VIC.GOV.AU | Policy and Advisory Library

Policy last updated: 11 July 2025

Scope: Schools

Date: January 2020

Policy

This policy provides privacy and information sharing guidance to ensure schools follow the Schools' privacy policy when collecting, using, sharing and managing personal and health information.

Summary

  • All schools must adopt and follow the Schools' privacy policy and include a link to it on their school’s website.
  • Following the policy will ensure schools comply with current privacy legislation and departmental policies.
  • Information on how to implement the policy is available in the Guidance tab.
  • Advice for when information can and must be shared for the wellbeing or safety of children, or to assess or manage family violence risk can be found on Child and Family Violence Information Sharing Schemes.

Details

The Schools' privacy policy is a departmental policy which applies to all schools.

All schools must:

  • adopt and follow the Schools’ privacy policy
  • include a link to the policy on their school’s website
  • remove any previous, individualised privacy policies from their website.

In some cases, school staff can and must share personal information to promote the wellbeing or safety of children, or to assess or manage family violence risk.

Advice on sharing information of this nature is available at Child and Family Violence Information Sharing Schemes.

Definitions

Personal information
Personal information is recorded information or an opinion about a person who is identified or could be reasonably identified.

It will be considered personal information regardless of whether it is true or not.

Examples of personal information include a person’s:

  • name
  • address
  • phone number
  • date of birth and/or age.

De-identified information about individuals can become personal information if it is re-identified or re-identifiable. For example, if a sample size is very small or enough separate facts about a person are provided then their identity could be guessed.

Sensitive information
Sensitive information is a type of personal information. It has stronger legal protections due to the risk of discrimination.

Sensitive information includes information or opinion that relates to a person’s:

  • racial or ethnic origin
  • political opinions or affiliations
  • religious beliefs or affiliations
  • philosophical beliefs
  • sexual orientation or practices
  • criminal record
  • membership of a trade union.

Personal and sensitive information is regulated in Victoria under the Privacy and Data Protection Act 2014 (Vic).

Health information
Health information is a type of personal information. The sensitive nature of this information means that it has different and stronger legal protections.

Health information is information or opinion about an identifiable person’s:

  • physical health
  • mental or psychological health
  • disability.

Health information is regulated in Victoria under the Health Records Act 2001 (Vic).

Relevant legislation


Guidance

Guidance on privacy and information sharing

Adopting and following the Schools’ privacy policy enables schools to meet their legal obligations.

By implementing the policy and good privacy practices, schools can protect individuals’ personal and health information. This also helps schools to maintain trust with parents and students.

When the term ‘school staff’ is used, it includes:

  • contractors
  • service providers
  • volunteers of the department
  • all Victorian government schools.

All school staff share the responsibility and obligations of protecting privacy.

Guidance topics

  • How to implement the Schools' privacy policy
  • Collection notices
  • Consent
  • Photographs, filming and recording
  • Sharing information
  • Privacy impact assessments
  • Health information
  • Biometric information and technologies
  • Information security
  • Privacy incidents
  • Complaints

How to implement the Schools’ privacy policy

Schools must include a link on their public facing website to the department’s Schools' privacy policy.

Step 2 – share supporting information with staff

Send staff a link to the guidance Implementing the Schools' privacy policy. The guidance will help staff understand what they need to do when collecting, sharing and using personal information.

Step 3 – share supporting information with the school community

Send the school community a link to the Schools' privacy policy: information for parents. This resource helps parents and carers understand how the school handles their information. It also includes translations for culturally and linguistically diverse communities.

Step 4 – share the Schools’ privacy collection notice

During the enrolment process schools must provide parents and carers with a link to the Schools' privacy collection notice.

Schools must also provide a link to the collection notice annually in Term 1, as part of regular privacy reminders.

For guidance on this process, refer to Collection notices.


Collection notices

It is important that schools are transparent and communicate with students and parents about how their personal information will be handled. A key way the department and schools do this is by providing collection notices.

A collection notice is a plain language statement that explains:

  • what information is being collected
  • why it is needed
  • how the information will be managed.

Schools’ privacy collection notice

The main collection notice used in schools is the Schools’ privacy collection notice. It explains why schools need to collect and use information to carry out core functions.

Schools must share a link to the Schools’ privacy collection notice:

  • during the enrolment process
  • annually as part of the school’s privacy reminders.

Schools must do both to meet their privacy obligations.

Annual privacy reminder (all students)

At the start of each year in Term 1, schools must send a privacy reminder to the school community. These should be included in the first or second school newsletter, or through usual communication channels.

The privacy reminder supports schools to make sure all parents and students continue to understand how their personal information is handled. This helps schools comply with the Privacy and Data Protection Act 2014 (Vic).

Privacy reminders must include links to the:

It is recommended that schools use the Privacy reminder newsletter template (DOCX 72 KB) (staff login required), either included in their school newsletter or sent as a stand-alone notice.

Notifications for software and new technology use

When schools adopt new software that collects or stores personal information, they are encouraged to inform their school community as part of implementation. This helps avoid surprises and is part of good privacy practice.

If opt-in consent is required, then notice is required to support informed consent.

Schools can use the Notice – new software template (DOCX 55 KB).

Alternatively, schools can publish or annually communicate a list of all the software they use that handles personal information. This list is known as a digital learning statement. Schools can use the Notice – software in our school template (DOCX 58 KB).

For more information on consent and technology, read the guidance on Consent.

Other collection notices

If school staff collect personal information for activities not covered by the schools’ privacy collection notice, or a software collection notice, they may need to create a separate notification. This separate notification must then be sent to parents and carers. An example might include a school collecting personal information for fundraising.

A collection notice must include:

  • the name and contact details of the organisation collecting the information
  • the purpose for collecting the information
  • any individuals or organisations the information might be shared with
  • a statement about the person’s right to access to the information collected about them
  • any law(s) requiring the collection of the information
  • what happens if they don’t provide all or part of the information.

Collection notices used by schools must be written in plain language. Schools can create collection notices using the Collection notice generator (DOCX 76 KB) (staff login required).

In some cases, a collection notice alone isn’t sufficient and explicit consent might be required. Refer to Consent.

For advice on collection notices, email the Privacy team at privacy@education.vic.gov.au


Consent

Consent means someone giving permission for their personal information to be collected, used, and/or shared. In schools, this is often a parent or carer on behalf of a child.

Schools and the department must ask for consent in certain circumstances. For example, consent is generally required for the collection, use or disclosure of health information (unless one of the exemptions under privacy law applies, such as to lessen or prevent a serious threat to someone’s life, health, safety or welfare).

There are some exceptions in privacy law that allow the department and schools to use or disclose personal information without consent, such as sharing with a law enforcement agency to help an investigation. The department and schools are also able to share personal information through both the Child Information Sharing Scheme (CISS) to promote the wellbeing or safety of children and the Family Violence Information Sharing Scheme (FVISS) to assess or manage family violence risk.

More information is also available in the Schools' privacy policy.

When giving consent, the person must have the capacity to consent. Therefore, consent is usually gained from parents, carers or mature minors.

For consent to be valid, it must be:

  • informed: the person or their parent/carer can understand what they are agreeing to
  • specific: it is clear what the consent is for
  • current: it applies to the situation right now
  • voluntary: the person, parent or carer agrees to it freely.

This is especially important when the subject matter or content is sensitive.

Schools must ask for consent again if they want to use or disclose personal information in a way that is different from the primary purpose it was collected or a reasonably expected secondary purpose.

For most purposes, schools must obtain consent through either an opt-in or opt-out process:

  • Opt-in consent is when the person actively gives permission.
  • Opt-out consent assumes the person has consented unless they take active steps to say no.

Common examples of activities that require consent include:

  • implementing new software
  • photographing and recording staff and students for non-standard school functions
  • research in schools.

When to use opt-in

Opt-in consent must be used when the activity or software collects:

  • health or wellbeing information
  • photos
  • other sensitive information.

Sensitive information can include things such as cultural background and sexual orientation.

Opt-in consent is also advised for any activity or software that has aspects that could increase privacy risk, such as group chats or publishing material online.

When to use opt-out

Opt-out consent can be used when minimal personal information is being collected or used for a school purpose.

This includes software, such as apps, that only requires name and year level.

There are specific purposes where the department can collect and manage personal information without specific consent. These are described in the Schools’ privacy policy and Schools' privacy collection notice.

As a summary, the specific purposes include:

  • educating students
  • supporting students’ health or social and emotional wellbeing
  • fulfilling legal obligations, including duty of care, anti-discrimination law and occupational health and safety law
  • communicating and engaging with parents
  • undertaking student administration and school management
  • same-day notification of unexplained absences.

There are also some exceptions in privacy laws that allow schools to use or disclose information without consent. These include:

  • when necessary to lessen or prevent serious harm
  • as required for law enforcement purposes.

For advice on sharing personal and health information, including for child safety, refer to Sharing information.

If you require more information on when an exemption may apply, please email the Privacy team at privacy@education.vic.gov.au

Implementing software and new technology in schools

When implementing new software and new technology, schools must consider whether consent is needed for use of the software. If consent is needed, schools will need to identify whether it is an opt-in or opt-out consent situation.

Consent and artificial intelligence

When using new technology such as artificial intelligence (AI), schools should act with caution, as the privacy risks may not be obvious.

A common type of AI is generative AI. Generative AI tools can produce various types of content such as text, imagery, audio and other synthetic data.

Personal information must not be uploaded to generative AI tools. Parents should have the option to opt their child out of using AI tools or having their information stored in them.

For more guidance on the use of generative AI tools, refer to the Generative Artificial Intelligence policy.

For further advice on consent for use of software, contact the Privacy team by emailing privacy@education.vic.gov.au

For guidance on informing parents and gaining consent, refer to Collection notices.

Conducting research in schools

All research conducted in schools requires consent from participants. For any student under the age of 18, consent must be sought from parents/carers.

This applies to both research conducted or commissioned by the department and research conducted by external researchers.

If the research involves photographing or filming, the researcher must ensure specific consent is gained.

For the department’s policy, refer to Research and Evaluation in Schools.

Cover letter and consent form templates for external research are available for schools. Refer to:


Photographs, filming and recording

Photos, videos and other recordings of a person are types of personal information and as such are protected by privacy law and sometimes by copyright law.

The main things to consider when taking or sharing photos are consent, context and risk.

There are 2 policies that cover photos, videos and recordings:


Sharing information

School staff can share personal and health information of students, staff and others to carry out school and department functions or related purposes.

Information sharing can also occur in other limited circumstances, such as when there is a risk to health and safety.

‘Need to know’ framework

All staff can, and must, share information about students, staff and others on a ‘need to know’ basis. This means that staff only share information necessary for them to do their job that doesn’t breach the privacy rights of the individual.

It can also be shared for secondary purposes that would be reasonably expected by the person whose information is being shared.

For more information on primary and secondary purposes, refer to the Schools' privacy policy.

Sharing information helps schools and the department to:

  • educate students by planning for individual needs and addressing barriers to learning
  • support the students’ social and emotional wellbeing and health at school
  • fulfil legal obligations towards students and the community.

Examples of the ‘need to know’ framework in practice are available at the end of this guidance chapter.

Student information

Sharing information about students

Under the framework, staff can share student information with other school staff and relevant members of the department.

The ability to share information allows the school to:

  • provide for and support the student’s education
  • support the student’s social and emotional wellbeing and health
  • reduce the risk of reasonably foreseeable harm to students, staff or visitors (duty of care)
  • make reasonable adjustments for the student’s disability (anti-discrimination law)
  • provide a safe and secure workplace (occupational health and safety law).

Sometimes schools can legally share information with others outside the school or the department.

These situations include when:

School transfers

When a student has been accepted at, and is transferring to or from, one school to another, the current school will send the student’s information to the new school. This includes students transferring from any Victorian government, non-government and/or interstate school.

The information shared can include copies of the student’s school records, including any health, wellbeing or safety related information.

