Privacy

Good privacy practices help schools to build trust with parents and students and meet legal obligations to protect individuals' personal and health information. All school staff share the responsibility and obligations of protecting privacy.

Policy

All schools are required to follow the Department's standardised Schools' Privacy Policy and must post a link to it on the school's website. The Schools' Privacy Policy describes how schools collect and manage personal and health information, consistent with Victorian privacy law and Department policy.

How to implement the Schools' Privacy Policy

Step one: link to the policy

Post a link on the school's public facing website to the Department's Schools' Privacy Policy. This policy link replaces any local school policy schools may have previously published.

Step two: share supporting information with staff

Share the School Privacy Policy FAQs for Staff to help them understand when they should share 'need to know' information. 

Step three: share supporting information with the school community

Share the Information for Parents – Schools' Privacy Policy with the school community to help them understand how the school handles their information. Translations for culturally and linguistically diverse communities are also available to download from this site.  

Step four: use the new collection statements

The Department has updated the collection statements to match the Schools' Privacy Policy. Use these standard statements for new enrolments at the school:

Collection statements

It is important to be transparent and communicate with students and their parents about how their personal information will be handled in the school environment. One of the ways we do this is by using collection statements (sometimes referred to as privacy statements or collection notices).

A collection statement is a plain language statement that explains to people what information needs to be collected, why, and how it will be handled after being collected.

Enrolment and annual collection statements

The standard collection statements below must be used by schools during the enrolment process, communicated annually and provided to parents at other times on request. These collection statements cover the standard reasons that schools need to collect and use information in order to perform core functions.

Notifications for online services

For third party online services or applications (online services) which handle student or parent information, e.g. Compass or Mathletics, schools can customise the following templates and use them to notify parents. These notices are used in addition to the standard collection statements.

Sample Notice – single online service in our school

Use this notice to communicate to parents through the usual school communications channels (for example, newsletter or email) before implementing each new service.

Sample Notice – multiple online services in our school

Alternatively, use a consolidated notification about all relevant third party online services currently used in the school. This is sometimes known as a digital learning statement or an online services statement. This removes the need for detailed individual notices to be provided each time a new service is implemented. This statement should be updated regularly and made available to parents on the school's website.

The Department can provide schools with a template tool called a privacy matrix to document and assess third party online services that handle student or parent information. If using a consolidated notification,  schools are encouraged to first complete the privacy matrix. Content from the matrix can then be incorporated into the statement. See: Privacy matrix

Other collection statements

For projects or activities that include collection of personal information that are not covered in the standard collection statement or an online services statement, such as for fundraising purposes, you may need to create a separate statement to inform parents and students.

Any collection statement must include:

  • the identity of the organisation collecting the information and how to contact it
  • the purposes for which the information is collected
  • to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind
  • the fact that the individual is able to gain access to the information
  • any law that requires the particular information to be collected
  • the main consequences (if any) for the individual if all or part of the information is not provided.

Schools can use the collection statement generator to create a plain language collection statement.

School staff needing assistance can contact the Privacy team at: privacy@edumail.vic.gov.au

Consent

Privacy laws refer to consent, which is when someone agrees for their information to be collected, used and/or shared outside of the school or Department. Consent must be informed, specific, current and voluntary, which is especially important when the subject matter or content is sensitive.

Under the relevant privacy laws, consent is required to collect, use and disclose any health information (with certain exceptions prescribed in the law such as when the collection, use or disclosure is necessary to lessen or prevent a serious threat to an individual's life, health, safety or welfare).

In some instances, Department policy also requires schools to obtain consent to collect personal information (in addition to health information) where it is considered good practice to do so.

Both privacy laws and Department policy require consent to use or disclose any personal information that schools have collected, where that use or disclosure is not for the same purpose or a reasonably expected related purpose for which it was collected. However, there are some exceptions in privacy laws that allow schools to use or disclose information without consent in these circumstances, such as sharing personal information with a law enforcement agency to assist in an investigation.

For what must be communicated to parents/carers on the management of student personal and health information, see: Collection statements

For how personal and health information of students, staff and others can be shared, see Sharing information

In cases where consent is required for the collection of information, if consent was granted at the time of collection, it is not necessary to re-seek consent if you plan to use the person's information for the same purpose or a reasonably expected related purpose for which it was collected. However, it is good practice for schools to ensure they have communicated clearly what those purposes are. See: Collection statements

In some circumstances, schools may need to ensure specific consent is obtained, with the most common being photographs and recordings of staff and students, and research in schools.

The following information sets out the Department's policy on when consent must be obtained to collect, use and/or disclose personal and health information.

