Purpose of this policy
To ensure schools maintain privacy of information.
- abide by legislative privacy requirements in relation to how personal and health information is collected, used, disclosed and stored
- be reasonable and fair in how this information is treated, not only for the benefit of staff and students, but also to protect the school’s reputation
- abide by freedom of information requirements - for details, see: Freedom of Information
Victorian privacy law applies to all staff, service providers (contractors) and agents, (whether paid or unpaid) of the Department, and covers student records, staff files and information held by the Department and all government schools.
The Privacy and Data Protection Act 2014 applies to all forms of recorded information or opinion about an individual who can be identified, including photographs and emails. It establishes standards for the collection, handling and disposal of personal information and places special restrictions on ‘sensitive information’ such as:
- racial or ethnic origin
- political views
- religious beliefs
- sexual preference
- membership of groups
- criminal record.
The Health Records Act 2001 establishes standards for the collection, handling and disposal of health information including a person’s
- physical, mental or psychological health
Health information can also include access to health services and the nature of these services; however this type of information does not have to be recorded to be classified as health information.
Objectives and principles
The objectives of privacy laws are to:
- balance the public interest in the free flow of information while protecting personal and health information
- empower individuals to manage, as far as practicable, how personal and health information is used and disclosed
- promote responsible, open and accountable information handling practices
- regulate personal information handling by applying a set of information privacy principles.
Information privacy principles create rights and obligations about personal and health information; however these only apply when they do not contravene any other Act of Parliament. In most cases there will be no contradiction as the relevant action falls within one of the exceptions within the information privacy principles.
School compliance strategies
Some strategies school can implement to ensure compliance with the privacy legislation include:
- nominating a person to manage and review the school’s privacy practices
- conducting a privacy audit to determine what information the school collects, how information is used and with whom information is shared
- examining data security arrangements
- treating all privacy complaints in the strictest confidence and seeking advice from the Privacy team as needed, on (03) 8688 7967 or firstname.lastname@example.org
Personal and health information can be disclosed for a purpose other than for which it was collected and without the person’s consent when the disclosure is:
- necessary to lessen or prevent a threat to life, health or safety
- required, authorised or permitted by law or for law enforcement purposes
- used for research or compilation of statistics in the public interest, in certain limited circumstances. Any research in schools must be first approved by the Office for Policy, Research and Innovation.
See: Conducting Research
Privacy and duty of care
Privacy laws recognise and permit schools collecting, using and disclosing information so that they can comply with their duty of care to students. A key element of duty of care is that the processes and procedures used are documented and records kept.
See: Duty of Care
Privacy and parents/guardians
To assist decision making about a student’s needs, schools inform parents/guardians of the student’s academic progress, behaviour, educational options or special educational requirements.
Privacy laws do not restrict this use of the information, as this is the purpose for which it is collected.
Unless a court order is made under the Family Law Act, both parents of a student have the same rights to access information about the student. See: Decision Making Responsibilities for Students
- provide a privacy collection notice with the enrolment form explaining to the parents and student why this information is being collected, what it is used for, where it might be disclosed and how they can access information held about them
- only use the information collected during enrolment for the purposes that it was collected for. Disclosure for an unrelated purpose requires parental consent or in the case of a secondary student the content of the parent and student, unless the circumstances fall within one of the above privacy exemptions.
Health related information can be kept confidential by the principal, or shared with:
selected staff to the extent they need to know to care for the student, or
all staff when they need to know in case of emergencies.
Note 1: Counselling services are health services and records are confidential health records. Confidentiality of information disclosed during a counselling session must be maintained unless the student provides consent or the situation falls into a privacy exemption category.
Note 2: Career counselling is not a health service.
See: First Aid Needs
Transferring student information between Victorian government schools is allowed when:
- parents/guardians are informed of the process
- schools meet the Department’s standards in transferring files.
Access to information
The privacy laws do not change the individual’s right to access their information that is held by a government school. The individual’s right to access remains via a request made under the Freedom of Information Act 1982.
Privacy legislation encourages organisations to be open and transparent about what personal and health information they hold about individuals. When it is appropriate schools can provide individuals with informal access to their own personal or health information. However, the person seeking access should make a request under the Freedom of Information Act 1982 if records hold information:
- provided by a third party
- that identifies a third party or
- that may cause harm to the individual or others.
See: Freedom of Information
Individuals are able to raise a complaint about the handling of their own personal information, or the personal information of a child for which they have parental or carer's rights.
When a complaint is made to:
- a school, the principal should attempt to resolve the matter. If needed, regional complaints staff or the Department's Privacy Team can provide the principal with assistance. In all cases, the Privacy Team should be notified of complaints on (03) 8688 7967 or email@example.com
- to a regional office, they will refer the complaint to the Department's Privacy Team for response.
If a complaint is made to the Office of the Victorian Information Commissioner (OVIC) or the Victorian Health Complaints Commissioner (HCC) these Offices will confirm first that the
Department has had the opportunity to respond directly. However if an
individual is unsatisfied with the Department’s response, they can escalate
their complaint to OVIC or HCC.
For more detail on the privacy complaints process, see: Make a privacy complaint
- Health Records Act 2001
- Privacy and Data Protection Act 2014
For further details, see: