
  1. The cross-border disclosure is required or authorised under an Australian law or court/tribunal order. 

(i)    APP 9 – Adoption, Use or Disclosure of Government-Related Identifiers

APP 9 prohibits an Entity from adopting, using or disclosing a government-related identifier unless an exception applies. This principle generally retains the same exceptions as NPP 7 which includes authorising the use of government-related identifiers pursuant to an Australian law or a court/tribunal order.

 Under the amended section 6 of the Privacy Act, the term ‘identifier’ means “a number, letter or symbol, or a combination of any or all of those things, that is used to identify the individual or to verify the identity of the individual”, but does not include, amongst other things, the individual’s name or ABN. 

Under the amended section 6 of the Privacy Act, the term ‘government-related identifier’ means:

an identifier of the individual that has been assigned by:

                     (a)  an agency; or

                     (b)  a State or Territory authority; or

                     (c)  an agent of an agency, or a State or Territory authority, acting in its capacity as agent; or

                     (d)  a contracted service provider for a Commonwealth contract, or a State contract, acting in its capacity as contracted service provider for that contract.” 

(j)   APP 10 – Quality of Personal Information

An Entity must take reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete (as was already required under NPP 3). 

For the use and disclosure, the information must be relevant, accurate, up-to-date and complete, having regard to the purpose of the use or disclosure. 

(k)  APP 11 – Security of Personal Information

An Entity is required to take reasonable steps to protect the personal information it holds from interference, in addition to misuse and loss, and unauthorised access, modification and disclosure (as already required under NPP 4). 

The inclusion of ‘interference’ acknowledges that attacks on personal information may not be limited to misuse or loss and may include interference that does not amount to modification of the content of information. This new element may require additional measures to be taken to protect against computer or cyber attacks. However, this requirement is conditional upon the steps taken as being ‘reasonable in the circumstances’. 

Like NPP 4, APP 11 also requires an organisation to take reasonable steps to destroy or de-identify personal information if the organisation no longer needs it for any authorised purpose. APP 11 introduces two exceptions to this: firstly if the information is already contained in a Commonwealth record, or the Entity is required under law or by court/tribunal order to retain the information. 

(l)    APP 12 – Access to Personal Information

Like NPP 6, APP 12 requires an Entity to give an individual access to the personal information that it holds about that individual, unless an exception applies. 

Under APP 12, there is a new requirement for Entities to respond to requests for access within a reasonable period. Additionally, Entities must give access in the manner requested by the individual if it is reasonable to do so, if not, reasons must be provided for the refusal and the mechanisms available to complain about the refusal. 

(m)  APP 13 – Correction of Personal Information

This principle removes the requirement under NPP 6 for an individual to establish that their personal information is inaccurate, incomplete or is not up-to-date and should be corrected. 

APP 13 now requires an organisation to take reasonable steps to correct personal information to ensure that it is accurate, up-to-date, complete and relevant and not misleading, with regards to the purpose for which it is held, if either: 

(a)  The Entity is satisfied by itself that it needs to be corrected; or 

(b)  An individual requests that his/her personal information be corrected. 

When refusing an individual’s correction request, an Entity must generally provide the individual with written reasons for the refusal, and notify them of available complaint mechanisms.

 

APPENDIX B

 

Dealing with Data Breaches - a Step-by-Step Process

It is recommended that 4 key steps be adopted in response to a data breach or suspected data breach.[7] 

Step 1 – Contain the breach and do a preliminary assessment

For example, stop the unauthorised practice, recover the records or shut down the system that was breached. If that is not practical, then changing computer access privileges or address weaknesses in physical or electronic security may be appropriate. 

Appoint a person or entity with sufficient authority to conduct an initial assessment or investigation and gather the necessary information to determine the cause/source, nature and extent of the breach. Notify the appropriate persons who may be at risk because of the breach. 

Step 2 – Evaluate the risks associated with the breach

With information gathered, it is necessary to evaluate the risks that can materialize as a result of the data breach. 

