Legislation regarding the collection and handling of personal information in the public sector and information relating to health in both the public and private sector, aims to ensure the responsible handling of private and sensitive information collected by schools from pupils, parents and staff.
Schools collect a variety of information from pupils and parents, teaching and non-teaching staff, businesses and other people who work in schools as volunteers or on a contractual basis.
When a child is enrolled in school, parents or guardians are asked to provide personal and health information about the child. This information may include the home address, contact details, relationship status, financial status, medical history, and family history including, custody and access arrangements of the child. The parents or guardians provide this information to the school on an express or implied understanding that it remains confidential and is not disclosed to others.
At the federal level, the Privacy Act 1988 (Cth), Privacy Amendment (Private Sector) Act 2000 (Cth) and the Privacy Amendment Act 2004 (Cth) deal with privacy protection issues by both government and non-government agencies.
In 2012, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) made significant changes to the Privacy Act 1988 (Cth)). These changes commenced on 12 March 2014. The Privacy Regulation 2013, made under the Privacy Act, also commenced on 12 March 2014. The Privacy Act now includes a set of 13 new harmonised privacy principles that regulate the handling of personal information by Australian Government agencies and some private sector organisations. These principles are called the Australian Privacy Principles (APPs). They replace both the Information Privacy Principles that applied to Australian Government agencies and the National Privacy Principles that applied to some private sector organisations.
The Office of the Australian Information Commissioner provides simple information about the changes to the Privacy Act. The information is available at: www.oaic.gov.au/privacy/privacy-act/privacy-law-reform.
In Victoria, two Acts cover how this information is handled. The Information Privacy Act 2000 (Vic) deals with collection and handling of personal information (except health information) in the public sector. The Act provides rights to individuals to access and correct their personal information, and applies to all Victorian state schools and their funded service providers.
The Health Records Act 2001 (Vic) deals with personal information relating to health in both the public and private sectors. Both government and non-government schools are obliged to abide by the provisions of the Act, which appears to protect all identifying information about the health and disability of staff and students, their medical conditions and treatment. (For general information on privacy issues, see Privacy and your rights).
The common law does not specifically provide a right to “protection of personal information”; instead, it protects individual reputations under the general principles of defamation law (see Defamation and your rights). If a school, through its employees, discloses confidential information about any individual without reasonable defence, and the individual’s reputation is damaged by such a disclosure, a case of defamation can be framed against the school. DET can be vicariously liable for the negligent disclosure of the information by its employees if they acted within the scope of their employment.
Confidential information may be disclosed when specific legislation allows or requires it to be disclosed (see The Children’s Court).
At this stage it is not clear whether a child under the age of 18, who provides information to their teachers in confidence, has the right either to have that information withheld from their parents or guardians, or to sue their school or teachers for damages if that information is disclosed. However, the case of MT v Director General, NSW Department of Education & Training  NSWADT 194 shows how educational institutions unintentionally can breach privacy principles enshrined in state and Commonwealth legislation. In this case a teacher had wrongfully disclosed personal information regarding the medical condition of a student to the soccer club for which she was due to play a grand final match.
For more information about privacy, contact the Victorian Information Commissioner (see “Contacts”).
The Victorian Health Complaints Commissioner (see “Contacts”) administers the Health Records Act and receives complaints relating to interference with health privacy, including access to health information.