Department of Education privacy policy

This policy sets out how the department collects and manages personal and health information.

The Department of Education and its entities (collectively referred to in this policy as 'the department') is committed to protecting the personal and health information that we collect, hold, manage, use, disclose and transfer.

This policy supports the department's need to collect information and the right of the individual to privacy.

It ensures that the department can collect personal and health information necessary for its services and functions, while recognising the right of individuals to have their information handled in ways that they would reasonably expect and in ways that protect their personal and health information.

This policy supports staff to act in accordance with the Code of Conduct for Public Sector Employees which requires staff to demonstrate the value of respect by maintaining confidentiality and treating private information properly. Staff treat information properly by complying with legislation and policies relating to dealing with personal and health information.

Scope

This policy sets out how personal and health information is to be collected, held, managed, used, disclosed or transferred, in accordance with the Information and Health Privacy Principles contained within the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic).

The policy applies to all corporate staff, contractors, volunteers and organisations acting on behalf of, or providing services to, the department and the following entities:

  • Children’s Services Coordination Board
  • Disciplinary Appeals Boards
  • Independent Office of School Dispute Resolution
  • Merit Protection Boards
  • School Policy Funding Advisory Council
  • Victorian Academy of Teaching and Leadership
  • Victorian Children’s Council

All staff including contractors, service providers and volunteers working in Victorian government schools must act in accordance with the Schools' privacy policy.

In addition to its obligations described in this policy, the department has limited and specific obligations under national applied law schemes which are set out in the department’s Privacy policy (National Law). These additional obligations relate to our role as the early childhood services regulator for Victoria, and also in relation to health practitioners who are governed by the Health Practitioner Regulation National Law (Victoria). Where clarification is required, contact the Privacy team.

Compliance

The department must collect and handle personal information and health information in accordance with the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) unless otherwise required by law.

Accountable Officer

The Accountable Officer for this policy is the Executive Director, Integrity, Assurance and Executive Services Division (IAESD). The Accountable Officer is responsible for the:

  • development of this policy
  • implementation of any supporting protocols, processes and guidelines
  • ongoing monitoring of compliance with this policy.

Review

This policy will be reviewed and updated from time to time to take account of new laws, technology and processes. The review process will be completed by the Privacy team within IAESD, with oversight provided by the Information Management Technology Committee (IMTC).

Key definitions

Throughout this policy:

  • Personal information is recorded information or opinion, whether true or not, about a person whose identity is apparent, or can reasonably be ascertained, from the information. The information or opinion can be recorded in any form.
  • Sensitive information is a type of personal information with stronger legal protections due to the risk of discrimination. It includes information or opinion about an identifiable person’s racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, membership of a political association, professional or trade association, or trade union. Personal and sensitive information is regulated in Victoria under the Privacy and Data Protection Act 2014 (Vic).
  • Health information is information or opinion about an identifiable person’s physical, mental or psychological health or disability. Health information is a type of personal information which, because of its sensitivity, also has different and stronger legal protections. Health information is regulated in Victoria under the Health Records Act 2001 (Vic).
  • Victorian privacy law refers to the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) collectively. There are additional Acts which have privacy implications and are listed in this policy under the under Associated Legislation and Schemes.
  • Privacy impact assessment means an assessment that identifies and assesses the privacy impacts of any system or software that handles personal, sensitive or health information.

Policy

Personal and health information is collected and used by the department for the following purposes:

  • to plan, fund, implement, monitor, regulate and evaluate the department's services and functions
  • to fulfil statutory and other legal obligations
  • to comply with reporting requirements
  • to investigate incidents in schools and/or defend any legal claims against the department, its schools or its employees.

The department has adopted the Information Privacy Principles (IPPs) and Health Privacy Principles (HPPs) in the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) respectively as minimum standards when dealing with personal and health information.

Adopting the IPPs and HPPs means that, subject to some exceptions (see Information and Health Privacy Principles), the department must not commit an act, or engage in a practice, that contravenes an Information and/or Health Privacy Principle in respect of personal and/or health information collected, held, managed, used, disclosed or transferred by the department unless otherwise permitted by law.

Information and health privacy principles

The Information and Health Privacy Principles most relevant to the department are summarised as follows:

Collection of personal information

The department will only collect personal information if the information is necessary for one of its functions or activities as set out in the Education and Training Reform Act 2006 (Vic), relevant Ministerial Orders and other applicable legislation.

Where the personal information of an individual is collected, reasonable steps should be taken to ensure that the individual is aware of:

  • the identity of the department and how to contact it
  • the fact that the individual is able to gain access to the information
  • who the department usually discloses information of that kind to
  • the purposes for which the information is being collected
  • any law that requires the particular information to be collected
  • the main consequence (if any) for the individual if all or part of the information is not provided to the department.

Collection of health information

The department will only collect health information if the information is necessary for one of its functions or activities and:

  • the department has gained consent from the individual; or
  • collection is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of any individual; or
  • collection is necessary to prevent or lessen a serious threat to public health, safety or welfare; or
  • collection is necessary for the establishment, exercise or defence of a legal or equitable claim.

