Privacy and Information Sharing

Policy

The purpose of this policy is to ensure schools follow the Schools’ Privacy Policy when collecting, using, disclosing and managing personal and health information.

Summary

• All schools are required to follow the department’s standardised Schools’ Privacy Policy and must post a link to it on the school’s website.
• Following the policy will ensure your school is complying with current privacy legislation and departmental policy.
• Guidance on implementing the Schools’ Privacy Policy is available in the Guidance tab.
• The Guidance tab also provides information on other privacy-related issues and requirements relevant to schools, including:
  • the provision of collection notices to students and their parents/carers
  • consent requirements
  • appropriate sharing of information
  • privacy impact assessments
  • health information
  • management of privacy incidents and complaints.
• Additional policy advice for schools on when information can and must be shared to promote the wellbeing or safety of children, or to assess or manage family violence risk, is now available at: Child and Family Violence Information Sharing Schemes.

Details

All schools are required to:

• adopt and follow the department’s standardised Schools’ Privacy Policy
• and must post a link to it on the school’s website.

This link replaces any previous local school privacy policy your school may have published. Schools must link to the policy published separately on the department’s website.

Additional policy advice for schools on when information can and must be shared to promote the wellbeing or safety of children, or to assess or manage family violence risk, is now available at Child and Family Violence Information Sharing Schemes.

Definitions

Personal information
Personal information is recorded information or opinion, whether true or not, about a person whose identity is apparent, or can reasonably be ascertained, from the information. The information or opinion can be recorded in any form. A person's name, address, phone number and date of birth (age) are all examples of personal information.

Sensitive information
Sensitive information is a type of personal information with stronger legal protections due to the risk of discrimination. It includes information or opinion about an identifiable person’s racial or ethnic origin, political opinions or affiliations, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record or membership of a trade union.

Personal and sensitive information is regulated in Victoria under the Privacy and Data Protection Act 2014 (Vic).

Health information
Health information is information or opinion about an identifiable person’s physical, mental or psychological health or disability. Health information is a type of personal information which, because of its sensitivity, also has different and stronger legal protections.

Health information is regulated in Victoria under the Health Records Act 2001 (Vic).

Note: De-identified information about individuals can become personal information if it is re-identified or if it is at high risk of being re-identified, for example, if it is released to the public or is a small sample size.

Related policies

• CCTV in Schools – Installation and Management
• Child and Family Violence Information Sharing Schemes
• Cybersafety and Responsible Use of Digital Technologies
• Information Security – InfoSafe
• Photographing, Filming and Recording Staff and Other Adults
• Photographing, Filming and Recording Students
• Privacy Policy (Corporate)
• Privacy Policy (National Law)
• Requests for Information about Students
• Schools Privacy Policy
• Social Media Use to Support Student Learning
• Volunteers in Schools

Relevant legislation

• Health Records Act 2001 (Vic)
• Privacy and Data Protection Act 2014 (Vic)

Guidance on Privacy and Information Sharing

Good privacy practices help schools to build trust with parents and students and meet legal obligations to protect individuals’ personal and health information. All school staff, including contractors, service providers, and volunteers of the department and all Victorian government schools share the responsibility and obligations of protecting privacy.

This guidance contains the following chapters:

• How to implement the Schools' Privacy Policy
• Collection notices
• Consent
• Photographs, filming and recording
• Sharing information
• Privacy impact assessments
• Health information
• Biometric information and technologies
• Information security
• Privacy incidents
• Complaints
• Training and support

How to implement the Schools’ Privacy Policy

Step 1 – link to the policy

Post a link on your school’s public facing website to the Department’s Schools’ Privacy Policy.

Step 2 – share supporting information with staff

Share the Schools’ Privacy Policy FAQs for Staff (login required) to help them understand when they should share ‘need to know’ information.

Step 3 – share supporting information with the school community

Share the Information for Parents – Schools’ Privacy Policy with your school community to help them understand how the school handles their information.

Translations for culturally and linguistically diverse communities are available. Refer to Translations to download and share these resources.

Step 4 – use the new collection notice

The Department has an updated privacy collection notice to match the Schools’ Privacy Policy. This notice must be used by schools during the enrolment process, communicated annually and provided to parents at other times on request: Privacy Collection Notice (DOCX) (staff login required).

Refer to the chapter on Collection notices for further guidance.

Collection notices

It is important to be transparent and communicate with students and their parents about how their personal information will be handled in the school environment. One of the ways we do this is by using collection notices (sometimes referred to as privacy or collection statements).

A collection notice is a plain language statement that explains to people what information needs to be collected, why, and how it will be handled after being collected.

Privacy collection notice (enrolment)

Schools must publish the standard collection notice below on their public-facing website.

Privacy collection notice (DOCX) (staff login required)

This notice covers the standard reasons that schools need to collect and use information in order to perform core functions. It must be used by schools during the enrolment process, communicated annually via a link in their annual privacy reminder to parents and carers and at other times on request.

Annual privacy reminder

Schools must include a privacy reminder in their first or second school newsletter or usual school communication channel at the start of each year.

This reminder explains to students and parents how their personal information is handled in the school environment and is an important part of schools complying with the Privacy and Data Protection Act 2014 (Vic).

Draft newsletter text is available to help schools share this information with the school community: Privacy reminder draft newsletter text (DOCX) (staff login required).

Before sending the reminder, schools will need to ensure they have published the Privacy collection notice and a link to the Schools’ Privacy Policy on their public-facing website.

Notifications for online services

For third party online services or applications (online services) which handle student or parent information, for example, Compass or Mathletics, schools can customise the following templates and use them to notify parents. These notices are used in addition to the standard privacy collection notice.

Sample notice – single online service in our school (DOCX) (staff login required)

Use this notice to communicate to parents through the usual school communications channels (for example, newsletter or email) before implementing each new service.

Sample notice – multiple online services in our school (DOCX) (staff login required)

Alternatively, use a consolidated notification about all relevant third party online services currently used in the school. This is sometimes known as a digital learning statement or an online services statement. This removes the need for detailed individual notices to be provided each time a new service is implemented. This statement should be updated regularly and made available to parents on the school’s website.

The Department can provide schools with a template tool called a privacy matrix to document and assess third party online services that handle student or parent information. If using a consolidated notification, schools are encouraged to first complete the privacy matrix. Content from the matrix can then be incorporated into the statement. Refer to: Privacy matrix (login required)

Other collection notices

For projects or activities that include collection of personal information that are not covered in the standard collection notice or an online services statement, such as for fundraising purposes, you may need to create a separate notification to inform parents and students.

Any collection notice must include:

• the identity of the organisation collecting the information and how to contact it
• the purposes for which the information is collected
• to whom (or the types of individuals or organisations to which) the organisation usually discloses information of that kind
• the fact that the individual is able to gain access to the information
• any law that requires the particular information to be collected
• the main consequences (if any) for the individual if all or part of the information is not provided.

You can use the collection notice generator (DOCX) (staff login required) to create a plain language collection notice.

School staff needing assistance can contact the Privacy team.

Consent

Consent is when someone voluntarily agrees for their information to be collected, used and/or shared within or outside the school or the Department. Consent must be informed, specific, current and voluntary, which is especially important when the subject matter or content is sensitive.

Under the relevant privacy laws, consent is required to collect, use and disclose any health information (with certain exceptions prescribed in the law such as when the collection, use or disclosure is necessary to lessen or prevent a serious threat to an individual’s life, health, safety or welfare).

In some instances, Department policy also requires schools to obtain consent to collect personal information (in addition to health information) where it is considered good practice to do so.

Both privacy laws and Department policy require consent to use or disclose any personal information that schools have collected, where that use or disclosure is not for the same purpose or a reasonably expected related purpose for which it was collected. However, there are some exceptions in privacy laws that allow schools to use or disclose information without consent in these circumstances, such as sharing personal information with a law enforcement agency to assist in an investigation or as otherwise required or authorised by law.

Refer to the chapter on Collection notices for what must be communicated to parents/carers on the management of student personal and health information.

Refer to the chapter on Sharing information for how the personal and health information of students, staff and others can be shared.

Refer to Child and Family Violence information Sharing Schemes for further information about how information can and must be shared to promote the wellbeing or safety of children, or to assess or manage family violence risk.

In cases where consent is required for the collection of information, if consent was granted at the time of collection, it is not necessary to re-seek consent if you plan to use the person’s information for the same purpose or a reasonably expected related purpose for which it was collected. However, it is good practice for schools to ensure they have communicated clearly what those purposes are, refer to Collection notices.

In some circumstances, schools may need to ensure specific consent is obtained, with the most common being photographs and recordings of staff and students, and research in schools.

The following information sets out the Department’s policy on when consent must be obtained to collect, use and/or disclose personal and health information.

