Part 1 - Introduction
1.1 The Commonwealth of Australia and the Australian Capital Territory (ACT) Government have a Memorandum of Understanding (MOU) for the provision of privacy services in relation to ACT Government agencies.
1.2 In June 2013 the Office of the Australian Information Commissioner (the OAIC) conducted an audit of the Australian Capital Territory Education and Training Directorate (ETD) as a part of this agreement, using its powers under section 27(1)(h) of the Privacy Act 1988 (Cth) (the Privacy Act).
Part 2 - Description of audit
2.1 The primary purpose of the audit was to ascertain that records of personal information maintained by ETD are maintained according to the Information Privacy Principles. Specifically, the audit considered the handling of requests for student information and the notification provided at the point of collection of student information (especially in relation to the usual disclosures of the collected information).
2.2 For the purpose of this audit:
- ‘ACT public schools’ refers to primary schools, high schools and secondary colleges administered by the ACT Government through ETD
- ‘Central Office’ refers to the Central Office of ETD
- ‘ETD’ includes both ETD’s Central Office and ACT public schools
- ‘parent/al’ has the meaning given by ETD’s Family Law policy and includes only individuals who have ‘parental responsibility’ for the child or young person.
Objective and scope
2.3 The objective of the audit was to assess ETD’s handling of records of personal information in accordance with its obligations under the IPPs which relate to notices (IPP 2) and disclosure (IPP 11).
2.4 The scope of the audit was an examination of ETD’s notification practices when collecting student’s personal information and the disclosures of student personal information in response to external requests for this information.
2.5 The audit did not assess ETD’s:
- obligations under the IPPs when handling directorate staff (employee) records
- handling of student health information. Privacy issues relating to ACT health records are subject to the requirements of the Health Records (Privacy and Access) Act 1997 (ACT), rather than the Privacy Act
- use of personal information internal to ETD, including transfers of personal information between Central Office and ACT schools or between different ACT public schools
- requests by students to access their own information.
Timing and location
2.6 The audit was conducted on 26 and 27 June 2013 at Central Office headquarters at 220 Northbourne Avenue, Braddon, ACT and the Hedley Beare Centre, 51 Fremantle Drive, Stirling, ACT.
2.7 Also on these dates, the audit team carried out inspections of three ACT public schools.
2.8 The audit fieldwork included:
- a document review of ETD materials developed to assist staff with the handling of student data requests, including policy and guidance material, privacy training modules and procedural advice to staff
- a review of notices and relevant forms developed by Central Office or selected ACT public schools
- semi-structured interviews with key ETD staff, to assess:
  - management and governance arrangements around the collection and disclosure of student information, including any internal review/audit activities conducted by ETD
  - processing of external requests for student information
- semi-structured interviews with key staff from ACT public schools, to assess:
  - issues around the practice of responding to external requests for student information.
2.9 The OAIC selected three schools with large student populations spread across different areas of Canberra and with students of different ages.
Information obtained during the audit
2.10 ETD provided several documents prior to and during the fieldwork for this audit. A full list of the information obtained prior to conducting fieldwork is at Appendix A.
2.11 Information and documents gathered from ETD during the audit fieldwork period are listed in Appendix B of this report. This does not include any forms relating to issues outside the scope of this audit.
2.12 The auditors are of the opinion that ETD is generally maintaining its records of personal information in accordance with IPP 2 and IPP 11 within the scope of this audit.
2.13 The auditors identified some privacy risks to ETD’s personal information handling practices and make recommendations in relation to these.
2.14 A recommendation is a suggested course of action or a control measure that, if put in place by the agency, will (in the opinion of the OAIC) minimise the risks identified around how personal information is handled against the relevant criterion.
2.15 To the extent possible, the OAIC publishes final audit reports in full or in an abridged version on its website, http://www.oaic.gov.au/. It is sometimes inappropriate to publish all or part of a report because of statutory secrecy provisions or for reasons of privacy, confidentiality, security or privilege.
Part 3 - Description of auditee
3.1 As outlined in its 2011/12 Annual Report, ACT ETD ‘provides services to children and young people both directly through public schools and indirectly through regulation of non-government schools and home education, and to people of all ages through the planning and co-ordination of vocational education and training in the ACT’.
3.2 At February 2013, ACT public schools had 40,879 enrolled students: 24,704 at primary school, 9,754 at high school and 6,005 at secondary college level. The selected ACT public schools had around 600, 1,100 and 900 students enrolled, respectively.
3.3 Central Office provides ACT schools with guidance and support to assist their implementation of ETD policies, procedures and staff guidelines and compliance with applicable legislation.
3.4 Following a 2008 audit of the former Department of Education and Training’s (DET) student data handling practices by the former Office of the Privacy Commissioner (OPC), DET drafted new policy and implementation procedures to improve its handling of student data requests.
3.5 In December 2009, the OPC gave advice to DET about its newly revised Access to Student Information policy.
Central Office areas relevant to the audit
3.6 The auditors interviewed staff from five sections in Central Office.
3.7 The Legal Liaison section manages ETD’s responsibilities under administrative law (including privacy and freedom of information) and responds to subpoenas and notices of non-party production. The section also provides advice and is the primary contact point for all privacy-related queries from both ACT public schools and other sections of Central Office. All requests for student information not handled by the Records Management Unit or schools themselves are progressed through Legal Liaison.
3.8 The Risk Management & Audit section is responsible for developing and managing the Directorate’s risk management framework. This includes preparing the annual audit work program. Internal audits can also be conducted on an ad hoc basis.
3.9 The Liaison Unit manages complaints relating to ACT public schools and Central Office and acts as the link between complainants or concerned parties and ETD.
3.10 The Information & Knowledge Services Records Management Unit is responsible for the implementation of the Territory Records Act 2002 (ACT) to ensure ETD meets its legislative requirements for recordkeeping. The Records Management Unit also handles routine requests for student information.
3.11 The Student Wellbeing & Behaviour Support Unit manages requests for student counselling information when referred to them by schools.
Part 4 - Audit issues
The following findings and recommendations relate to the auditors’ consideration of ETD’s handling of personal information in relation to notices and disclosure under the IPPs in the Privacy Act.
The IPPs are available at www.oaic.gov.au.
IPP 2 issues - Notice of collection
IPP 2 sets out the notice requirements, which apply to Australian and ACT Government agencies when collecting personal information directly from an individual, for inclusion in a record or generally available publication. Specifically, IPP 2 states that where:
- a collector collects personal information for inclusion in a record or in a generally available publication; and
- the information is solicited by the collector from the individual concerned;
the collector must take reasonable steps to ensure that, before information is collected or, as soon as practicable after this occurs, the individual is made generally aware of:
- the purpose for which the information is being collected
- any legal authorisation or requirement to collect the information
- any entities to which this information is usually disclosed.
4.1 OPC’s 2008 audit report highlighted the risk that DET may not have been providing individuals with appropriate IPP2 notices at the time they collected their information.
Central Office forms
4.2 This audit reviewed student forms, provided by ETD before and during the fieldwork period. These forms are listed in Appendices A and B of this audit report.
4.3 In the majority of these forms, auditors observed a high level of compliance with the IPP 2 requirements of the Privacy Act.
4.4 Liaison Unit staff tasked with managing interactions with ETD also informed auditors that there have been no complaints received about IPP 2 notice issues in the past 12 months.
4.5 Student forms listed in Appendix A may variously be used by schools generally or by areas of Central Office with specific responsibilities. Some forms were prepared or facilitated by Legal Liaison and include those referred to at 4.8.
4.6 Assessment matrix 1, located in Appendix C of this report, provides a general assessment of IPP 2 notices provided by relevant Central Office sections (ie, Legal Liaison and Risk Management & Audit) both before and during the fieldwork period.
4.7 We have provided a description of the ‘best privacy practice’ notices and those requiring further improvement below.
4.8 Some good examples of IPP 2 notices were observed in the:
- Photograph, digital image and media consent form - the IPP2 notice was set out in large script at the bottom of the form and included ETD’s purpose of collection and usual disclosures. The form also sought both parental and student consent to use photographs / digital media acquired at the Minister’s Student Congress, which auditors noted as a best privacy practice measure.
- Authority to use photographs (including video) of children for the promotion of public education - this form provided a particularly good outline of the proposed uses of this information and of the privacy implications of providing consent.
- Careers with Animals Day Out - auditors noted that the privacy notice on this consent form was prominently placed, at the beginning of the form. This best privacy practice measure was only observed in this form.
4.9 Forms that may require further improvement include:
- The Aboriginal and Torres Strait Islander Education Family Support information release form, which does not contain an IPP 2 notice. While the form outlines instances where disclosures may occur, it does not specify to whom. Auditors noted, however, that parental consent is required to disclose student data.
- The ETD Mainstream schooling application form / Short Stay application form / Temporary Residents application form - while these forms all contain IPP 2 notices, the notices are placed at the bottom of each form and are in superscript-sized font, which makes them difficult to notice. To fulfil the requirements of IPP 2, an individual needs to be ‘generally aware’ of the content of an IPP 2 notice, which means it should be in a form that is easy to understand and to find.
- Expression of interest form - alternative programs - both student and parent are given an opportunity to provide consent for the school to collect photographic information. Auditors noted, however, that this form does not include a privacy notice outlining the purpose of collection, legal authority to collect or usual disclosures, which ETD requires to meet its IPP 2 obligations.
- Interstate Student Data Transfer Note - allows students aged 16 and older to provide consent for the transfer of their records. While information is provided throughout the form about ETD’s purpose for collecting data and the intended disclosure to an interstate school, this form also lacks a formal IPP 2 notice.
Forms collected during the fieldwork period
4.10 Forms listed in Appendix B of this report were mainly gathered by auditors from the schools visited during the fieldwork period. The Risk Management & Audit section also provided auditors with some forms during the fieldwork period.
4.11 This audit report does not include a review of forms provided by the Student Wellbeing & Behaviour Support Unit, as they are used to collect health data.
4.12 Assessment matrix 2, located in Appendix D, provides a general assessment of the IPP 2 notices collected from ACT public schools during the fieldwork period.
4.13 A targeted analysis of notices provided by both the Risk Management & Audit section and by ACT public schools can be found in paragraphs 4.14 - 4.19 and 4.22 - 4.23 below.
Risk Management and Audit forms
4.14 Student Accident / Incident Report, Witness Statement to Student Accident/Incident (Staff Member Witness) and ETD Incident Report forms are used by the Risk Management & Audit team to meet its statutory requirement to provide weekly reports of significant school incidents to Worksafe ACT. Critical incidents involving injury must also be reported to the ACT Insurance Authority for insurance purposes.
4.15 Where incidents of this kind occur, the school decides whether reporting is required and informs Risk Management & Audit within 48 hours of the event.
4.16 Forms such as the Student Accident / Incident Report, Witness Statement to Student Accident/Incident and ETD Incident Report include IPP 2 notices intended for staff who witnessed the event; teachers on roster; principals; or the reporting officer.
4.17 When one of the forms listed in paragraph 4.16 is received, Risk Management & Audit logs the report on its Incident and Claims System, which is only accessible to the three staff members of that team.
4.18 Auditors observed that ETD only provides de-identified information to Worksafe ACT and the ACT Insurance Authority, outlining the student’s age, gender, the school they attend and the nature of the injury, without disclosing any personally identifying data.
4.19 Auditors were also informed by ETD staff that the Student Accidents/Incidents policy provides that parents/carers should be informed about the preparation of student accident/incident reports and provides a newsletter item as an attachment to the policy.
ACT School forms
4.20 Legal Liaison and schools advised auditors that schools are responsible for drafting their own forms and notices where collection of personal information occurs. However, Legal Liaison will provide advice to schools on the drafting of their forms, on request.
4.21 Legal Liaison has also developed SLIM, which includes a Privacy Module. The module outlines situations where privacy issues may arise. It provides practical instructions for the handling of student information, including collection and disclosure. In addition, the manual includes pro forma privacy notices and consent forms for ETD use.
4.22 Some good examples of IPP 2 notices collected from schools were observed in the:
- Authority to use photographs (including video) of children for the promotion of public education - this form was noted in paragraph 4.8, as providing a particularly good example of an IPP2 notice. Use of this form also demonstrates that resources prepared by Central Office are being adopted by schools.