Where the health information of an individual is collected, reasonable steps are taken to ensure that the individual is aware of:

  • the identity of the department and how to contact it
  • the fact that the individual is able to gain access to the information
  • the purposes for which the information is being collected
  • who the department usually discloses information of that kind to
  • any law that requires the particular information to be collected
  • the main consequence (if any) for the individual if all or part of the information is not provided to the department.

Use and disclosure

The department must only use or disclose personal and health information for the primary purpose for which it was collected, unless it falls within an exception, including where use and disclosure is:

  • for a related secondary purpose and the individual would reasonably expect the department to use or disclose the information for that secondary purpose; or
  • with the consent of the individual; or
  • necessary for research, or the compilation of statistics, in the public interest; or
  • reasonably necessary to carry out a law enforcement function; or
  • otherwise required, permitted or authorised by law. For example, the department may be required to share information to:
    • fulfil its duty of care to students, staff and visitors;
    • provide a safe workplace in accordance with occupational health and safety law; or
    • assess a risk of family violence or for a child wellbeing or safety purpose.

In cases where the use or disclosure is necessary for research or the compilation of statistics in the public interest, the department will seek consent of each of the individuals involved.

Where it is impracticable to seek the individual's consent and when the research or the compilation of statistics cannot be undertaken with de-identified information, the research or compilation of statistics will be carried out in accordance with the National Health Medical Research Council's National Statement on Ethical Conduct in Research Involving Humans, or for health information, in accordance with the Statutory Guidelines on Research.

Data quality

The department values information as an important resource. Accordingly, the department must take reasonable steps to ensure that the personal and/or health information it collects, uses or discloses is accurate, complete, up to date and relevant to the department’s functions or activities.

For example, it is the department’s practice to collect personal information from each individual concerned, rather than relying on other data sources, to ensure that names and other details are accurately recorded.

Data security

The department is guided by the principle that all information is well governed and managed. Accordingly, the department must take reasonable steps to protect the personal and/or health information it holds from misuse and loss, unauthorised access, modification or disclosure. The department will destroy or permanently de-identify personal and/or health information if the department no longer needs the information.

The department requires that a Privacy Impact Assessment is conducted for all new and significantly changed processes that involve personal, sensitive or health information. It also requires that information assets recorded in the department’s Information Asset Register are assigned data classifications. Data classifications determine what level of security is required for each type of information.

Privacy incidents are confirmed or suspected actions of information handling that are inconsistent with the IPPs and/or HPPs. The department’s response to a privacy incident will focus on protecting personal and sensitive information and may require support by the information security team and other areas of the department in order to resolve the incident. To report a suspected privacy incident, please email privacy@education.vic.gov.au.

Openness

To enable greater access to government decisions, the department’s information should be easy to find, access and use. This means that the department must have, and make available, clearly expressed policies on its management of personal and health information.

On request, the department must take reasonable steps to advise individuals, in general terms:

  • what sort of personal information it holds about them
  • for what purposes such information has been collected
  • how it collects, holds, uses and discloses that information.

Access and correction

Individuals have a right to request access to, and to correct, their personal and health information held by the department. Most requests to access and/or correct information held by the department are processed in accordance with the Freedom of Information Act 1982 (Vic).

Parents, guardians and informal carers of students at Victorian government schools are, in most instances, entitled to school reports and other school communications ordinarily provided to a parent, unless a court order restricts this right. For more information, see Requests for information about students.

If a parent, guardian or informal carer wishes to request other types of documents held by Victorian government schools (for example staff diary notes, incident reports, counselling notes) the individual should be advised to make a Freedom of Information request.

In some cases, a student may be determined by a Principal (or nominee) to be a mature minor and able to make decisions independently about their own information. For more information, see Decision making by mature minors.

Unique identifiers

The department limits its adoption and sharing of unique identifiers. The preferred unique identifier for the department is the Victorian Student Number (VSN).

The department will:

  • not assign unique identifiers to individuals unless the assignment is necessary to enable it to carry out its functions efficiently or is otherwise required by law
  • only adopt (as its own unique identifier of an individual), use or disclose a unique identifier assigned by another organisation in limited circumstances.

Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into transactions with the department and the entities covered by the scope of this policy, as long as this does not impede the department’s ability to carry out its functions.

As an example, people can request a policy or other non-sensitive document from the department without having to provide their name, as long as they have supplied a means by which the department can send them the document.

Transfer of information outside Victoria

The department will only transfer personal and/or health information about an individual to someone who is outside Victoria in limited circumstances. Specifically, the department should only transfer personal and/or health information outside Victoria if:

  • the individual consents to the transfer;
  • the department reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which is very similar to the Victorian privacy law; or
  • the department has taken reasonable steps to ensure that the transferred information will not be held, used or disclosed inconsistently with the Victorian privacy law.

In cases where personal and/or health information is being transferred to a jurisdiction whose privacy requirements are inconsistent with Victorian privacy law, the department requires that a Privacy Impact Assessment be undertaken before the data is sent.

