Legal matters: Schools and data privacy

Schools collect and receive personal and sensitive information on a daily basis. What are the legal requirements for managing and using this data? Teacher asked three legal experts.

Much of the personal and sensitive information collected by schools is, of course, essential to their day-to-day running.

This information can relate to students, parents and guardians, job applicants, staff members, volunteers and contractors, and others who come into contact with the school.

Following significant changes to the Privacy Act 1988 (Act), which took effect from 12 March 2014, schools need to consider how they use and manage such information, so as to avoid significant penalties.

What is 'personal information'?

It is important for schools to understand the definition of 'personal information'. Previously, for information to be considered personal it had to identify the individual concerned, or make their identity apparent or reasonably ascertainable.

Following changes to the Act, a broader definition now applies. Personal information now includes information about an individual which, when combined with other information (which may not be controlled by the same entity), identifies an individual or renders the individual reasonably identifiable.

Therefore, to ensure compliance with the Act, it is important for schools to understand what type of information is considered personal information and is therefore subject to the Act.

Information that falls within the definition of personal information includes:

  • full name;
  • contact details;
  • birth certificate;
  • school reports; and
  • education details.

Information that is collected by a school that is of a more personal nature falls within the definition of 'sensitive information'. If sensitive information is collected by a school, the school must comply with stricter rules relating to the use and disclosure of that information.

Sensitive information includes information about:

  • race or ethnicity;
  • political opinions and/or memberships;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • memberships of a professional or trade association;
  • sexual orientation;
  • health records;
  • tax file numbers; and
  • criminal records.

Australian Privacy Principles

In addition to expanding the information that is caught by the Act, changes to the Act also introduced 13 new Australian Privacy Principles (APPs). Any business that has one of the following characteristics is now subject to the APPs:

  • a business with an annual turnover of more than $3 million;
  • a Federal Government agency;
  • a provider of a health service (regardless of turnover);
  • a business that is in receipt of payment for collecting or disclosing personal information (regardless of turnover); and
  • a provider of contractual services to the Commonwealth, including all Federal Government contractors (regardless of turnover).

Therefore, all private schools are generally covered by the Act, meaning that they must comply with the APPs. Although public schools are not covered by the Act, they will be subject to state or territory privacy laws.

Whilst it is important for schools to have a detailed understanding of all of the APPs, the following provides an overview of the particularly pertinent aspects.

APP 3: collection of personal information

Pursuant to this APP:

  • A school must only collect personal information if that information is reasonably necessary for one or more of the school's activities, for example providing schooling to the student.
  • A school must only collect personal information from the individual to whom the information relates, unless the individual consents to information being collected elsewhere, or it is unreasonable or impractical to obtain consent, for example, if dealing with a minor. Consequently, if a school is dealing with older students (for example, students in Years 10-12) it is important that the school obtains that student's consent in circumstances where a parent or guardian signs a document on behalf of the student that discloses personal information. Such consent can be obtained when the student enrols at the school.
  • If a school collects sensitive information, it must only do so with the consent of the individual.

APP 4: unsolicited personal information

Information will be unsolicited if it has not actively been acquired by a school; for example, if the information was not acquired directly from the individual or requested from a third party. If a school could not have collected the information in accordance with APP 3, the school must destroy or de-identify the information as soon as possible.

APP 5: notification of collection of personal information

A school must take reasonable steps to notify the individual of the collection of the information and refer the individual to the school's privacy policy to ensure the individual is aware of how the information will be used.

APP 6: use and disclosure of personal information

A school can only use and disclose personal information for the purpose for which it was collected. It can be used for a secondary purpose only if the individual consents.

To ensure compliance with the APPs, schools should implement procedures which reflect the requirements set out in these APPs and the school's privacy policy.


The reforms give the Australian Information Commissioner increased enforcement powers, which include, but are not limited to, the power to: impose civil penalties in the case of serious or repeated breaches of privacy (up to $340 000 for an individual and $1.7 million for a corporation); impose criminal penalties; and/or conduct assessments of privacy performance for both Australian government agencies and businesses.

So, what do schools need to do?

Given the significant penalties for breaching the Act, participants in the education sector must (if they have not already done so):

  • implement a complying privacy policy;
  • review and update practices, procedures and systems relating to the way in which they collect, manage and use personal information to ensure compliance with the Act; and
  • educate staff on the privacy obligations imposed upon the school and ensure that they are familiar with, and comply with, the school's privacy policy.

If you would like more information about your obligations under the Act, please contact Joanne D'Andrea or Nicole Stornebrink via

Does your school have a privacy policy?

When was the last time it was reviewed?

Are all staff aware of the requirements of the school privacy policy?