Information and Privacy

Purpose of this policy

To ensure schools maintain privacy of information.


Schools must:

  • adopt the Department's Schools' Privacy Policy (this can be achieved by creating a link to the policy on the school's website)
  • abide by legislative privacy requirements in relation to how personal and health information is collected, used, disclosed and stored
  • be reasonable and fair in how this information is treated, not only for the benefit of staff and students, but also to protect the school’s reputation
  • abide by freedom of information requirements - for details, see: Freedom of Information

Note:  The school’s privacy policy must be provided to anyone who requests a copy.


Victorian privacy law applies to all staff, service providers (contractors) and agents, (whether paid or unpaid) of the Department, and covers student records, staff files and information held by the Department and all government schools. 

The Privacy and Data Protection Act 2014 applies to all forms of recorded information or opinion about an individual who can be identified, including photographs and emails.  It establishes standards for the collection, handling and disposal of personal information and places special restrictions on ‘sensitive information’ such as:

  • racial or ethnic origin
  • political views
  • religious beliefs
  • sexual preference
  • membership of groups
  • criminal record.

The Health Records Act 2001 establishes standards for the collection, handling and disposal of health information including a person’s

  • physical, mental or psychological health
  • disability.

Health information can also include access to health services and the nature of these services; however this type of information does not have to be recorded to be classified as health information.

Objectives and principles

The objectives of privacy laws are to:

  • balance the public interest in the free flow of information while protecting personal and health information
  • empower individuals to manage, as far as practicable, how personal and health information is used and disclosed
  • promote responsible, open and accountable information handling practices
  • regulate personal information handling by applying a set of information privacy principles.

Information privacy principles create rights and obligations about personal and health information; however these only apply when they do not contravene any other Act of Parliament.  In most cases there will be no contradiction as the relevant action falls within one of the exceptions within the information privacy principles.  

School compliance strategies

Some strategies school can implement to ensure compliance with the privacy legislation include:

  • nominating a person to manage and review the school’s privacy practices
  • conducting a privacy audit to determine what information the school collects, how information is used and with whom information is shared
  • examining data security arrangements
  • ensuring all staff, including volunteers, are aware and compliant with the Schools' Privacy Policy and supporting documents
  • treating all privacy complaints in the strictest confidence and seeking advice from the Privacy team as needed, on (03) 8688 7967 or

Privacy exemptions

Personal and health information can be disclosed for a purpose other than for which it was collected and without the person’s consent when the disclosure is:

  • necessary to lessen or prevent a threat to life, health or safety
  • required, authorised or permitted by law or for law enforcement purposes
  • used for research or compilation of statistics in the public interest, in certain limited circumstances.  Any research in schools must be first approved by the Office for Policy, Research and Innovation.

See: Conducting Research   

Privacy and duty of care

Privacy laws recognise and permit schools collecting, using and disclosing information so that they can comply with their duty of care to students.  A key element of duty of care is that the processes and procedures used are documented and records kept.

SeeDuty of Care   

Privacy and parents/guardians

To assist decision making about a student’s needs, schools inform parents/guardians of the student’s academic progress, behaviour, educational options or special educational requirements.

Privacy laws do not restrict this use of the information, as this is the purpose for which it is collected.

Court orders

Unless a court order is made under the Family Law Act, both parents of a student have the same rights to access information about the student. See: Decision Making Responsibilities for Students 

Enrolment information

Schools must:

  • provide a privacy collection notice with the enrolment form explaining to the parents and student why this information is being collected, what it is used for, where it might be disclosed and how they can access information held about them
  • only use the information collected during enrolment for the purposes that it was collected for.  Disclosure for an unrelated purpose requires parental consent or in the case of a secondary student the content of the parent and student, unless the circumstances fall within one of the above privacy exemptions.

See: Admission

Health information

Health related information can be kept confidential by the principal, or shared with:

  • selected staff to the extent they need to know to care for the student, or

  • all staff when they need to know in case of emergencies.

See: Privacy on a page for student health and wellbeing staff

Note 1: Counselling services are health services and records are confidential health records.  Confidentiality of information disclosed during a counselling session must be maintained unless the student provides consent or the situation falls into a privacy exemption category.

Note 2: Career counselling is not a health service.

See: First Aid Needs


Transferring student information between Victorian government schools is allowed when:

  • parents/guardians are informed of the process
  • schools meet the Department’s standards in transferring files.

Access to information

The privacy laws do not change the individual’s right to access their information that is held by a government school. The individual’s right to access remains via a request made under the Freedom of Information Act 1982.

Privacy legislation encourages organisations to be open and transparent about what personal and health information they hold about individuals. When it is appropriate schools can provide individuals with informal access to their own personal or health information.  However, the person seeking access should make a request under the Freedom of Information Act 1982 if records hold information:

  • provided by a third party
  • that identifies a third party or
  • that may cause harm to the individual or others.

See: Freedom of Information


Individuals are able to raise a complaint about the handling of their own personal information, or the personal information of a child for which they have parental or carer's rights.

When a complaint is made to:

  • a school, the principal should attempt to resolve the matter. If needed, regional complaints staff or the Department's Privacy Team can provide the principal with assistance. In all cases, the Privacy Team should be notified of complaints on (03) 8688 7967 or  
  • to a regional office, they will refer the complaint to the Department's Privacy Team for response.

If a complaint is made to the Office of the Victorian Information Commissioner (OVIC) or the Victorian Health Complaints Commissioner (HCC) these Offices will confirm first that the Department has had the opportunity to respond directly. However if an individual is unsatisfied with the Department’s response, they can escalate their complaint to OVIC or HCC.

For more detail on the privacy complaints process, see: Make a privacy complaint

Related policies

Related legislation

  • Health Records Act 2001
  • Privacy and Data Protection Act 2014

Department resources

For further details, see: