Information Privacy


Purpose of this policy

To ensure schools maintain privacy of information.


Schools must:

  • have a privacy policy that is endorsed by the school council
  • abide by legislative privacy requirements in relation to how personal and health information is collected, used, disclosed and stored
  • be reasonable and fair in how this information is treated, not only for the benefit of staff and students, but also to protect the school’s reputation.

Note:  The school’s privacy policy must be provided to anyone who requests a copy.


This information outlines the legislation that covers student records, staff files and information held by Victorian Government schools and the Department.

Privacy and Data Protection Act 2014

This Act applies to all forms of recorded information or opinion about an individual who can be identified, including photographs and emails.  It establishes standards for the collection, handling and disposal of personal information and places special restrictions on ‘sensitive information’ such as:

  • racial or ethnic origin
  • political views
  • religious beliefs
  • sexual preference
  • membership of groups
  • criminal record.

Health Records Act 2001

This Act establishes standards for the collection, handling and disposal of health information, including a person’s:

  • physical, mental or psychological health
  • disability.

Health information can also include access to health services and the nature of these services; however, this type of information does not have to be recorded to be classified as health information.

Objectives and principles

The objectives of privacy laws are to:

  • balance the public interest in the free flow of information while protecting personal and health information
  • empower individuals to manage, as far as practicable, how personal and health information is used and disclosed
  • promote responsible, open and accountable information handling practices
  • regulate personal information handling by applying a set of information privacy principles.

Information privacy principles create rights and obligations about personal and health information; however, these only apply when they do not contravene any other Act of Parliament. In most cases there will be no contradiction, as the relevant action falls within one of the exceptions within the information privacy principles.

School compliance strategies

Some strategies schools can implement to ensure compliance with the Privacy Acts include:

  • nominating a person to manage and review the school’s information privacy
  • conducting a privacy audit to determine what information the school collects, how information is used and with whom information is shared
  • developing a privacy policy, endorsed by the school council, to address a wide range of issues such as the use of student photographs, electronic devices and confidentiality
  • examining data security arrangements
  • ensuring all staff, including volunteers, are aware of and compliant with the school privacy policy
  • establishing a complaints process in liaison with the regional office
  • treating all privacy complaints in the strictest confidence.

Privacy exemptions

Personal and health information can be disclosed for a purpose other than that for which it was collected, and without the person’s consent, when the disclosure is:

  • necessary to lessen or prevent a threat to life, health or safety
  • required, authorised or permitted by law or for law enforcement purposes
  • used for research or compilation of statistics in the public interest, in certain limited circumstances.  Any research in schools must be first approved by the Office for Policy, Research and Innovation.

See: Research in Schools   

Privacy and duty of care

Privacy laws recognise and permit schools to collect, use and disclose information so that they can comply with their duty of care to students. A key element of duty of care is that the processes and procedures used are documented and records kept.

See: Duty of Care

Privacy and parents/guardians

Providing information to parents/guardians

To assist decision making about a student’s needs, schools inform parents/guardians of the student’s academic progress, behaviour, educational options or special educational requirements.

Privacy laws do not restrict this use of the information, as this is the purpose for which it is collected.

Court orders

Unless a court order is made under the Family Law Act, both parents of a student have the same rights to access information about the student.

See: Decision Making Responsibilities for Students 

Enrolment information

Schools must:

  • provide a privacy notice with the enrolment form explaining to the parents and student why this information is being collected, what it is used for, where it might be disclosed and how they can access information held about them
  • only use the information collected during enrolment for the purposes for which it was collected. Disclosure for an unrelated purpose requires parental consent or, in the case of a secondary student, the consent of the parent and student, unless the circumstances fall within one of the above privacy exemptions.

See: Admission

Health Information

Health related information can be:

  • kept confidential by the principal, or
  • shared with:
    • selected staff to the extent they need to know to care for the student, or
    • all staff when they need to know in case of emergencies.

Note 1: Counselling services are health services and records are confidential health records.  Confidentiality of information disclosed during a counselling session must be maintained unless the student provides consent or the situation falls into a privacy exemption category.

Note 2: Career counselling is not a health service.

See: First Aid Needs


Transferring student information between Victorian government schools is allowed when:

  • parents/guardians are informed of the process
  • schools meet the Department’s standards in transferring files.


The privacy laws do not change the individual’s right to access their information that is held by a government school. The individual’s right to access remains via a request made under the Freedom of Information Act 1982.

The Privacy and Data Protection Act 2014 and the Health Records Act 2001 encourage organisations to be open and transparent about what personal and health information they hold about individuals. When it is appropriate, schools can provide individuals with informal access to their own personal or health information. However, the person seeking access should make a request under the Freedom of Information Act 1982 if records hold information:

  • provided by a third party
  • that identifies a third party or
  • that may cause harm to the individual or others.

See: Freedom of Information


When a complaint is made:

  • that a member of staff has breached privacy, then the principal should attempt to resolve the matter. If required, the regional privacy coordinator can provide the principal with assistance. However, schools and regions that receive privacy complaints should contact the Department’s Privacy Officer on (03) 9637-3141 or for advice.
  • to the Victorian Health Services Commissioner about ‘an interference with health privacy’ by a school, this will be sent to the Department's Privacy Officer who will inform the region and school
  • about a school to the Commissioner for Privacy and Data Protection and the complainant has already approached the school, this will most likely be referred to the Department’s Secretary
  • because the complainant is not satisfied with the Department’s investigation and response, the complaint can then be taken to the Commissioner for Privacy and Data Protection.  In most circumstances the regional director or regional privacy coordinator will be informed about the investigation.

Related legislation

  • Health Records Act 2001
  • Privacy and Data Protection Act 2014