Photographing, filming or recording staff and students

Consent must always be considered when taking or publishing photographs and film of staff and students.

For more information on consent and other considerations when taking photographs or video, refer to the chapter on Photographs, filming and recording.

For the Department’s policies and template consent forms, refer to the:

• Photographing, Filming and Recording Students Policy
• Photographing, Filming and Recording Staff and other Adults Policy

A template school-level policy on photographing, filming and recording students is available on the School Policy Templates Portal at Photographing, filming and recording students (staff login required).

Conducting research in schools

All research conducted in schools requires consent from participants whether staff or students and, for any student under the age of 18, consent from parents/caregivers. This applies to both research conducted by external researchers and research commissioned or conducted by the Department.

Where the proposed research involves photographing or filming, the researcher must obtain specific agreement from the participants (or their parents/caregivers, as required). This consent should be defined and included in the consent for participating in the research.

For the Department’s policy, refer to Research and Evaluation in Schools.

Cover letter and consent form templates for external research are available for schools, refer to:

• Cover letter for external research consent form (DOT) (staff login required)
• External research parent/carer consent form (DOT) (staff login required)

Using online services in schools

Online services and applications (online services) often handle student or parent information, for example, Compass or Mathletics. Schools can take different approaches to seeking parental consent when implementing these services, depending on local circumstances or expectations of their school community.

When implementing an online service, schools should consider whether consent for use of the service is required, and if so, whether opt in or opt out consent is most appropriate for the specific situation.

• Opt in consent can be used when the service is not for a standard school function (for example, a fundraising event with the local sporting club); and parents may not reasonably expect such use.
• Opt out consent can be used when the service is for a desirable, but not mandated, school function (for example for teaching and learning purposes).
• No consent is needed when the service is for a school function that is mandated by law (for example, same day notification of unexplained absences).

Privacy law also allows for student and parent information to be used and shared without consent for specific purposes, such as, when it is necessary to lessen or prevent a serious harm, or for law enforcement purposes.

In all cases, schools should ensure parents are adequately informed about the use of the online service so they are not taken by surprise. Refer to Notifications for online services.

Where an online service uses photographs or videos of a student, the Department’s Photographing and Filming Students Policy applies, and parental consent is required. If consent was granted previously for this use or you are using it for a reasonably expected related purpose, the school may decide that no further consent is necessary or use opt out consent.

The Privacy team can provide further advice on consent for use of online services.

Photographs, filming and recording

Photographs, films and other recordings (photographs) of individuals are considered personal information, and as such are protected by privacy law in the same way as other personal information. They may also be protected by copyright law.

The key privacy considerations for taking or publishing photographs are consent, context and risk.

If your school is intending to take photographs of students, refer to the Photographing, Filming and Recording Students Policy for detailed guidance and template consent forms.

When taking photos of adults, refer to the Photographing, Filming and Recording Staff and other Adults Policy for guidance and a template consent form.

Sharing information

Personal and health information of students, staff and others can be shared to carry out school and Department functions, for other related purposes and in other limited circumstances such as where there is a risk to health and safety.

‘Need to know’ framework

All staff should share information about students, staff and others on a ‘need to know’ basis, that is, to allow staff to perform their primary function (or for a secondary purpose that would be reasonably expected by the individual whose information is being shared).

Refer to the FAQ for staff for detailed guidance on the ‘need to know’ framework and the Schools’ Privacy Policy for more information on primary and secondary purposes.

Sharing information helps schools and the Department to:

• educate students, plan for individual needs and address barriers to learning
• support the students’ social and emotional wellbeing and health at school
• fulfil legal obligations towards students and the community.

Student information

Sharing information about students

The ‘need to know’ framework sets out that school staff can share student information amongst other school staff and relevant members of the Department to enable the school to:

• provide for and support the student’s education
• support the student’s social and emotional wellbeing and health
• reduce the risk of reasonably foreseeable harm to the student, other students, staff or visitors (duty of care)
• make a reasonable adjustment for the student’s disability (anti-discrimination law)
• provide a safe and secure workplace (occupational health and safety (OHS) law).

In addition to considering the ‘need to know’ framework, there are occasions where the school may lawfully share information with other parties outside the school or the Department. There is detailed guidance on how to:

• respond to specific requests for student information by third parties, refer to Requests for Information about Students
• request and share confidential information with authorised services to promote child wellbeing or safety, or assess or manage family violence risk, refer to Child and Family Violence Information Sharing Schemes for further information
• support a child who has been impacted, or is suspected to be impacted, by abuse, refer to Child protection privacy and information sharing.

School transfers

When a student has been accepted at, and is transferring to or from, another school (Victorian government, non-government and/or interstate), the current school transfers information about the student to the new school.

This information may include copies of the student’s school records, including any health, wellbeing or safety related information. This enables the new school to continue to provide for the education of the student, to support the student’s social and emotional wellbeing and health, and to fulfil legal requirements.

Parental consent is not required to transfer this information between Victorian government schools. Parental consent is required when the student is transferring to or from a Victorian non-government school, including Catholic schools, or interstate schools.

However, information sharing frameworks such as the Child and Family Violence Information Sharing Schemes allow for information sharing without consent where it is to promote the wellbeing or safety of children or to assess or manage family violence risk. Privacy laws also allow the department to share information without consent when it is necessary to lessen or prevent a serious threat to an individual’s life, health, safety or welfare. This includes the health and safety of school staff and other students.

Further direction on information transfers between schools is available in the guidance under Enrolment – Student transfers between schools.

Staff information

Staff information should be shared using the ‘need to know’ framework to allow other staff to perform their function, for example, to recruit and pay staff, support their health and wellbeing, and to comply with the Department’s legal obligations, policies and staff codes of conduct. This may include sharing necessary information with the relevant school, regional or central office staff, where permitted.

Privacy impact assessments

What is a privacy impact assessment?

A privacy impact assessment (PIA) identifies and assesses the privacy impacts of any initiative, project or software that handles personal, sensitive or health information.

Conducting a PIA helps schools identify privacy and security risks, evaluate compliance with the Victorian Privacy and Data Protection Act 2014 and Health Records Act 2001, and document what actions are required to mitigate any identified risk. This also helps schools identify important information to include in parent notifications to ensure parents are better informed.

Privacy law requires all of us to take reasonable steps to implement practices, procedures and systems to protect personal and health information and handle it appropriately. By doing a PIA and building in privacy requirements in initial stages, the school can demonstrate this to parents and, if necessary, the Victorian Information Commissioner and Health Complaints Commissioner.

Schools should consider conducting PIAs for:

• any third party software (free or purchased) used in the school that handles personal, sensitive or health information, particularly for third party software that is considered high risk or
• any existing process, project or software that is modified in a way that changes how personal, sensitive or health information is handled. If a PIA was completed previously, then this may need to be reviewed and updated.

The Department’s Privacy Team can support schools to conduct a PIA.

Key terms

Personal information
Personal information is recorded information or opinion, whether true or not, about a person whose identity is apparent, or can reasonably be ascertained, from the information. The information or opinion can be recorded in any form. A person's name, address, phone number and date of birth (age) are all examples of personal information.

Sensitive information
Sensitive information is a type of personal information with stronger legal protections due to the risk of discrimination. It includes information or opinion about an identifiable person’s racial or ethnic origin, political opinions or affiliations, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, or membership of a trade union.

Personal and sensitive information is regulated in Victoria under the Privacy and Data Protection Act 2014 (Vic).

Health information
Health information is information or opinion about an identifiable person’s physical, mental or psychological health or disability. Health information is a type of personal information which, because of its sensitivity, also has different and stronger legal protections.

Health information is regulated in Victoria under the Health Records Act 2001 (Vic).

Note: De-identified information about individuals can become personal information if it is re-identified or if it is at high risk of being re-identified, for example, if it is released to the public or is a small sample size.

Third party software is software or an online service purchased from a third party, including Department brokered software such as Google’s G Suite, but excluding Department-owned software or systems e.g. CASES21, SOCS.

Conducting a PIA

When to use the PIA template

When procuring new third party software (regardless if free or purchased), schools should consider completing the PIA template as part of their procurement process. At a minimum, the PIA template should be completed for all third party software that is identified as high risk.

Software may be high risk where it:

• handles sensitive or health information about students, parents or staff
• handles photos or videos of students
• offers cloud storage with limited security or allows insecure access through the internet or mobile devices
• has certain kinds of functionality: remote access, video or teleconferencing, unmoderated or unsupervised chats
• allows users to share content publicly
• is a new and relatively unknown software that handles personal information.

Pre-populated PIAs have been developed for systems commonly used in schools which can be tailored to meet your school’s circumstances. Find these at: Pre-populated PIAs (login required).

