The New Privacy Principles and Schools
Charles Alexander and Veronica Scott
March 2014
Agenda
- Introduction
- A Refresher on Privacy
- Overview of principal changes
- Where these are found in the Privacy Manual
- What Schools need to do to comply
- Special Issues:
  - Consents
  - School Counsellors
  - Health Information
  - Cloud computing
  - Schools as credit providers
  - Family disputes
  - Employee records
- Discussion Session
Introduction
- Schools collect large amounts of personal information, including highly sensitive information
- It includes information about pupils, parents, staff and others
- Schools therefore must be particularly careful about privacy
- Privacy is now a community expectation
- Consequences of infringing privacy are now greater
Introduction (cont.)
There are new powers under the Act:
- Increased power of the Commissioner to conduct investigations, including the power to investigate without a complaint being made
- The Commissioner can accept enforceable undertakings
- Penalties can be imposed of up to $340,000 for individuals and $1.7 million for bodies corporate
- Changes to the Act commence on 12 March 2014
A Refresher on Privacy
The Act is concerned with Personal Information and the Collection, Use and Disclosure of that information.
Personal Information
Personal information is information or an opinion about:
- an identified individual, OR
- an individual who is reasonably identifiable,
whether true or not.
Example: 'The girl in Year 7 with a broken leg' v 'The girl with brown hair'
Principal Activities which are Regulated
- Collection, i.e. placing the information in a record
- Use: making use of the information in some way for any purpose. Example: determining the average income of parents
- Disclosure: providing the information to a third party outside of the organisation, or giving them access to it
Some Principal Requirements
- Only collect when necessary
- Notify collection
- Restrict use and disclosure
- Maintain quality
- Keep secure
- Provide access
- Destroy or de-identify when no longer needed
Overview of principal changes to the Act
- 10 National Privacy Principles are now 13 Australian Privacy Principles, some with different obligations
- The Privacy Commissioner has enhanced powers
- New guidelines are being prepared which are more detailed than previous guidelines. In particular, there are detailed guidelines relating to consents
The APPs: key changes
- Content of privacy policies and collection statements
- Management of personal information in an open and transparent way, and privacy planning
- Use and disclosure for direct marketing purposes
- Cross-border disclosures, including local liability for overseas breaches of APPs
- Positive requirement to take steps to ensure compliance
APP 1 – Open and transparent management of personal information and privacy planning by entities (Manual: Section 7)
- APP 1.1: Must manage personal information in an open and transparent way
- APP 1.2: Must take such steps as are 'reasonable in the circumstances' to implement practices, procedures and systems relating to functions or activities that will:
  - ensure compliance with the APPs; and
  - enable it to deal with inquiries or complaints about compliance with the APPs
- APP 1.4: A privacy policy must now also include:
  - how to access and correct personal information
  - how to complain about an APP breach and how it will deal with that complaint
  - whether it is likely to disclose personal information overseas and to which countries (if reasonably practicable)
Checklist APP 1 (cont.) – Manual: Section 7
- Plan how personal information will be handled [See Annexure 3]
- Establish procedures for responding to requests and complaints [See Section 4]
- Review information provided on privacy, including policies [See Annexure 2]
- Identify risks
- Train staff
- Regularly review
APP 3 – Collection of solicited information (Manual: Section 9)
- Personal information (other than sensitive information) can only be collected by an organisation if it is reasonably necessary for its functions or activities
- Sensitive information can generally only be collected with consent, unless an exception applies
  - NB: new misconduct exception
- Collection only occurs when the information is recorded
Checklist APP 3 (cont.) – Collection of solicited information (Manual: Section 9)
- Is the collection reasonably necessary for a function or activity at the time of collection?
- Is sensitive information being collected?
  - Is there consent?
  - Does an exception apply (including a permitted general or health situation: ss 16A and 16B)?
APP 4 – Dealing with unsolicited personal information (Manual: Section 9.30)
Where the school could not have solicited the information, and it is lawful to destroy it, unsolicited information must be destroyed or de-identified.
APP 4 (cont.) – Manual: Section 9.30
- Collection only occurs when it is recorded
- Where information is not relevant or necessary to receive, it should not be recorded (see examples at Section 9.30.3)
Checklist APP 4 (cont.) – Dealing with unsolicited personal information (Manual: Section 9.30)
- Are there policies and procedures in place to ensure destruction or de-identification of unsolicited personal information which is not necessary for functions or activities?
- Are there policies in place to prevent recording of information which is not needed?