- Request for Secondary Placement form - includes a very well set out IPP 2 notice with a list of usual disclosures, the school’s primary and secondary purposes for collecting the information and any applicable legislation. Auditors noted that the notice was printed in small script. However, the notice is easy to find and is immediately followed by a signature box for parents/carers, which appears to be seeking consent for the disclosures outlined in the notice.
- Permission to publish student’s personal information - this form provides a particularly good outline of the proposed uses for this data and of the privacy implications of providing consent. The form also clarifies that the onus is on the parent to communicate any future revocation of consent, not the school.
- Enrolment Form (Acceptance of Offer of a Placement): Parental Permissions - this form also models itself on the Authority to use photographs (including video) of children for the promotion of public education form, but is distinguished by the separate Yes/No tick boxes it includes for each permission sought, ie, ‘parental attendance at media events’, ‘publishing work on school/college website’, ‘release information for school/college photographs’, ‘photograph student (Directorate)’, ‘photograph student (media)’ and ‘Publish name in newsletter/website/media’. This allows the consenter to provide targeted permissions rather than having to give a bundled consent.
4.23 Forms that may require further improvement include the:
- Student Statement (Incident Reporting) and the Incident Report form, neither of which includes a notice outlining the purpose/s for collecting information belonging to one or more students. While this data may not be disclosed outside ETD, students should be advised of the reason/s this information is being collected or have this explained to them by the school. While auditors observed that verbal explanations were provided in some schools, schools would benefit by having this information included in the form.
- Libraries ACT College Membership Application - the form does not include a standard IPP 2 notice; however, it does advise borrowers that their information will not be disclosed unless the school has consent or is legally required to do so. No consent form is attached. The form should include the purpose/s of collection and any legal authority for the collection, if relevant.
4.24 Auditors note that schools will sometimes only require a student to provide a verbal report of an incident and staff will record the details on their behalf.
School Data Management System (MAZE)
4.25 The MAZE system is used by schools to manage information on students, families, staff, finances, academic records and general school administrative functions.
4.26 Each ACT public school has access to the MAZE database, with restricted viewing rights. Student data is generally uploaded by school staff from student enrolment forms and any other forms through which schools collect information/seek consents.
4.27 Auditors noted a heavy reliance by schools on the accuracy of the MAZE record, when verifying whether IPP 2 notices or consents for the release of data were provided.
4.28 Furthermore, while some schools implemented yearly updates for notifications to or consents from students/parents, other schools only provide IPP 2 notices and consent forms once, at enrolment.
4.29 Auditors noted, however, that even where consents were recorded on MAZE, schools often confirmed these consents verbally at the point of collection.
4.30 Auditors noted a high level of IPP 2 compliance in most forms used by ACT public schools. However, the audit identified IPP 2 compliance issues in certain forms, which were either missing a privacy notice or which had incomplete privacy notices (please refer to matrices in Appendix C and Appendix D for details).
4.31 Auditors also noted that privacy notices set out in Central Office forms are not always in a standardised format and sometimes fail to include the purpose/s of collection, legal authority to collect the information and/or usual disclosures.
4.32 In certain forms, no privacy notice was provided. In particular, there was a marked difference between incident reporting forms aimed at school staff members and those seeking student statements. As the Privacy Act is silent on the issue of age, operating on the basis that children and young people have the same information rights as adults, this was noted as a risk area.
4.33 The reliance on consents recorded in MAZE that are several years old was also noted as a risk area by auditors, particularly where a student’s legal guardians or authorised representatives may have changed.
Recommendation 1 - Provide comprehensive privacy notices on all relevant forms
4.34 The auditors recommend that ACT public schools and Central Office include a privacy notice on all forms collecting student information, taking note of the auditors’ comments and assessment matrix. The notice must outline the purpose/s for which the information is being collected, any entities to which the information is usually disclosed and any legal authority for collecting the information. The notice should be in a font size and location that is easy to read or find. Where information is collected verbally, or children are considered too young to understand the meaning of a written privacy notice, schools may wish to provide verbal notification.
Recommendation 2 - Renew consents on a regular basis and notifications as required
4.35 The auditors recommend that schools renew consents on an annual basis and may wish to include this as part of the annual MAZE update sent out to parents / legal guardians. Notifications should also be renewed if a student’s authorised representative or legal guardian changes.
IPP 11 issues - Disclosures of student personal information
IPP 11.1 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions from (a) to (e) apply. The exceptions include disclosures with the individual’s consent and disclosures for some health, safety or law enforcement reasons.
IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include a note of disclosure in the record containing that information.
IPP 11.3 provides that, where personal information is disclosed under IPP 11.1, the parties who receive that information must not use or disclose the information for a purpose other than the purpose for which the information was given to them.
Policies and procedures around the disclosure of student data by ETD
4.36 Central Office and schools refer to three key internal documents for direction on the handling of requests for student personal information, namely the:
- Access to Student Records policy (2012)
- Accessing Student Records procedures
- Access to Student Records Guidelines for Staff.
4.37 In addition, the SLIM privacy module is available for staff reference and includes responses to Frequently Asked Questions about releasing student information.
4.38 Auditors observed a strong awareness of these privacy resources during interviews with school staff. Staff were aware they could seek advice from Legal Liaison if any doubts or concerns arose and a good relationship existed between all schools and Legal Liaison staff.
4.39 Auditors also noted the high quality of the Access to Student Records policy/procedures and guidelines, in providing accurate information on the operation of the Privacy Act when responding to requests for the release of student information.
Handling requests for student records
4.40 Requests for student records are handled by the Records Management Unit of Information and Knowledge Services, Legal Liaison or by schools.
Requests handled by the Records Management Unit
4.41 All student records must be registered in ETD’s records management system (TRIM). These records may include personal details, examination and test results, reports about student progress, correspondence with parents/carers, copies of accident reports, enrolment records, absence notes, records of suspension, disciplinary records, transfer notes and health records.
4.42 Within ETD, access to these records is limited to schools and to specific areas of Central Office, including the Records Management Unit.
4.43 Records Management also provides an archiving facility for the storage of school-leavers’ records.
4.44 The Records Management Unit handles routine requests for information no longer held by schools, including:
- academic and school reports
- progress reports
- individual learning plans & attendance records
- enrolment information.
4.45 Records Management also provides student data to Legal Liaison when it responds to requests for student information.
4.46 Requests to the Records Management Unit are mainly from former students, about their own information.
4.47 External requests for information may include:
- employment agency requests for academic transcripts. These can be handled by Records Management as long as the student has given their consent
- parents requesting routine information belonging to their child, which can also be provided as long as the student is under 18 or student consent has been given
- requests for psychological reports/counselling information, which are referred back to counsellors in the Student Wellbeing and Behaviour Support section of Central Office
- requests under subpoena or from solicitors which are referred to Legal Liaison.
4.48 When Records Management receives a request for student information:
- it creates an internal file
- it asks the applicant to complete a request form. The request form used is based on a template from the Access to Student Records procedures and includes the establishment of identity
- if the student is over 18, information cannot be provided without the written consent of the student, even if the request is made by a parent
- if the student is under 18, routine requests for information by the child’s parents will be met by the Records Management Unit, however, no other requests will be acceded to without consent
- a standard letter is sent to the student, advising them that their information has been disclosed to the applicant
- a copy of the requested information is provided to the applicant
- a photocopy of the information provided is placed on the internal file.
4.49 The above process is in keeping with the Access to Student Records policy and implementation documents, and complies with the requirements of IPP 11.
Requests handled by Legal Liaison
4.50 Student information requests handled by Legal Liaison include requests by:
- courts (subpoenas/notices for non-party production)
- the Australian Federal Police (AFP) and State Police
- ACT and Australian Government, including ACT Community Services Directorate, the ACT Human Rights Commission and the Department of Immigration.
4.51 Legal Liaison is responsible for preparing internal policies and implementation documents such as the Access to Student Records policy/procedures and guidelines. They provide advice to other areas of Central Office and to schools on privacy issues and also handle non-routine requests for information.
4.52 The Access to Student Records Guidelines for Staff lists ETD areas ‘authorised to manage and respond to requests for student records in various contexts’.