Parental consent isn’t required to transfer this information between Victorian government schools. It is required when the student is transferring to or from a Victorian non-government school, including Catholic schools or interstate schools.

However, information sharing frameworks such as the Child and Family Violence Information Sharing Schemes allow for information sharing without consent where it is to promote the wellbeing or safety of children or to assess or manage family violence risk. Privacy laws also allow the department and schools to share information without consent when it is necessary to lessen or prevent a serious threat to an individual’s life, health, safety or welfare.

For guidance on transferring student information refer to our guide on Enrolment – Student transfers between schools.

Duty of care

School staff have a duty of care to students. All staff working with students must take reasonable steps to minimise the risk of reasonably foreseeable harm to students.

Staff must share pertinent information about students to enable other staff to take steps to reduce the risk of harm.

This could include sharing information about a student’s:

  • behaviour
  • disability
  • family circumstances.

Staff can also share other information relevant to managing the risks, such as information in safety plans.

For example, staff must tell the principal (or other member of the school leadership team) if there is a reasonably foreseeable risk to anyone because a student:

  • displays violent behaviours
  • is a victim or perpetrator of bullying, assault or age-inappropriate sexualised behaviours
  • has emotional, wellbeing or self-harm issues.

The principal can then share relevant information using the ‘need to know’ framework. This might include sharing information with other staff who work with or supervise the student in some capacity.

As soon as a school staff member becomes aware of a risk of harm to any student, they must act on that information. They must share the information with other staff who ‘need to know’, even if the student or parent asks them not to share that information.

For more information, refer to Duty of Care.

Anti-discrimination law

Under anti-discrimination law, schools must make reasonable adjustments for students with disabilities. This applies regardless of whether a student is eligible for disability funding.

This means that relevant information about a student’s disability and their needs must be shared with all staff who work with or supervise that student.

Sharing of this information allows the school and staff to:

  • understand the student’s disability and how it affects their learning, and social and emotional wellbeing
  • understand all recommendations made by the student’s treating practitioners
  • make informed decisions about what adjustments are reasonable
  • implement the reasonable adjustments at school.

Sharing information may also be required to meet the duty of care to that student. For example, if a student has a medical condition and may need treatment at school.

‘Need to know’ examples

Here are some examples of when school staff should share information with other staff who ‘need to know’. Sharing of information helps schools to provide the best education and support to students while also meeting legal requirements.

These examples don’t describe all steps needed to fulfil legal obligations. Instead, they focus on the appropriate amount of information sharing required for staff to take the necessary steps.

In most cases, schools would need to take steps in addition to sharing information, such as:

  • offering wellbeing supports
  • sharing information and working with parents and carers
  • reporting to relevant agencies and the department's Incident Support and Operations Centre (ISOC).

For guidance on dealing with incidents, refer to Managing and Reporting School Incidents (Including Emergencies).

Student displaying anti-social behaviour

A social worker is working with a student who is displaying anti-social behaviours and acting out.

Over several sessions the social worker learns the student often does dangerous things during lunch, such as climbing onto the school roof and jumping into the sandpit. The social worker tells the principal who then informs all staff due to the level of risk. This helps staff to make sure the student and others stay safe.

Refer to Student Support Services for information on how social workers support schools in assisting students facing barriers to learning.

Student with diagnosis of autism spectrum disorder with sensory sensitivity

A student with a diagnosis of autism spectrum disorder (ASD) experiences sensitivity to loud noises. The schoolyard is often quite noisy during lunchtime.

On a few occasions, the school has found the student trying to leave the school grounds. The student told staff that they were trying to go to the park across the road from the school where it is quieter for them.

The principal tells all school staff about this. This information helps staff to understand the situation and how to help if the student tries to leave without permission. As a result, staff have all the necessary information to keep the student safe.

For guidance on ways to support students with disability, refer to Students with Disability.

Student displaying problematic sexualised behaviour

A student has engaged in age-inappropriate sexualised behaviour with younger students. The school develops a safety plan to ensure the safety of all students.

The principal provides the safety plan to staff who undertake yard duty. These staff ‘need to know’ about the plan so they can take appropriate steps to protect students.