APP 5 – Notification of the collection of personal information (Manual: Sections 9.8 to 9.14)
- APP 5.1: Take such steps (if any) as are reasonable to:
  - notify the individual of such matters referred to in APP 5.2 as are reasonable in the circumstances, or
  - otherwise ensure the individual is aware of those matters
- APP 5.2: Matters to be included in a collection notice:
  - if the school collects personal information from someone other than the individual, or the individual may not be aware the school has collected that information: the fact the school collects the information and the circumstances of that collection
  - how an individual may complain about breach of an APP
  - whether information will be disclosed overseas and, if so, to which countries (if practicable)
APP 5 (cont.) – Manual: Sections 9.8 to 9.14
Collection notices should also include:
- Details of collections from third parties
- Where collection is required or authorised under law
- The main purposes of collection
- To whom the information is usually disclosed
APP 5 (cont.) – Manual: Sections 9.8 to 9.14
Schools collect from multiple sources. Schools may need separate collection notices in respect of:
- Pupils and parents
- Alumni
- Volunteers
- Employees
APP 5 (cont.) – Manual: Sections 9.8 to 9.14
Collection notices can be given on:
- Forms where information is collected
- School diaries
- Regular mailouts
- Website – probably not?
Checklist APP 5 (cont.) – Notification of the collection of personal information (Manual: Sections 9.8 to 9.14)
- Review collection notices
- What will be included in the collection notice/s?
- Is it reasonable not to provide that information?
- How will the collection notice be conveyed?
APP 6 – Use or disclosure of personal information (Manual: Section 10)
- APP 6.1: Must not use or disclose information for another purpose unless the individual has consented or APP 6.2 applies
- APP 6.2 applies where:
  - there is a reasonable expectation of the use or disclosure for the secondary purpose, and the secondary purpose is:
    - sensitive information: directly related to the primary purpose
    - not sensitive information: related to the primary purpose
  - use or disclosure is required/authorised by law (includes common law: s.6); common law includes duty of care
  - a permitted general situation or permitted health situation exists
APP 6 (cont.) – Manual: Section 10
Permitted general situations include:
- It is unreasonable or impracticable to obtain consent
- It is necessary to lessen or prevent a serious threat to life, health or safety
- Suspicion of unlawful activity or serious misconduct
Checklist APP 6 (cont.) – Use or disclosure of personal information (Manual: Section 10)
- Consider information handling policies and procedures; ensure no uses or disclosures are inconsistent with APP 6
- If a school does need to use or disclose personal information, it should consider whether it falls within one of the exemptions to APP 6
- Ensure any likely secondary uses are contained in a collection statement
APP 7 – Direct marketing (Manual: Section 11)
- APP 7.1: Prohibition on use and disclosure of personal information for direct marketing unless an exception applies
- APP 7.4: Sensitive information may only be used or disclosed for direct marketing if the individual has consented to the use or disclosure for that purpose
APP 7 (cont.) – Manual: Section 11
- Direct marketing is direct communication with a person to promote the sale of goods or services
- A campaign to increase enrolments by mail, telephone, email or SMS could be a direct marketing campaign
- If people would not expect their information to be used for direct marketing, stronger provisions apply
APP 7 (cont.) – Manual: Section 11
Direct marketing: APP 7.2 – Collected from the individual + reasonable expectation
Information may be used or disclosed for direct marketing where:
- the information was collected from the individual;
- there is a reasonable expectation of use or disclosure for direct marketing;
- there is a simple means for the individual to request not to receive direct marketing; and
- the individual has not availed themselves of this means.
APP 7 (cont.) – Manual: Section 11
Direct marketing: APP 7.3 – Collected from the individual + no reasonable expectation, OR collected from a third party
Information may be used or disclosed for direct marketing where:
- the information was collected from the individual with no reasonable expectation of direct marketing, or from a third party;
- either the individual has consented or it is impracticable to obtain consent;
- there is a simple means for the individual to request not to receive direct marketing, and a prominent statement that the individual may request not to receive it; and
- the individual has not availed themselves of this means.
APP 7 (cont.) – Manual: Section 11
Direct marketing: the individual may make certain requests of the school
APP 7.6: Where a school uses or discloses information for direct marketing by that school, or for facilitating direct marketing by other entities, the individual may request:
- Not to receive direct marketing communications
- That their information not be used by or disclosed to other entities for the purpose of facilitating direct marketing
- That the school provide its source of the information, unless impracticable or unreasonable to do so (APP 7.7(b))
Checklist APP 7 (cont.) – Direct marketing (Manual: Section 11)
- Ensure there are procedures to allow an individual to make a request to opt out of receiving direct marketing, and to remove them from the mailing list within a reasonable period
- Obtain consent to use sensitive information for direct marketing
- Keep a record of third-party sources of personal information used for direct marketing
APP 8 – Cross-border disclosure of personal information (Manual: Section 12)
- APP 8.1: Must take such steps as are reasonable in the circumstances to ensure the overseas recipient does not breach the APPs
- Section 16C: an Australian disclosing school may be taken to have breached the APPs where its overseas recipient acts, or omits to act, in a manner which contravenes the APPs, where APP 8.1 applies
- APP 8.2(a): APP 8.1 will not apply where the recipient is in a country which the discloser reasonably believes protects personal information in a similar way to the APPs, and the individual has mechanisms they can access to enforce the protections offered
- APP 8.2(b): The school may seek consent from the individual to the overseas disclosure. It must first inform the individual that the school may not take any steps to ensure that the information will be dealt with by the overseas recipient in accordance with the APPs
APP 8 (cont.) – Manual: Section 12
Examples of cross-border disclosures:
- Disclosure for the purpose of student exchange
- Disclosure for the purpose of overseas excursions
- Cloud providers
Take measures to ensure the third-party overseas recipient does not disclose the information.