Photographing, filming or recording staff and students

Consent must always be considered when taking or publishing photographs and film of staff and students. For information on consent and other considerations when taking photographs or video, see: Photographing, Filming and Recording Students

School-level policy and consent form templates are available on the School Policy Templates Portal at: Photographing, filming and recording students

When taking photos of adults, schools should also consider using the adult consent form: Consent Form - Photography and filming - Adult Verbal consent is also an option for low risk circumstances.

Conducting research in schools

All research conducted in schools requires consent from participants whether staff or students and, for any student under the age of 18, consent from parents/carers. This applies to both research conducted by external researchers and research commissioned or conducted by the Department.

Where the proposed research involves photographing or filming, the researcher must obtain specific agreement from the participants (or their parents/carers, as required). This consent should be defined and included in the consent for participating in the research.

Schools should use the following templates to inform parents of any proposed research activity and to seek their consent for their child/ren to participate in the research. 

Online services and applications

Online services and applications (online services) often handle student or parent information, e.g. Compass or Mathletics. Schools can take different approaches to seeking parental consent when implementing these services, depending on local circumstances or expectations of their school community.

When implementing an online service, schools should consider whether consent for use of the service is required, and if so, whether opt in or opt out consent is most appropriate for the specific situation.

  • Opt in consent can be used when the service is not for a standard school function (e.g. a fundraising event with the local sporting club); and parents may not reasonably expect such use.
  • Opt out consent can be used when the service is for a desirable, but not mandated, school function (e.g. for teaching and learning purposes).
  • No consent is needed when the service is for a school function that is mandated by law (e.g. same day notification of unexplained absences).

Privacy law also allows for student and parent information to be used and shared without consent for specific purposes, such as, when it is necessary to lessen or prevent a serious harm, or for law enforcement purposes.

In all cases, schools should ensure parents are adequately informed about the use of the online service so they are not taken by surprise. See: Notifications for online services

Where an online service uses photographs or videos of a student, the Department's Photographing and Filming Students Policy applies, and parental consent is required. If consent was granted previously for this use or you are using it for a reasonably expected related purpose, the school may decide that no further consent is necessary or use opt out consent.

The Privacy team can provide further advice on consent for use of online services.

Photographs, filming and recording

Photographs, films and other recordings (photographs) of individuals are considered personal information, and as such are protected by privacy law in the same way as other personal information. They may also be protected by copyright law.

The key privacy considerations for taking or publishing photographs are consent, context and risk. If your school is intending to take photographs of students, please refer to the Photographing, Filming and Recording Students for detailed guidance.

Your school will also need to have a school-level policy and consent forms. For templates, see: Photographing, filming and recording students 

Sharing information

Personal and health information of students, staff and others can be shared to carry out school and Department functions, for other related purposes and in other limited circumstances such as where there is a risk to health and safety.

'Need to know' framework

All staff should share information about students, staff and others on a 'need to know' basis, that is, to allow staff to perform their primary function (or for a secondary purpose that would be reasonably expected by the individual whose information is being shared).

See the FAQ for staff for detailed guidance on the 'need to know' framework and the Schools' Privacy Policy for more information on primary and secondary purposes.

Sharing information helps schools and the Department to:

  • educate students, plan for individual needs and address barriers to learning
  • support the students' social and emotional wellbeing and health at school
  • fulfil legal obligations towards students and the community.

Sharing information about students

The 'need to know' framework sets out that school staff can share student information amongst other school staff and relevant members of the Department to enable the school to:

  • provide for and support the student's education
  • support the student's social and emotional wellbeing and health
  • reduce the risk of reasonably foreseeable harm to the student, other students, staff or visitors (duty of care)
  • make a reasonable adjustment for the student's disability (anti-discrimination law)
  • provide a safe and secure workplace (occupational health and safety (OHS) law).

In addition to considering the 'Need to Know' framework, there is detailed guidance on how to respond to specific requests for student information by third parties, see: Requests for Information About Students

For guidance on schools sharing information relating to a student who has been impacted, or is suspected to be impacted, by abuse, see: Child protection privacy and information sharing

School transfers

When a Victorian government school student has been accepted at another Victorian government school, the transferring school will provide the student's information to that next school.

Schools should apply the 'Need to Know' framework when transferring student information stored outside CASES21 and ensure that it is transferred securely.

Parent consent is not required to transfer student information or records (including Student Support Services/Departmental Confidential Student files) to the student's next Victorian government school. For more detail, see: School transfers 

Staff information

Staff information should be shared using the 'Need to Know' framework to allow other staff to perform their function, for example, to recruit and pay staff, support their health and wellbeing, and to comply with the Department's legal obligations, policies and staff codes of conduct. This may include sharing necessary information with the relevant school, regional or central office staff, where permitted.