For further guidance, refer to Student Sexual Offending and Problem Sexual Behaviour.

Student victim of sexual assault

A student informs a social worker that they were sexually assaulted on the weekend by another student. The social worker advises the principal and they inform the relevant authorities.

The social worker and the principal develop a safety plan for the student who reported the assault. The staff also prepare a management plan for the other student involved and offer counselling support. The principal shares each plan with all staff who supervise the students to make sure the students are safe and supported at school.

For further guidance, refer to Student Sexual Offending and Problem Sexual Behaviour.

Student experiencing family violence

A student tells a Visiting Teacher (VT) that there is family violence in their home. The VT advises the principal that they have a reasonable belief that the student is at risk of physical abuse.

Together they make a mandatory report as outlined in Protecting Children – Reporting and Other Legal Obligations and Report child abuse in schools. The VT and principal share their concerns about the possible family violence with other staff who work with or supervise the student. This helps staff to continue to monitor the student and their safety.

For more guidance, refer to Family Violence Support.

Student who has attempted suicide

A student recently left the school grounds during school hours and attempted suicide at a nearby shopping centre. The student was taken to hospital and referred to mental health services for ongoing treatment.

The student’s mother informs the principal about the incident and asks the principal not to tell anyone else at the school. However, the principal decides to share this information with the wellbeing staff so that they can offer support to the student at school.

The principal also informs other staff who supervise the student so they can act quickly if the student goes missing during the school day. The principal explains the decision to the parent and the reasons for sharing the information.

For guidance on responding to an attempted suicide, refer to Self-Harm and Attempted Suicide Response.

Student with a diagnosis of severe language disorder

A speech pathologist receives a referral for a student from the school. The referral notes that the student seems to have limited vocabulary in the classroom based on the teacher’s observations.

After completing a language assessment, the speech pathologist diagnoses the student with a severe expressive language disorder and moderate receptive language disorder. They write a detailed report with recommendations to make reasonable adjustments for the student in class.

The report is given to the principal, who shares only the recommendations with the student's teachers. Additional details from the report aren’t shared unless necessary to implement the adjustments. The principal also sets up a process to share the student’s needs with any future teachers.

If other staff need to support the student, they access information about the adjustments. However, staff who don’t play a role in supporting the student won’t have access to the report or recommendations.

For information on how speech pathologists support schools, refer to Student Support Services.

Student with a diagnosis of conduct disorder

A parent gives the school a medical report showing their child has a diagnosis of conduct disorder. The report also includes recommendations for reasonable adjustments to help the student access their education.

The recommendations include:

  • de-escalation strategies
  • access to a calming space or wellbeing staff when necessary
  • modifications to the curriculum.

The student’s Student Support Group discuss the report and develop an Individual Education Plan (IEP). The principal gives the report recommendations and IEP to the student’s classroom teachers and wellbeing staff. This helps the school to implement the reasonable adjustments for the student at school.

For information about IEPs, refer to Individual Education Plans.

Staff information

Staff information must be shared using the ‘need to know’ framework to allow other staff to carry out their job. This may include sharing necessary information with the relevant school, regional or central office staff.

Examples include:

  • to recruit and pay staff
  • support their health and wellbeing
  • comply with the department’s legal obligations, policies and staff codes of conduct.

Privacy impact assessments

Overview

A privacy impact assessment (PIA) identifies and assesses the privacy impacts of any initiative or software that handles personal, sensitive or health information.

PIAs help schools identify privacy and security risks, evaluate compliance with Victorian privacy law and document ways to reduce risks. They also help schools identify important information to include in parent notifications.

When a PIA is needed

All software used by schools must meet child safety, privacy, records management and information security requirements.

A PIA is recommended if the school wants to use software not already provided by the department that:

Software may be high risk when it:

  • holds sensitive or health information about students, parents or staff
  • handles photos or videos of students
  • offers cloud storage with limited security or allows insecure access through the internet or mobile devices
  • allows remote access, video or teleconferencing, unmoderated or unsupervised chats
  • allows users to share content publicly
  • is a new and relatively unknown software that handles personal information.

