170 likes | 265 Views
Privacy Compliance in Schools. Darrebin A/P’s Network 7 May 2009. The Essentials of Information Privacy.
E N D
Privacy Compliance in Schools Darrebin A/P’s Network 7 May 2009
The Essentials of Information Privacy This Training Presentation Contains Statements of Broad Principle. It Does Not Present Either a Comprehensive Analysis of the Privacy Legislation or a Definitive Explanation of It. Independent Legal Advice Should Be Sought About Specific Issues.
What Is Information Privacy? Handling personal information in accordance with the person’s expectations or as allowed by law • Personal information is information that identifies a person, either directly or indirectly, • Health information is personal informationabout a person’s health or disability, the health services they have received, the donation of their body parts, and their genetic information • Must be recorded, whether true or not
Interaction With Other Legislation The privacy legislation does not override other legislation • Specific provisions in other statutes governing the collection, use and disclosure of information override the relevant Privacy Principles to the extent of any inconsistency
Key Non-Compliance Areas • Collection Statements • Use & Disclosure • Data Security
Privacy Collection Statements include: • who is collecting the information; • what it will be used for; • whether the collection is required by law; • how the person can get access to the information; • who else usually has access to the information; &. • what the main consequences, if any, are for the person if they do not provide the information. Likely info collected in schools – enrolment info, school camps & excursions, photos of events, health info, EMA, school council nominations, after school care,
Collection Compliance • Don’t over collect - Collect only personal information that is necessary for the performance of functions. • Anonymity - People should have the option of not identifying themselves when entering transactions, if that is lawful and feasible. • Collect for a pre-determined purpose. • Collect lawfully, fairly and not unreasonably intrusively. • Collect information only from the person themselves, where practicable. • Provide a collection statement to the subject if info collected from third party.
Consent • Individual has the capacity to consent • Voluntary • Informed • Specific • Current • Tip – the Act does not require that consent be in writing. However, as a general rule seek express consent in writing.
Use and disclosure • Use and disclose personal information for the primary purpose for which it was collected; • Or a related purpose a person would reasonably expect; • Or for one of the exceptions in IPP 2; • Otherwise, use or disclosure can only occur with consent.
Use and Disclosure Exemptions • Required or authorised by another law; • Research or statistical analysis; • Serious and imminent threat to individual’s life, health, safety or welfare; • Serious [but not imminent] threat to public health, safety or welfare; and. • Law enforcement and security.
Management of Personal Information IPP 4 – Data Security. • Take reasonable steps to protect personal information from misuse, loss, unauthorised access, modification or disclosure. • Personal information should be destroyed or de-identified when it is no longer needed. (Destruction should be in accordance with disposal schedules of the Public Records Act 1973.).
Management of Personal Information Physical security might include precautions like: • locking filing cabinets; • restricting access to certain areas; • positioning computer terminals so they cannot be seen by unauthorised personnel; • questioning unaccompanied or unrecognised visitors; and. • disposing of paper records effectively.
Management of Personal Information Operational Security might include: • rules on levels of access; • audit trails to detect unauthorised access; • changing of passwords at frequent intervals; • avoiding collecting information in public waiting rooms where possible; • procedures for verifying identity for telephone transactions. • using fictitious information for training; and. • procedures for dealing with employees who leave.
Management of Personal Information Fax: • programming fax machines to avoid risk of misdialling • retaining fax activity history reports • controlling the type of information sent • telephoning intended recipient prior to transmission E-mail: • guidelines for use of e-mail • encrypting files • blind carbon copying address details • e-mail privacy notices Post: • take care not to display contents of letters through window envelope • Periodic reminders and compliance tips to staff.
Transfer of student information • Consent is needed, templates available. • If issue is around Duty of Care, carefully consider what info is required, advise parent of intention and purpose. • Note what has been provided and purpose for doing so. • Guidelines for transfer between Vic Govt schools, non-govt schools and interstate schools • https://www.eduweb.vic.gov.au/privacy/transferstuinfo.htm
Privacy Contacts • Privacy Advisor – 9637 3601 • Online resources at https://www.eduweb.vic.gov.au/privacy/ • EduGate discussion, announcements and document library at: • https://portal.eduweb.vic.gov.au/collaboration/teams/PrivacyContactOfficer/default.aspx?PageView=Shared • The Privacy Officers Network – NMR Contact is John Roberts. • Privacy Victoria - www.privacy.vic.gov.au • Federal Privacy Commissioner - www.privacy.gov.au • Victorian Health Services Commissioner www.health.vic.gov.au/hsc