Privacy impact assessments (PIA)

A privacy impact assessment (PIA) identifies and assesses the privacy impacts of any initiative, project or software that handles personal, sensitive or health information.

Conducting a PIA helps schools identify privacy and security risks, evaluate compliance with the Victorian Privacy and Data Protection Act 2014 and Health Records Act 2001, and document what actions are required to mitigate any identified risk. This also helps schools identify important information to include in parent notifications to ensure parents are better informed.

Privacy law requires all of us to take reasonable steps to implement practices, procedures and systems to protect personal and health information and handle it appropriately. By doing a PIA and building in privacy requirements in initial stages, the school can demonstrate this to parents and, if necessary, the Victorian Information Commissioner and Health Complaints Commissioner.

Schools should consider conducting PIAs for:

  • any third party software (free or purchased) used in the school that handles personal, sensitive or health information, particularly for third party software that is considered high risk; or
  • any existing process, project or software that is modified in a way that changes how personal, sensitive or health information is handled. If a PIA was completed previously, then this may need to be reviewed and updated.

The Department's Privacy team can support schools to conduct a PIA.

Key terms

  • Personal information is recorded information or opinion about an identifiable individual. It can be almost any information linked to an individual, including name, address, sex, age, financial details, marital status, education or employment history. De-identified information about individuals can also be personal information if it has the potential to be re-identified.
  • Sensitive information is recorded information or opinion about an identifiable individual's racial or ethnic origin, political opinions or affiliations, religious beliefs or affiliations, philosophical beliefs, sexual preferences or practices, or criminal record.
  • Health information is information or opinion, whether recorded or not, about an identifiable individual's physical, mental or psychological health, e.g. a person's disability, medical history or workplace accident details.
  • Third party software: is software or an online service purchased from a third party, including Department brokered software such as Google's G Suite, but excluding Department-owned software or systems e.g. CASES21, SOCS.

Conducting a PIA

When to use the PIA template

When procuring new third party software (regardless if free or purchased), schools should consider completing the PIA template as part of their procurement process. At a minimum, the PIA template should be completed for all third party software that is identified as high risk.

Software may be high risk where it:

  • handles sensitive or health information about students, parents or staff
  • handles photos or videos of students
  • offers cloud storage or allows access through the internet or mobile devices
  • has certain kinds of functionality: remote access, video or teleconferencing, unmoderated or unsupervised chats
  • allows users to share content publicly
  • is a new and relatively unknown software that handles personal information.

If unsure about whether a PIA template is needed, please contact the Privacy team.

How to use the PIA template

Download the PIA template

The PIA template consists of: Risk Identification (Part 1), Action Plan (Part 2) and Endorsement (Part 3). Supporting resources can be found in the Appendices.

Risk identification

Part 1 of the PIA template is an analysis of the proposed software or system against the 10 Information Privacy Principles at each stage of the information life cycle (collection to disposal).

Things to consider at each stage of the information life cycle:

  • Prior to or at collection: the type of information collected — Is it necessary? Is it a new collection or existing information? Is a new collection statement needed?
  • Use and disclosure: Does the use and disclosure of existing information fit with the original collection purpose? Is there a reasonable expectation of the use and disclosure? Is consent needed? Who will the information be disclosed to? Do similar privacy protections apply if there are information flows outside Victoria?
  • Holding and storage: How can the currency and quality of personal information be assured? What safeguards will protect against misuse, loss, unauthorised access, modification or disclosure? What procedures enable individuals to access and correct their information?
  • Disposal: Do any mandatory retention periods apply by law? How will information be destroyed or permanently de-identified?

For help in understanding risk identification, please contact the Privacy team.

Action Plan

In Part 2 of the PIA, the school will:

  • identify privacy risks which need to be addressed
  • determine the risk rating for each risk based on processes currently in place
  • specify further action required to further reduce the risk rating to an acceptable level, the responsible person/area and the timeframes for completion.

The PIA template contains a list of suggested privacy risks and actions. However these are not exhaustive and must be amended, deleted or added to in order to ensure that the Action Plan is relevant for the school and the proposed project or software.

Endorsement

In Part 3 of the PIA, the Principal endorses and accepts responsibility for the mitigation actions and residual risk described in the PIA.

  1. After the Privacy Officer has advised that the PIA is ready for signing, the Principal must review Part 1 and Part 2 before signing Part 3.
  2. The staff responsible and Privacy Officer also sign Part 3.