APP 13 – Correction of personal information by entities (Manual: Section 17)
- APP 13.2: Where information is corrected but has previously been disclosed to another entity, the school must, upon request, take such steps as are reasonable in the circumstances to notify that other entity of the correction (unless impracticable or unlawful)
- APP 13.3: Where a school refuses to correct information, it must provide the individual with a notice that sets out matters including the reasons for refusal (unless unreasonable to do so) and complaint mechanisms
Checklist APP 13 (cont.) – Correction of personal information (Manual: Section 17)
- Unless it is impracticable to do so, record the entities to whom personal information is disclosed, so you can take such steps as are reasonable in the circumstances to notify those entities of changes to personal information
Other APPs
APP 9: adoption, use or disclosure of government related identifiers (Manual: Section 13)
- Now covers State and Commonwealth government identifiers
- New exception: APP 9.2(a) – may use or disclose a government related identifier where reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation's activities or functions
APP 10 & 11: quality and security (Manual: Sections 14 & 15)
- No substantive changes
APP 12: access to personal information (Manual: Section 16)
- No substantive changes
- New exception: APP 12.3(h) – the organisation is not required to give the individual access to the personal information to the extent that the school has reason to suspect misconduct and giving access would be likely to prejudice the taking of appropriate action in the matter
What Schools need to do
- Appoint someone responsible for privacy matters
- Review information handling practices
- Identify information flows
- Identify where there may be:
  - Failure to comply with the APPs
  - Areas of risk
What Schools need to do (cont.)
- Examine documentation:
  - Privacy Policies
  - Collection Notices
- Make changes as soon as possible
- Maintain systems and regularly check compliance
- See summary of obligations at Annexure 1 of the Manual
Consents
Questions:
- Was the consent voluntarily given (not bundled)?
- Is the consent current and specific?
- Did the individual have capacity to understand what he or she was agreeing to?
Consider carefully before relying on consent of young people (Manual: Section 18).
School Counsellors and confidentiality
- Is the counsellor an employee?
- What is the School's policy regarding confidentiality?
- What has the counsellor been told about confidentiality?
- What has the student been told about confidentiality?
- Is the counsellor required to observe a Code, and what Code prevails?
Health information
Requires particular care. Health information is information or an opinion about:
- Physical, mental or psychological health; or
- Disability; or
- An individual's wishes about the future provision of their health services; or
- Health services provided in the past.
Bases for handling it:
- Consent
- Authorised by law (duty of care)
- Some other special circumstances
Health Information – Victoria
- Health Records Act 2001 (Vic): Victorian public sector; Private sector.
- Privacy Act 1988 (Cth): Commonwealth and ACT public sectors; Private sector.
Are Schools Health Service Providers?
A school will be considered a 'health service provider' where it provides a health service and/or holds health-related information. This may include:
- Counselling
- Dentist
- Nurse
- Physical Education classes or fitness instruction?
Health Privacy Principles
HPP 1: Collection
- Only collect health information if it is necessary for the performance of one or more of the activities or functions of the school
- Information must be collected in a lawful, fair and non-intrusive way
HPP 2: Use and Collection
- Only use or disclose health information for the primary purpose for which it was collected; or
- For a secondary purpose that directly relates to the primary purpose, where an individual would reasonably expect the school to use or disclose the information
HPP 4: Data Security & Retention
- The school must take reasonable steps to protect the health information it holds from misuse, loss, unauthorised access, modification or disclosure
Cloud computing issues
- Obtain warranties and indemnities regarding security
- If very 'sensitive', consider whether it should be in the cloud
- Ensure the provider is reputable
- Is it situated offshore?
- If no one else can access the information and control is maintained, it may not be a 'disclosure' (see Guidelines B47–51 & B107–109)
Family disputes
Who can access students' personal information? (Privacy law)
Employee records
- No changes
- An act or practice is exempt from the Privacy Act if related to:
  - a current or former employment relationship; and
  - an employee record.
- The exemption only applies to the employer, not related bodies corporate or other Schools
- Employee health records are regulated by specific legislation in ACT and Vic