Privacy and Information Sharing

Privacy impact assessments

What is a privacy impact assessment?

A privacy impact assessment (PIA) identifies and assesses the privacy impacts of any initiative, project or software that handles personal, sensitive or health information.

Conducting a PIA helps schools identify privacy and security risks, evaluate compliance with the Victorian Privacy and Data Protection Act 2014 and Health Records Act 2001, and document what actions are required to mitigate any identified risk. This also helps schools identify important information to include in parent notifications to ensure parents are better informed.

Privacy law requires all of us to take reasonable steps to implement practices, procedures and systems to protect personal and health information and handle it appropriately. By doing a PIA and building in privacy requirements in initial stages, the school can demonstrate this to parents and, if necessary, the Victorian Information Commissioner and Health Complaints Commissioner.

Schools should consider conducting PIAs for:

  • any third party software (free or purchased) used in the school that handles personal, sensitive or health information, particularly for third party software that is considered high risk or
  • any existing process, project or software that is modified in a way that changes how personal, sensitive or health information is handled. If a PIA was completed previously, then this may need to be reviewed and updated.

The Department’s Privacy Team can support schools to conduct a PIA.

Key terms

Personal information
Personal information is recorded information or opinion, whether true or not, about a person whose identity is apparent, or can reasonably be ascertained, from the information. The information or opinion can be recorded in any form. A person's name, address, phone number and date of birth (age) are all examples of personal information.

Sensitive information
Sensitive information is a type of personal information with stronger legal protections due to the risk of discrimination. It includes information or opinion about an identifiable person’s racial or ethnic origin, political opinions or affiliations, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, or membership of a trade union.

Personal and sensitive information is regulated in Victoria under the Privacy and Data Protection Act 2014 (Vic).

Health information
Health information is information or opinion about an identifiable person’s physical, mental or psychological health or disability. Health information is a type of personal information which, because of its sensitivity, also has different and stronger legal protections.

Health information is regulated in Victoria under the Health Records Act 2001 (Vic).

Note: De-identified information about individuals can become personal information if it is re-identified or if it is at high risk of being re-identified, for example, if it is released to the public or is a small sample size.

Third party software is software or an online service purchased from a third party, including Department brokered software such as Google’s G Suite, but excluding Department-owned software or systems e.g. CASES21, SOCS.

Conducting a PIA

When to use the PIA template

When procuring new third party software (regardless of whether it is free or purchased), schools should consider completing the PIA template as part of their procurement process. At a minimum, the PIA template should be completed for all third party software that is identified as high risk.

Software may be high risk where it:

  • handles sensitive or health information about students, parents or staff
  • handles photos or videos of students
  • offers cloud storage with limited security or allows insecure access through the internet or mobile devices
  • has certain kinds of functionality: remote access, video or teleconferencing, unmoderated or unsupervised chats
  • allows users to share content publicly
  • is new and relatively unknown software that handles personal information.

Pre-populated PIAs have been developed for systems commonly used in schools which can be tailored to meet your school’s circumstances. Find these at: Pre-populated PIAs (login required).

Schools do not need to complete a PIA or security assessment for systems provided by DET if intending to use the system in prescribed ways. A list of these systems can be found at: FUSE DET Software Suite.

If unsure about whether a PIA template is needed, please contact the Privacy team.

How to use the PIA template

Download the PIA template (login required).

The PIA template consists of:

  • Risk Identification (Part 1)
  • Action Plan (Part 2) and
  • Endorsement (Part 3).

Note: For a small number of PIAs, an implementation checklist will be provided which can replace the Action Plan (Part 2 of the PIA template).

Supporting resources can be found in the PIA Appendices.

Risk identification

Part 1 of the PIA template is an analysis of the proposed software or system against the 10 Information Privacy Principles (login required) at each stage of the information life cycle (collection to disposal).

Things to consider at each stage of the information life cycle:

  • Prior to or at collection: The type of information collected – Is it necessary? Is it a new collection or existing information? Is a new collection statement or consent needed?
  • Use and disclosure: Does the use and disclosure of existing information fit with the original collection purpose? Is there a reasonable expectation of the use and disclosure? Is consent needed? Who will the information be disclosed to? Do similar privacy protections apply if there are information flows outside Victoria?
  • Holding and storage: How can the currency and quality of personal information be assured? What safeguards will protect against misuse, loss, unauthorised access, modification or disclosure? What procedures enable individuals to access and correct their information?
  • Disposal: Do any mandatory retention periods apply by law? How will information be destroyed or permanently de-identified?

For help in understanding risk identification, please contact the Privacy team.

Action Plan

In Part 2 of the PIA, the school will:

  • identify privacy risks which need to be addressed
  • determine the risk rating for each risk based on processes currently in place
  • specify the further action required to reduce the risk rating to an acceptable level, the responsible person/area and the timeframes for completion.

The PIA template contains a list of suggested privacy risks and actions. However, these are not exhaustive and must be amended, deleted or added to in order to ensure that the Action Plan is relevant for the school and the proposed project or software.

Endorsement

In Part 3 of the PIA, the principal endorses and accepts responsibility for the mitigation actions and residual risk described in the PIA.

  1. After the Privacy Officer has advised that the PIA is ready for signing, the principal must review Part 1 and Part 2 before signing Part 3.
  2. The staff responsible and Privacy Officer also sign Part 3.

After the PIA is signed

  • Send a copy of the signed PIA to the Privacy team. Principals may also share a copy of the PIA with the school council if they wish.
  • Keep the signed PIA with other project documentation (e.g. security assessments and contracts).
  • Provide updates to the Privacy Officer at the end of each proposed timeframe until all Action Plan items are completed.
  • The PIA is a live document, and the staff responsible should record any additional actions taken after the PIA template is signed. This can be done by adding pages after Part 3.
  • The PIA may need to be updated if new privacy risks arise from project or software changes.

Privacy matrix

Purpose

The privacy matrix is a high level summary of all third party software in a school which handles personal, sensitive or health information. It can be used separately from, and in addition to, the PIA template.

When the privacy matrix identifies high-risk software, schools should complete the PIA template for that software to ensure that the risks are fully identified and mitigated. For example, third party digital software that handles a lot of student information tends to be higher risk, so a school should complete a PIA template for it.

The information in the matrix helps schools streamline privacy notifications to parents. Schools can use content from the matrix to create their notifications for online services (sometimes known as digital learning statements or an online services statement) and publish this notification on their website. This will keep current and prospective parents informed of systems in use at the school.

How to use the privacy matrix

Download the privacy matrix (login required).

  1. List all third party software (purchased and free) used in the school that handles personal, sensitive or health information.
    To help with step 1, schools can ask their specialist technicians for the school’s ICT inventory, and refer to the software listed in item 7 ‘Software Licensing’. Please note that not all software listed in the ICT inventory handles personal information and there may be free software used by the school that is not listed.
  2. Populate the rest of the matrix by following the instructions included in the matrix.
  3. Send the completed privacy matrix to the Privacy team at privacy@education.vic.gov.au for review. The Privacy team can advise what additional actions may be required, for example which software requires a PIA template to be completed.
  4. Update the privacy matrix each time new software is introduced in the school and ensure that the notification to parents is similarly updated. The privacy matrix should be reviewed regularly, for example, annually.

Reviewed 28 March 2024