After the PIA is signed

  • Send a copy of the signed PIA to the Privacy team. Principals may also share a copy of the PIA with the school council if they wish.
  • Keep the signed PIA with other project documentation (e.g. security assessments and contracts).
  • Provide updates to the Privacy Officer at the end of each proposed timeframe until all Action Plan items are completed.
  • The PIA is a live document, and the staff responsible should record any additional actions taken after the PIA template is signed. This can be done by adding pages after Part 3.
  • The PIA may need to be updated if new privacy risks arise from project or software changes.

Privacy matrix

The privacy matrix is a high level summary of all third party software in a school which handles personal, sensitive or health information. It can be used separately from, and in addition to, the PIA template.

When the privacy matrix identifies high-risk software, schools should complete the PIA template for that software to ensure that the risks are fully identified and mitigated. For example, third party digital software that handles a lot of student information, or uses a cloud service provider, tends to be higher risk so a school should complete a PIA template for this.

The information in the matrix helps schools streamline privacy notifications to parents. Schools can publish content from the matrix on their website to keep current and prospective parents informed of systems in use at the school. See: Notifications for online services

How to use the privacy matrix

  1. Download the matrix
  2. List all third party software (purchased and free) used in the school that handles personal, sensitive or health information. (Schools can ask their specialist technicians for the school's ICT inventory, and refer to the software listed in item 7 'Software Licensing'. Please note that not all software listed in the ICT inventory handles personal information and there may be free software used by the school that is not listed.)
  3. Populate the rest of the matrix by following the instructions within the matrix.
  4. Send the completed privacy matrix to privacy@edumail.vic.gov.au for review. The Privacy team can advise what additional actions may be required, for example which software requires a PIA template to be completed.
  5. Update the matrix each time new software is introduced in the school and ensure that the notification to parents is similarly updated. The privacy matrix should be reviewed regularly e.g. annually.

Health care information

Health care information describes the health and wellbeing needs or conditions of an individual. It needs higher protections than other personal information because inappropriate use and disclosure may cause greater harm or discrimination to individuals. Examples of records that may contain health care information are:

  • Individualised Learning Plans (ILPs), educational needs assessments, and behavioural support plans which include health care information provided by Student Support Services (SSS) or allied health professionals
  • reports and assessments from health practitioners provided by parents to the school
  • student support planning forms, which include student health and wellbeing support plans, child abuse concerns, asthma or allergy care plans, individual anaphylaxis management plans, and SSS referrals
  • Program for Students with Disabilities applications.

Responsibilities for providing and collecting health care information

WhoResponsibility
Parents/carers
  • Must ensure the school has relevant health care information about their child
  • May choose to limit the release of information about chronically ill or critically injured students, who are not currently attending school
Schools
  • Exercise sensitivity to the family's needs
  • If parents/carers or adult/independent students wish to limit the release of information, the school must inform them:
    • of the school's need to be aware of the student health conditions and first aid requirements so that plans for support can be put in place
    • how their personal and health information is protected
  • Subject to consent from the parent/carer, assist by providing observations (not interpretations) of the student's behaviour, which can then be used to assist the student's medical/health practitioner in monitoring and planning their health care
Health professionals
  • Must disclose student personal and health information when needed to ensure a student's health, safety or wellbeing
  • Must not divulge a student's personal or health information unless:
    • parent/carer consent is provided
    • they are legally obliged to, or
    • an exemption clause in privacy legislation applies

Note: If seeking to invoke an exemption clause contact the Department's Privacy team for advice

Information security - DET InfoSafe Program

All school and corporate staff must take reasonable steps to ensure that personal and health information they create, handle or have responsibility for is kept secure and protected from misuse and loss, and from unauthorised access, modification, disclosure or destruction.

The DET InfoSafe Program:

  • has been established as part of the Department's commitment to ensuring that the information it holds is managed and shared sensitively and securely to protect staff, students and their families.
  • will implement a number of privacy and information security initiatives to lift both school and corporate staff capabilities.

For information about this program, see: DET InfoSafe Program

Information and communication technology (ICT) security policies

ICT Security Policy sets out the Department's information security requirements for both the corporate and school environments.

ICT Security Incident Policy provides guidance on identifying and reporting ICT security incidents for both school and corporate staff.

Acceptable Use Policy for ICT Resources for direction to corporate and school staff on acceptable use of ICT resources.

Password Policy for direction to corporate and school staff on password security requirements. 

Portable Storage Device Security Policy provides guidance to corporate and school staff on security for portable storage devices containing sensitive or protected information. 