Sensitive information

The department will only collect sensitive information in limited circumstances. For example, the department can collect sensitive information if the individual has consented or if the collection is required or authorised by law.

Charter of Human Rights and Responsibilities

When any decision is made in relation to personal, health or sensitive information, such as to use or disclose of that information, the decision-maker should give proper consideration to the Charter of Human Rights and Responsibilities Act 2006.

Guidance on how to apply the Charter when making a decision is available in the The Charter of Human Rights and Responsibilities – A guide for Victorian public sector workers and other departmental guidance.

Associated legislation and schemes

In 2021, prescribed programs/services within the department became an information sharing entity (ISE) in accordance with the Child Wellbeing and Safety (Information Sharing) Amendment Regulations 2020 (Vic) which enable ISEs to collect, use and disclose information with other ISEs for the purpose of promoting the wellbeing or safety of a child/group of children, subject to meeting a legislative threshold.

The Child Information Sharing Scheme (CISS) broadens the circumstances in which information may be shared to support the wellbeing or safety of children. In doing so, the CISS aims to:

  • improve early identification of issues/risks and enable earlier support for children and families
  • promote a shared responsibility for children’s wellbeing and safety across the service system
  • increase collaboration and support integration between services involved with children and families
  • support children's participation in services.

The Child Link Register (the Register) was developed to support the Child Information Sharing Scheme. The Register contains limited but critical information about every child in Victoria, including a unique identifier that is used across government service systems. Information displayed on the Register is only accessible to authorised users who have responsibility for child wellbeing and safety.

Complaints about the handling of personal information on the Child Link Register will be responded to by the department’s privacy team. For all other complaints relating to Child Link email childlink@education.vic.gov.au or contact the Child Link Enquiry Line at 1800 549 646.

The Child Wellbeing and Safety (Information Sharing) Regulations are available from the Victorian Legislation website and the Child Information Sharing Scheme Ministerial Guidelines are also available online. Further information is also available online about the Child Information Sharing Scheme.

Family Violence Protection Act 2008 – Part 5A Information Sharing and Family Violence Information Sharing Guidelines

In 2021, prescribed programs/services within the department became an information sharing entity (ISE) in accordance with the Family Violence Protection (Information Sharing and Risk Management) Amendment Regulations 2020 (Vic) which enable ISEs to collect, use and disclose information with other ISEs for the purpose of assessment or management of family violence and to hold perpetrators to account.

The Family Violence Information Sharing Scheme (FVISS) is designed to minimise the legislative barriers that have previously prevented the timely and effective sharing of information in cases of family violence or in circumstances where the risk of family violence is present. FVISS helps authorised organisations to assess and manage family violence risk.

A Multi-Agency Risk Assessment and Management Framework (MARAM) has been developed to help service practitioners to assess and manage family violence risk, including how to understand the appropriate application of the FVIS and CIS schemes in family violence situations. This framework applies to the department in its entirety as a ‘framework organisation’.

The Family Violence Protection Act and the Family Violence Protection (Information Sharing and Risk Management) Regulations 2018 are available from the Victorian Legislation website. Guidance on sharing information in the context of family violence can be found in the Child Information Sharing Scheme Ministerial Guidelines and further information is also available online about the Family Violence Information Sharing Scheme and MARAM.

The Notifiable Data Breaches scheme

The Notifiable Data Breaches (NDB) scheme came into effect on 22 February 2018 and requires entities captured by the scheme to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of any data breach which are likely to result in serious harm to individuals whose personal information is involved in the breach.

The NDB scheme applies to entities that have obligations to protect the personal information they hold under the Privacy Act 1988 (Cth). This includes Australian Privacy Principle (APP) entities, credit reporting bodies, credit providers and tax file number (TFN) recipients. As a Victorian government agency, the department and the entities covered in the scope of this policy are subject to this scheme only in the case of breaches involving TFNs.

Further information is available at: Office of the Australian Information Commissioner.

General Data Protection Regulation (GDPR)

The European Union (EU) General Data Protection Regulation (GDPR) is designed to align data privacy laws across the EU and offer enhanced privacy protections for individuals in the EU. The GDPR came into effect on 25 May 2018.

The GDPR applies to the data processing activities of businesses, regardless of the size or location of the business, that are data processors or controllers with an establishment in the EU or that process or control the personal data of data subjects that reside in the EU, including Australian citizens located within the EU. The GDPR also applies to international students from the EU.

Queries regarding the GDPR as it applies to the department’s activities can be directed to international@education.vic.gov.au(opens in a new window).

Further information is available at Office of the Victorian Information Commissioner, Office of the Australian Information Commissioner and EU GDPR(opens in a new window).

Complaints

The department will be efficient and fair when investigating and responding to information privacy complaints. The department will investigate and respond to complaints in accordance with the department's information privacy complaints handling process.

More information

For more information about this policy, contact the department’s Privacy team on privacy@education.vic.gov.au(opens in a new window) or (03) 8688 7967.

Updated