For example, some breaches of data such as bank account or credit card details may pose a greater risk of harm than details such as name or address. Or certain details may work in combination to increase the risk of harm. If the data breach had been systematic or ongoing for a period of time, then there is a huge risk of severe harm to individuals or entities. 

The harm that may eventuate may include identity theft, financial loss, threat to physical/mental wellbeing or loss of business or employment opportunities. At a larger scale, it may cause loss of confidence or trust in the School, or even legal liabilities.  

Therefore, it is necessary to understand those risks so that appropriate steps can be taken immediately to mitigate those risks. 

Step 3: Notification

After Steps 1 and 2 are completed, Schools should consider whether the affected individuals should be notified and when they should be notified. There will need to be consideration as to what information should be included in the notification to the affected individual or any 3rd parties such as the OAIC or other authorities. 

The key consideration remains whether notification is necessary to avoid or mitigate serious harm to an individual. It may be the case that sometimes, notification should occur immediately upon discovery of the breach before all the relevant facts have been established. If law enforcement authorities are involved, check with the relevant law enforcement agency whether notification should be delayed so as not to compromise investigations. The School's data management or privacy policy should be sufficiently comprehensive and robust to deal with such emergencies. 

Currently, there is no law that requires data breaches to be reported to any authority. However, it is strongly encouraged that serious data breaches be reported to the OAIC. The OAIC can provide general information or advice as to how the breach can be better managed and advise on appropriate steps to prevent future similar breaches. It can also be a medium to which public enquiries can be directed to with regards to a particular incident. However, the OAIC cannot provide legal or detailed advice on how to manage a data breach. 

In most cases, when the OAIC receives a complaint about a breach or receives notification about a breach, it will investigate the matter. It can also do so on the Commissioner’s “own” motion. 

Step 4 – Prevent further breaches

Once the above steps have been taken to mitigate the risks associated with the data breach, the School will have to review their existing data protection and privacy policy. If there are no policies in place, then it will necessary to start the process of developing one. 

This plan may include a review or addition of:

  • Security audits of both physical and technical security;
  • Publishing or disseminating to relevant employees or individuals the lessons learnt from this data breach;
  • Employee training policies and practices;
  • Service delivery partners (eg. offsite data storage providers);
  • All current contracts or sub-contracts to ensure that the Amending Act is complied with. 

Other steps a School can take to prevent future breaches are:

  • Develop a breach response plan;
  • Establishing breach response team, including the appointment of a senior manager to lead this team. The team can include representatives from various areas in the School such as IT, public relations, HR, legal etc); 

Other practical tips include:

  • Implementing and enforcing a ban on bulk transfers of data onto removable electronic storage units without adequate security protection (such as encryption);
  • Disabling downloads on computers or electronic devices that are in use in the School;
  • Periodic removal of unused or unwanted data from electronic storage units;
  • Upgrading of the requirements for passwords and frequently changing passwords
  • Reviewing any existing insurance cover to identify any gaps to ensure that the business is adequately indemnified against liability.


[1] University of Queensland, “Australians concerned for online privacy”, Press Release 14 March 2012.

[2] University of Canberra, “Australians demand online data breach notification: UC survey reveals”, Press Release 1 May 2012.

[3] A summary of the APPs can be found in Appendix A of this paper.

[4] For more information on the exemption to small businesses, see section 6D of the Privacy Act, and http://www.oaic.gov.au/privacy/privacy-topics/business-and-small-business/

[5] In October 2013, the Australian internet service provider AAPT was found to have breached the Privacy Act for failing to adequately protect customer data from unauthorised access. The Commissioner held that AAPT failed to comply with its obligation to destroy or permanently de-identify information no longer in use. But the Commissioner was unable to impose any penalties as the Privacy Act did not give him that power prior to when the amendments to the Privacy Act commenced on 12 March 2014.

[6] Cabinet Secretary, Senator the Hon Joe Ludwig, “Companion Guide, Australian Privacy Principles”, Australian Government, June 2010.

[7] Ibid.

Leslie Buchbinder

Leslie Buchbinder
Director