4.53 Non-routine requests for student information are generally handled by Legal Liaison, except where:
- schools handle requests from Centrelink, the Office for Children, Youth and Family Support (OCYFS) and Community Youth Justice, for non-academic school records such as names, date of birth and attendance records.
- schools handle applications for academic records by OCYFS and Community Youth Justice. In addition, schools have mandatory reporting obligations to OCYFS under the Children and Young People Act 2008 (ACT) if neglect, abuse or harm is suspected by teachers or specified professionals.
- the Educational Performance area and the Board of Senior Secondary Studies handle year 10 and year 12 certificate requests respectively.
4.54 Schools and other areas of Central Office will also escalate requests to Legal Liaison, if the request is complex or there is uncertainty on how to approach the issue.
4.55 Auditors observed that Legal Liaison’s approach when releasing information is closely aligned with the guiding principles of IPP 11. Before disclosing data, Legal Liaison:
- confirms the identity of the applicant where requests are made for law enforcement purposes or if authorised/required by law
- checks for imminent threats to life or health, by clarifying the reason for the request. Legal Liaison verifies whether parents (if the student is under 18) or the student (if over 18) were aware of or had consented to the disclosure, in cases where none of the above exceptions apply
- ensures that a parent requesting their child’s information is legally authorised to do so and that there are no court orders preventing the disclosure.
4.56 When Legal Liaison receives a request for student information:
- it creates a file and keeps a record of consent/authority on file, where relevant
- requests for student information required or authorised by law must be provided on letterhead and outline the legislative basis for the request
- it verifies emailed law enforcement requests by phone where unclear, as police email addresses do not always follow a consistent format
- it denies requests by relatives with no parental responsibility. They are also informed of the disclosure process and advised that consent from a legal guardian is required prior to a disclosure occurring
- parents seeking student information are often advised that Legal Liaison will be verifying with the other parent that there are no court orders in place to prevent disclosure. Proof of parentage may also be provided.
4.57 Auditors noted Legal Liaison’s clear awareness and appropriate application of the Privacy Act when handling requests for student information.
4.58 Auditors also noted, however, that while Legal Liaison includes notes of disclosure in its own files when responding to requests under IPP 11.1(e), there is no formal process in place for a note of disclosure to be placed on the student record. Some schools did place a note on the student file when receiving a request from Legal Liaison for student information.
4.59 Guideline 47 of the Guidelines to the Information Privacy Principles states that:
- a disclosure note should normally be made on, or attached to the record containing the personal information
- where the personal information is held on computer, the note should be linked, or refer, to the particular personal information disclosed
- the note should outline the exception relied on to make the disclosure (ie, IPP 11.1(e))
- the note should state when, by whom, to whom and for what purpose the disclosure was made.
4.60 If the agency considers it impractical or undesirable to attach notes of disclosure to the record, it may rely on a separate disclosure log for IPP 11.1(e) requests, however, the record must specifically refer to the log and how it can be accessed.
Requests handled by Schools
4.61 Auditors observed some variability in the practices adopted by schools when addressing requests for student information.
4.62 While some schools only respond to written requests for information, others more frequently accept verbal requests and provide verbal disclosures of student data.
4.63 Both verbal and written disclosures were greatly reliant on the accuracy of MAZE records, to verify consents and the identity of authorised representatives.
4.64 One school informed auditors that there can be a delay between schools receiving court orders and updating the student record in MAZE.
4.65 While heavy reliance on MAZE represents a possible privacy risk for ETD, auditors note that paragraph 2.7 of the Access to Student Records Guidelines for Staff cautions staff against disclosing any student information where the identity and parental status of the applicant is unclear. ETD may wish to reinforce the message to school staff.
4.66 Auditors noted a very good awareness among school staff of the resources available to them when considering requests for student information, including:
- the school executive (Principals and Deputy Principals)
- Legal Liaison
- School Network Leaders
- informal teacher / principal support networks
- the Access to Student Records policy, procedures and guidelines and SLIM.
4.67 In addition, auditors observed a common awareness across schools that they could refer to Legal Liaison for advice or to escalate challenging requests for student data.
4.68 Across the board, schools adopted a cautious approach to disclosures of student information and were more likely to withhold data than to improperly disclose it.