For more information or clarification about whether a PIA needs to be conducted, please contact the Privacy team at privacy@education.vic.gov.au. By engaging with the Privacy team throughout the completion of the PIA, principals can make informed decisions when implementing software in their school.

For more information on requirements for school software, refer to the Technologies and ICT Services policy.

Before implementing any software, schools must refer to and follow the guidance in the Software and Administration Systems policy.

Conducting a PIA

The PIA template is best completed by the person in the school who is most familiar with the software or initiative. Vendors must not complete the PIA on the school’s behalf. However, staff can contact vendors to ask specific questions about security setup and functionality.

PIA templates

Pre-populated PIA templates are available for software commonly used in schools. Schools must adjust these and complete them to reflect how their school plans to use the software to meet their requirements.

Download the templates from Pre-populated PIAs (staff login required).

For other software, download the PIA template (DOCX 145 KB) (staff login required).

Completing the template

The PIA template consists of:

  • Part 1: Risk identification
  • Part 2: Action list
  • Part 3: Endorsement.

Part 1: Risk identification

Part 1 of the template is an analysis of the proposed software against the 10 Information Privacy Principles covering each stage of the information life cycle (collection to disposal).

Things to consider at each stage of the information life cycle:

  • Collection: What information is being collected? Is it all necessary? Is the school collecting new information or can existing information be used? Is a new collection statement or consent required?
  • Use and disclosure: Does the use and disclosure of existing information fit the original collection purpose? Is there a reasonable expectation of the use and disclosure? Who will the information be shared with?
  • Quality: How will the school keep the information current, accurate and complete?
  • Storage and security: How will the school keep the information safe? Is the data stored outside of Victoria and, if so, will similar privacy protections apply?
  • Disposal: Do any mandatory retention periods apply? How will information be returned, destroyed or permanently de-identified?

Part 2: Action list

Part 2 of the template is a list of actions the school must take to reduce any risks identified in Part 1. The department’s privacy team can help determine these in consultation with the school.

Part 3: Endorsement

Once Parts 1 and 2 are completed:

  1. Send it to the Privacy team to review. They may require changes before it can proceed.
  2. The principal’s endorsement is required once any changes are made. By signing the PIA, the principal accepts responsibility for the completion of the action list and any risks described in the PIA.
  3. Send the signed PIA back to a privacy officer who will also endorse it and acknowledge that the PIA has been completed in accordance with department policy and process.

It is important to note that the Privacy team don’t endorse any software. Instead, the Privacy team’s role is to review PIAs and offer recommendations and advice on ways to reduce risks.

Once the PIA is endorsed by all parties, schools must:

  • keep the signed PIA with other project documentation (for example, security assessments and contracts)
  • complete everything in the action list
  • record any additional actions taken after the PIA was signed by adding a page after the endorsement section
  • share a copy of the PIA with the School Council, if requested and with principal approval.

Privacy matrix

Some schools maintain a privacy matrix which is a list of all third-party software at their school that handles personal, sensitive or health information.

Using a privacy matrix is optional but it can be useful to help streamline notifications or communications to parents.

To start creating a privacy matrix, download the Privacy matrix template (XLSX 34 KB) (staff login required).

If help is required to complete the privacy matrix, please contact the Privacy team at privacy@education.vic.gov.au


Health information

Health information is a type of personal information and under Victorian law is defined as information or opinion about an identifiable person’s physical, mental or psychological health or disability. It has stronger legal protections because its inappropriate use and disclosure can cause greater harm to or discrimination against a person. Schools typically hold health information about students and other individuals.

Due to its high risk, extra steps must be taken to make sure the information has stronger protections in place. The exact levels of protection needed will depend on the circumstances.

Stronger or higher levels of protection may include:

  • implementing tighter access controls
  • getting valid consent
  • using contracts with third parties.

When managing health information, schools must only collect, use and store what's essential to fulfil the purpose of collection.