Schools do not need to complete a PIA or security assessment for systems provided by DET if intending to use the system in prescribed ways. A list of these systems can be found at: FUSE DET Software Suite.

If unsure about whether a PIA template is needed, please contact the Privacy team.

How to use the PIA template

Download the PIA template (login required).

The PIA template consists of:

• Risk Identification (Part 1)
• Action Plan (Part 2) and
• Endorsement (Part 3).

Note: For a small number of PIAs, an implementation checklist will be provided which can replace the Action Plan (Part 2 of the PIA template).

Supporting resources can be found in the PIA Appendices.

Risk identification

Part 1 of the PIA template is an analysis of the proposed software or system against the 10 Information Privacy Principles (login required) at each stage of the information life cycle (collection to disposal).

Things to consider at each stage of the information life cycle:

• Prior to or at collection: The type of information collected – Is it necessary? Is it a new collection or existing information? Is a new collection statement or consent needed?
• Use and disclosure: Does the use and disclosure of existing information fit with the original collection purpose? Is there a reasonable expectation of the use and disclosure? Is consent needed? Who will the information be disclosed to? Do similar privacy protections apply if there are information flows outside Victoria?
• Holding and storage: How can the currency and quality of personal information be assured? What safeguards will protect against misuse, loss, unauthorised access, modification or disclosure? What procedures enable individuals to access and correct their information?
• Disposal: Do any mandatory retention periods apply by law? How will information be destroyed or permanently de-identified?

For help in understanding risk identification, please contact the Privacy team.

Action Plan

In Part 2 of the PIA, the school will:

• identify privacy risks which need to be addressed
• determine the risk rating for each risk based on processes currently in place
• specify further action required to further reduce the risk rating to an acceptable level, the responsible person/area and the timeframes for completion.

The PIA template contains a list of suggested privacy risks and actions. However these are not exhaustive and must be amended, deleted or added to in order to ensure that the Action Plan is relevant for the school and the proposed project or software.

Endorsement

In Part 3 of the PIA, the principal endorses and accepts responsibility for the mitigation actions and residual risk described in the PIA.

1. After the Privacy Officer has advised that the PIA is ready for signing, the principal must review Part 1 and Part 2 before signing Part 3.
2. The staff responsible and Privacy Officer also sign Part 3.

After the PIA is signed

• Send a copy of the signed PIA to the Privacy team. Principals may also share a copy of the PIA with the school council if they wish.
• Keep the signed PIA with other project documentation (e.g. security assessments and contracts).
• Provide updates to the Privacy Officer at the end of each proposed timeframe until all Action Plan items are completed.
• The PIA is a live document, and the staff responsible should record any additional actions taken after the PIA template is signed. This can be done by adding pages after Part 3.
• The PIA may need to be updated if new privacy risks arise from project or software changes.

Privacy matrix

Purpose

The privacy matrix is a high level summary of all third party software in a school which handles personal, sensitive or health information. It can be used separately from, and in addition to, the PIA template.

When the privacy matrix identifies high-risk software, schools should complete the PIA template for that software to ensure that the risks are fully identified and mitigated. For example, third party digital software that handles a lot of student information, tends to be higher risk so a school should complete a PIA template for this.

The information in the matrix helps schools streamline privacy notifications to parents. Schools can use content from the matrix to create their notifications for online services (sometimes known as digital learning statements or an online services statement) and publish this notification on their website. This will keep current and prospective parents informed of systems in use at the school.

How to use the privacy matrix

Download the privacy matrix (login required).

1. List all third party software (purchased and free) used in the school that handles personal, sensitive or health information.
   To help with step 1, schools can ask their specialist technicians for the school’s ICT inventory, and refer to the software listed in item 7 ‘Software Licensing’. Please note that not all software listed in the ICT inventory handles personal information and there may be free software used by the school that is not listed.
2. Populate the rest of the matrix by following the instructions included in the matrix.
3. Send the completed privacy matrix to the Privacy team at privacy@education.vic.gov.au for review. The Privacy team can advise what additional actions may be required, for example which software requires a PIA template to be completed.
4. Update the privacy matrix each time new software is introduced in the school and ensure that the notification to parents is similarly updated. The privacy matrix should be reviewed regularly, for example, annually.