4.69 The types of requests managed by schools include requests:
- by parents for their child’s information
- from students’ relatives
- under subpoena
- from ACT government agencies, particularly Youth Justice and Care and Protection requests
- from interstate schools, including transfers from Department of Defence families
- from AFP and interstate police
- from charitable organisations
- from Australian government agencies, including DIAC and Centrelink.
4.70 When handling requests for student information by parents or relatives:
- schools took reasonable steps to verify the identity of the applicant, by requesting a face-to-face appointment or a request in writing, or by relying on previous interactions and familiarity with the parent in question
- schools generally consulted MAZE as a precautionary measure, to ensure there were no court orders in place against the parent
- all schools denied requests from parents who had court orders against them, preventing the release of their child’s information to them
- schools generally denied requests from a student’s relatives (grandparents, aunts/uncles) unless:
  - they were listed as an authorised representative on MAZE
  - an incident/accident involving the student had occurred and the relative was listed as an emergency contact
- consent was provided by students over 18, prior to disclosing information to a parent/authorised representative
- consent was also sometimes sought from a young person prior to disclosure, depending on the nature of the information requested and/or the maturity level of the student.
4.71 Schools generally do not disclose accident/incident data containing third party student information.
4.72 Requests received from external agencies or bodies such as ACT and Australian Government agencies, courts and police are generally referred to Legal Liaison.
4.73 Some schools gather requested information (eg requests under subpoena) on Legal Liaison’s behalf. The school then forwards the information to Legal Liaison, along with the request, without disclosing the information directly to the requester.
4.74 Auditors noted that in specific situations, however, schools will provide police attending the school with on the spot information about students. While schools are encouraged to refer any law enforcement related requests to Legal Liaison, Central Office is aware of and supports schools meeting urgent requests directly. Central Office procedures outline this process.
4.75 Where verbal exchanges with law enforcement occur, schools must ensure that the applicant’s identity and the purpose of the application are verified. Any disclosures should also be noted on the file, as outlined in paragraphs 4.58 - 4.60 above.
4.76 Interstate student record transfer requests are only met by schools once they verify student and/or parent consent. As previously outlined in this report, the Interstate Student Data Transfer Note form seeks consent for the transfer, from students aged 16 and above.
4.77 Auditors observed that all schools have a policy for the use and disclosure of photographic material depicting students. All schools had forms seeking parental consent for the disclosure of this information. The auditors note that consent is not required by the Privacy Act as long as a comprehensive IPP 2 notice (including usual disclosures) is provided; seeking consent is nevertheless good privacy practice.
4.78 Where sexual or physical abuse is suspected, school teachers and counsellors have mandatory reporting obligations to the ACT Government Community Services Directorate, under Care and Protection provisions of the Children and Young People Act. Personal information required under this Act includes the name or description of the child or young person whose abuse is suspected. All schools were aware of their reporting obligations and relied on IPP 11.1(d) when disclosing this information.
4.79 The audit did not identify any specific issues of non-compliance with ETD’s obligations under IPP 11.
4.80 However, there is a risk that notes of disclosures made under IPP 11.1(e) are not being placed on all student files, as there does not appear to be a formal process in place to address this issue. Where Legal Liaison can fulfil a request without contacting the school, the school, as holder of the record, may not be aware that a disclosure has occurred.
Recommendation 3 - Include notes of disclosure on student records, where relevant
4.81 The auditors recommend that ETD’s Access to Student Records implementation documents provide direction on including notes of disclosure on student records when responding to law enforcement data requests. Legal Liaison may also wish to advise Central Office and schools of their IPP 11.2 obligation in ETD’s weekly Bulletin.
Other identified issues
Staff Training and Development
4.82 A substantial amount of the work around handling requests for student information in schools is managed by Principals, Deputy Principals and Office / Business Managers.
4.83 Staff privacy refresher training is provided yearly as part of school induction programs. Training is generally rolled out at the start of the academic year for all staff. Principals also participate in the training and are provided with 1-2 days of additional training.
4.84 School feedback on privacy training was positive. Staff described the program as being adequate to their privacy needs and inclusive of the new policies and processes implemented in the preceding year.
4.85 Auditors noted a best privacy practice measure adopted in some schools, where temporary personnel who miss training at the start of the year are trained / mentored by assigned staff before attending the following year’s session.