Types of health information records

Examples of records that may contain health information are:

  • Individual Education Plans, behaviour support plans and other learning or educational assessments
  • health care information provided by allied health professionals
  • Student Support Services (SSS) documentation and referrals
  • health practitioner reports provided by parents to the school
  • support plan forms that describe a student’s health and wellbeing
  • applications and assessments for disability supports funding
  • notes about student behaviour or wellbeing recorded in school systems
  • information about medical appointments that show or suggest specific services or conditions.

Parents' and carers' rights and responsibilities

Parents and carers:

  • must make sure the school has relevant health information about their child
  • may choose to limit the release of information about chronically ill or critically injured children who are not currently attending school.

Collecting, using and sharing health information in schools

Schools must collect, use, store and share health information in line with relevant laws and departmental policy.

Collecting health information

Schools may collect student health information as needed to carry out their core functions.

When collecting this information, schools must collect the minimum amount needed to do their job. School staff must always exercise sensitivity towards the family and student’s needs.

When a parent/carer or mature minor student wants to limit the sharing of information, schools must inform them of:

  • the school’s need to know the student’s health conditions and first aid requirements so plans for support can be in place
  • how the school protects their personal and health information.

For guidance when collecting information, refer to Collection notices.

Schools can also request relevant information from authorised services under the Child and Family Violence Information Sharing Schemes.

Using and disclosing health information

Schools’ use and/or disclosure of health information must be limited to when:

  • it is necessary to carry out school functions
  • it is needed to lessen or prevent a serious threat to a person or the public’s health, safety or welfare
  • a parent/carer or mature minor consents to the sharing of information
  • sharing information outside the department is required or authorised by law.

For example, if a parent or carer consents (unless the disclosure is required by law), a school can share observations (not interpretations) of a student's behaviour with the student's medical/health practitioner to help them monitor and plan the student's health care.

For guidance on sharing information with other staff visit Sharing information.

For guidance on disclosing student information externally, visit Requests for Information about Students.

Health professionals

Health professionals must disclose student personal and health information when needed to ensure a student’s health, safety or wellbeing.

They must not disclose this information unless:

  • parent/carer or mature minor consent is provided
  • they legally have to or are authorised to under relevant laws or information sharing schemes.

If schools need to share health information and are unsure if it is allowed, contact the Privacy team by emailing privacy@education.vic.gov.au

Storing health information

Health information must be stored securely and access limited to only those who require it for one of the purposes described in using and sharing health information.

When storing health information schools must:

  • minimise how much information is stored by only storing essential information or top-level summaries
  • take extra care when storing it by considering who has access and whether access can be restricted through system permissions or secure storage locations
  • document strict processes for granting and removing access to the information
  • regularly review access to the information to make sure only the right people have access
  • avoid keeping information for longer than needed in digital or physical systems.

In practice, this may look like:

  • writing a summary of a student’s adjustments, such as listing ‘requires noise reducing headset’ rather than ‘Autism Spectrum Disorder’
  • deleting or disposing of information after it is in an authorised recordkeeping system
  • making sure health information is stored in system locations that only authorised staff can access.

Where to store health information

Department systems such as CASES21, SOCS or HART are recommended for storing health information. A school’s administration server may also be appropriate. For more guidance, refer to Software and Administration Systems.

If a school needs to use third-party software to store health information, it must meet security, privacy and records management requirements.

For guidance on the software assessment process, refer to Software and Administration Systems.

Before replacing or decommissioning any system storing health information, the records must be transferred from third-party software to the school.


Biometric information and technologies

Biometric information is a record of unique human physiological features or behavioural attributes. Some biometric information can also fall within the definition of health information under the Health Records Act 2001.

Biometric information can include a record of a person’s:

  • face or facial dimensions
  • iris scans
  • finger and palm prints
  • voice recordings
  • health data such as heart rate and fitness metrics.

Biometric information scanning is increasingly used by organisations to confirm identity. Some new technologies even capture biometric information as part of their standard functionality.

For example, biometric characteristics can be scanned via:

  • check-in kiosks using palm prints
  • attendance devices that use facial recognition
  • sport and health monitoring devices
  • oral/language learning tools that capture voice recordings.