Records management

Good records management practices are vital for keeping personal information secure.

For advice and responsibilities relating to the management, storage and disposal of records, see: Archives and Records Management

School procurement of ICT systems

For information on the procurement procedure for schools, see: Schools Procurement Policy and Procedure

When schools procure ICT applications and systems, they need to ensure compliance with a number of legislative obligations, including privacy, data protection, records management and accessibility. To support schools in doing this, the Supplier Compliance process has been established to evaluate ICT suppliers.

For information on this process, see: Supplier Compliance process 

Privacy incidents

A privacy incident is any incident where there is a suspected or confirmed loss, inappropriate access, modification, use or disclosure of personal information.

If it is identified or suspected that personal information is not being handled appropriately, notify the appropriate member of the school's leadership team immediately and contact the Privacy team.

Personal information is information about an individual that may identify them. Privacy incidents include:

  • misdirected communications, e.g. emailing the wrong recipient, using cc instead of bcc, or attaching the wrong document
  • accidental access, e.g. applying incorrect access controls to documents, or publishing sensitive documents online
  • unauthorised access, e.g. a student accessing school systems using staff login details
  • Loss, e.g. theft of a USB containing student files, or misplacing a student file (electronic or hard copy)
  • unauthorised disclosure, e.g. uploading student photos on social media without parental consent.

What should I do if I think a privacy incident has occurred?

If a privacy incident is believed to have occurred, or might occur, contact the Privacy team by phoning 8688 7967 or emailing privacy@edumail.vic.gov.au

The team can offer immediate advice and work through the incident response process with the school. 

It is important that the Privacy team is engaged early, so that they can help you throughout the incident and beyond. The team will ask questions to help remediate the issue, and they will also liaise with any other relevant teams (e.g. Information Management and Technology Division and Legal Division) to provide coordinated support.

NOTE: Where the principal reasonably believes that the privacy incident is insignificant, it is at their discretion as to whether or not to contact the Privacy team. An insignificant incident would include situations in which the personal information was not disclosed outside of the school or Department and did not include any sensitive or health information that would cause any harm or concern to a student or their family as a result of the mistaken disclosure.

Incident response process

The Privacy team will evaluate any incident or suspected incident systematically on a case-by-case basis, following these steps:

  1. Preliminary assessment and containment: this happens very quickly to establish the type and scale of the incident, the kind of information and risk involved, and if containment steps are required. This forms the basis of what action needs to be taken and what needs to be done as soon as possible. The preliminary assessment is about documenting key details and containing the incident if it is still uncontained.
  2. Risk evaluation: this is a more detailed assessment of the privacy consequences of the incident. It assesses the scale and severity of the incident, what information has been compromised and any potential harm to individuals and/or the Department. This often includes reviewing the material involved and asking questions to understand how the incident occurred, how it can be contained and how it can be prevented from occurring again.
  3. Notification: in some cases, notification is required. This may involve engaging other areas of the Department, notifying affected individuals and potentially notifying any regulators. If you are considering notifying affected individuals, please contact the Privacy team for advice.
  4. Prevention: a final incident review should be conducted to identify outstanding risks or opportunities that might be addressed to prevent similar incidents occurring.

For a quick reference guide on what to do in a privacy incident, see:

What is not a privacy incident?

If there is a data breach, loss or inappropriate sharing of information that does not include personal information, this is an information security incident rather than a privacy incident. Examples of information security incidents include:

  • unauthorised access of an information system containing financial information, not personal information
  • loss or theft of a USB containing planning documentation which doesn't include any personal information.

Log these incidents immediately with the IMTD Service Desk, who can be contacted by phoning 1800 641 943 or emailing servicedesk@edumail.vic.gov.au

If the incident involves any commercial or sensitive information, contact the Legal Division for further guidance. 

Complaints

If someone is concerned about the way their personal information, or personal information about their child, has been handled, they are able to make a privacy complaint. Privacy complaints should be directed to the Privacy team.

For information about how the Department manages privacy complaints, see: Make a privacy complaint

Training and Support

For an introduction to privacy in schools, complete the Privacy for Schools eLearning module which can be found in LearnED in eduPay.

For privacy advice or face-to-face training at your school, contact the Privacy team on privacy@edumail.vic.gov.au or 8688 7967.

Training and Support

For an introduction to privacy in schools, complete the Privacy for Schools eLearning module which can be found in LearnED in eduPay. 

For privacy advice or face-to-face training at your school, contact the Privacy team on privacy@edumail.vic.gov.au or 8688 7967.

For useful documents and websites, see:

Related policies