4.86 Other policy and procedural updates are provided to schools through weekly Bulletins. The Bulletin is often shared with Deputy Principals to ensure tasks are completed.
4.87 Auditors observed that the privacy training materials provided to school staff are of a high quality and relevance to the situations encountered by staff in schools.
Utilising internal resources
4.88 Auditors observed strong awareness among staff of the resources available to them if they came across any privacy-related issues in the course of their work. These included the Access to Student Records policy and implementation procedures, the Student Legal Information Manual (SLIM), staff working in the Legal Liaison unit and School Network Leaders.
4.89 Auditors also noted the high quality of available privacy resources within ETD.
4.90 The Risk Management and Audit section of the Information, Communications and Governance has been instrumental in developing a Risk Management / Audit toolkit. This resource is available to all ETD staff on their intranet.
4.91 Risk Management and Audit also manages an annual audit program, consisting of 15 - 20 school audits a year. In addition, each new ACT school is audited within the first 6 months of operation. Audits focus on financial, administrative and governance issues.
4.92 Auditors noted that the Risk Management and Audit section does not currently perform internal privacy audits, nor was it involved in scoping risk as part of the implementation process around the Access to Student Records policy.
4.93 ETD has a valuable resource in its Risk Management and Audit section and may not be taking full advantage of this resource from a privacy point of view.
Recommendation 4 - privacy component to annual audit program
4.94 The auditors recommend that ETD include a privacy component in its annual audit program, to ensure ongoing compliance with its privacy obligations. A privacy component as part of the annual compliance checklist may also assist in keeping key privacy issues on the agenda for schools.
Part 5 - Summary of recommendations
Recommendation 1 - Provide comprehensive privacy notices on all forms
5.1 The auditors recommend that schools and Central Office include a privacy notice on all forms collecting student information. The notice must outline the purpose/s for which the information is being collected, any entities to which the information is usually disclosed and any legal authority/ies for collecting the information. The notice should be in a font size and location that is easy to read or find. Where information is collected verbally, or children are considered too young to understand the meaning of a written privacy notice, schools may wish to provide a verbal explanation.
The auditee accepted this recommendation and made the following comment:
The Directorate has been working progressively to support schools to include appropriate IPP2 statements on all forms collecting personal student information. The Directorate appreciates the advice provided by the OAIC Audit Team.
Recommendation 2 - Renew consents regularly and notifications as required
5.2 The auditors recommend that schools renew consents on a yearly basis and may wish to include this as part of the annual MAZE update sent out to parents/legal guardians. Notifications should also be renewed if a student’s authorised representative or legal guardian changes.
The auditee accepted in part this recommendation and made the following comment:
Annual renewal of consents may be onerous for schools and parents. Schools send out MAZE updates each year and ask parents to advise any changes. However the Directorate will work with schools to clarify if there is a way to facilitate annual updating and to ensure review of consents where a student’s parental care circumstances change.
Recommendation 3 - Include notes of disclosure on relevant student records
5.3 The auditors recommend that ETD’s Access to Student Records implementation documents provide direction on including notes of disclosure on student records when responding to law enforcement data requests. Legal Liaison may also wish to advise Central Office and schools of their IPP 11.2 obligation in ETD’s weekly Bulletin.
The auditee accepted in part this recommendation and made the following comment:
The Directorate prefers the approach suggested at 4.60 of a disclosure log which would be held centrally by Legal Liaison with the relevant student file having a form which refers to the disclosure log and how to access it. The Directorate would advise schools through the weekly Schools Bulletin.
Recommendation 4 - privacy component to annual audit program
5.4 The auditors recommend that ETD include a privacy component in its annual audit program, to ensure ongoing compliance with its privacy obligations. A privacy component as part of the annual compliance checklist may also assist in keeping key privacy issues on the agenda for schools.
5.5 The auditee accepted this recommendation and made the following comment:
The Directorate appreciates the value of this recommendation of a privacy component in the annual audit program and has taken steps to include references in the 2014 compliance checklist to the Access to Student Records procedures.
1. Information sheets / handouts
2. Student forms
3. Internal Reference Materials