Use of biometric information

As biometric information is unique to the individual, it has an ongoing identifiable connection to the person. Therefore, schools must consider carefully before biometric technology is introduced and information from children, families and staff is collected and used. Biometrics can be seen as intrusive when Victorian privacy law indicates that the least intrusive method should be preferred.

Privacy obligations do not prohibit the use of biometric technologies in schools. However, if considering using biometric information, schools must complete the following 4 steps first.

Step 1: Contact the Privacy team

Contact the Privacy team by emailing privacy@education.vic.gov.au

The Privacy team will help assess the benefits of the biometric technology prior to procurement. This will include comparing it to current practices and weighing them against potential risks.

Step 2: Check the software on Arc Software

Step 2 requires that schools check the software has been assessed on Arc Software.

If not, then schools will need to follow the process to request a security assessment and undertake a privacy impact assessment (PIA).

Step 3: Review contract terms and conditions with Privacy

If the security assessment and PIA have been completed and endorsed, the school and Privacy team need to review the contract of the biometric software to ensure it complies with departmental policies including:

Step 4: Consult the school community

At this point of the process, a comprehensive consultation process with the school community is required.

This includes consultations with:

  • parents and carers
  • students
  • other members of the school community.

This could be done via a parent information evening or similar.

Photographs and video recordings in biometric applications

Some technologies such as generative artificial intelligence can use existing images, videos and audio recordings to create biometric information. This combines the risks inherent in both image/audio capture generally, and biometric data, and should be avoided.


Information security

All school and corporate staff must take reasonable steps to protect personal and health information they create, handle or for which they have responsibility.

Schools must make sure that personal and health information is:

  • stored securely
  • protected from loss
  • protected from unauthorised access, changes or sharing
  • destroyed or disposed of according to department policies when no longer required.

Information and communication technology security policies

Several department policies guide how to use information and communication technology (ICT).

Information Security explains the requirements for protecting school information.

Software and Administration Systems outlines the requirements for schools before buying or renewing software contracts and when auditing existing software.

Portable Storage Device Security Policy (staff login required) explains how to protect portable storage devices that have sensitive or protected information.

Digital Technologies – Responsible Use policy explains how schools should help students to use technology safely and responsibly.

Procurement of ICT systems

When schools procure third-party systems, all legal obligations must be covered in the contract. For example, it should include requirements relating to privacy, data protection and records management.

For details, refer to Software and Administration Systems.


Privacy incidents

Defining privacy incidents

A privacy incident is any incident where there is a suspected or confirmed loss, inappropriate access, modification, use or disclosure of personal information.

Examples of privacy incidents include:

  • emailing someone’s personal information to the wrong recipient
  • misappropriation of staff login details to access a school administration system
  • applying incorrect access controls to personal documents
  • publishing sensitive documents online
  • uploading student photos on social media without parental consent
  • theft of a student file (electronic or hard copy)
  • sharing information about a staff member’s health without consent.

If there is a data breach, loss or inappropriate sharing of information that doesn't include personal information, it is an information security incident, not a privacy incident.

For guidance on information security incidents, refer to Information Security.

When a privacy incident occurs

If a privacy incident has occurred, or may have occurred, schools must notify appropriate departmental teams so that they can assist. Schools can contact the Privacy team for advice at privacy@education.vic.gov.au

The school must also raise an eduSafe Plus report (staff login required) and ensure the school’s leadership team is informed.

If the incident involves a data breach, unauthorised access to systems or cyber-attack, schools can also report a cyber security issue (staff login required).

The Privacy team will help schools evaluate and respond to the incident, and will ensure other key departmental areas are brought in for relevant support.


Complaints

If someone is concerned about the way the department or a school has handled their own or their child’s personal information, they can make a privacy complaint. Privacy complaints can be directed to the Privacy team at privacy@education.vic.gov.au

For information, refer to Make a privacy complaint.


Resources

Privacy on a page (staff login required)

Training

Information for parents on school policies

Collection notices

Privacy impact assessments

Incidents and complaints


Reviewed 20 May 2020