Health information

Health information describes the health and wellbeing needs or conditions of an individual. It needs higher protections than other personal information because inappropriate use and disclosure may cause greater harm or discrimination to a person. Examples of records that may contain health information are:

• Individualised Education Plans (also called Individual Learning Plans), educational needs assessments, and behavioural support plans which include health care information provided by Student Support Services (SSS) or allied health professionals
• reports and assessments from health practitioners provided by parents to the school
• student support planning forms, which include student health and wellbeing support plans, child abuse concerns, asthma or allergy care plans, individual anaphylaxis management plans, and SSS referrals
• applications and assessments for disability supports funding
• notes about student behaviour or wellbeing recorded in third party platforms
• information about medical appointments that reveal or suggest a particular service or condition.

Responsibilities for providing and collecting health information

Parents/carers

• Must ensure the school has relevant health information about their child
• May choose to limit the release of information about chronically ill or critically injured students, who are not currently attending school

Schools

Collecting health information

• Exercise sensitivity to the family’s needs
• If parents/carers or adult/independent students wish to limit the release of information, the school must inform them:
  • of the school’s need to be aware of the student health conditions and first aid requirements so that plans for support can be put in place
  • how their personal and health information is protected
• May request relevant information from, or share relevant information with all authorised services under the Child Information Sharing Scheme or the Family Violence Information Sharing Scheme
• Subject to consent from the parent/carer (unless the disclosure is required or authorised by law), assist by providing observations (not interpretations) of the student’s behaviour, which can then be used to assist the student’s medical/health practitioner in monitoring and planning their health care

Using and disclosing health information

Health information must be collected and managed appropriately in accordance with relevant laws and departmental policy. For example, use and/or disclosure of health information should be limited to:

• where it is necessary to carry out school functions
• where it is necessary to lessen or prevent a serious threat to a person or the public’s health, safety or welfare
• where a parent/carer or mature minor consents to the disclosure
• when sharing information outside the Department is required or authorised by law, such as to:
  • meet duty of care, anti-discrimination, occupational health and safety obligations and/or
  • promote the wellbeing or safety of children, or to assess or manage family violence risk - refer to Child and Family Violence Information Sharing Schemes for further information.

Health professionals

• Must disclose student personal and health information when needed to ensure a student’s health, safety or wellbeing
• Must not divulge a student’s personal or health information unless:
  • parent/carer consent is provided or
  • they are legally obliged to or authorised to do so (for example, under privacy legislation, the Child Information Sharing Scheme or the Family Violence Information Sharing Scheme)

Note: If schools are seeking to share health information and are unsure if it is permitted, contact the department's Privacy Team for advice by phoning 03 8688 7967 or email: privacy@education.vic.gov.au

Biometric information and technologies

Biometric information is a record of unique human characteristics, such as facial dimensions, iris scans, finger and palm prints, voice recordings, and even health data such as heart rate and fitness metrics. This kind of information is increasingly being used by organisations to confirm identity.

Some new technologies capture biometric information as part of their standard functionality, for example, check-in kiosks using palm prints or attendance devices that use facial recognition. Other examples include sport and health monitoring devices, or oral/language learning tools which capture voice recordings.

Use of biometric information

Biometric information is unique to an individual and always retains that connection to the person, so the use of this sort of information, particularly that of children, needs to be carefully considered.

Schools must consult with the Department’s Privacy team and their school community when considering using technologies that use biometric information. This will help schools to determine if the intended benefit of using the biometric technology outweighs the risks and ensure that any proposed use is in line with relevant policies.

Privacy obligations do not prohibit the use of biometric technologies in schools, however schools considering use must:

1. contact the Privacy team for support in assessing the benefits of the biometric technology in real terms, in comparison to current practices and weigh them against potential risks. For example, if considering the use of facial recognition to capture attendance data, is there enough additional benefit to this new method to risk exposure and misuse of students’ biometric information?
2. conduct a privacy impact assessment with support from the Department’s Privacy team – the Privacy team may suggest that a security assessment is also done, in consultation with the InfoSafe team
3. work with the Privacy team to check the contract and terms and conditions, and assess how they comply with the following Department policies:
   • Schools’ Privacy Policy
   • Photographing, Filming and Recording Students
   • Information Security – InfoSafe
4. undertake a comprehensive consultation process with parents, students, and other members of the school community, for example, a parent information evening.

The above 4 steps must be completed before progressing with adopting any biometric technology.

Photographs and audio-visual recordings

Extra care must be taken when using and storing images and voice recordings of students. If this information becomes compromised, there can be long term consequences due to the inability to change biometric information.

Before capturing and using images and recordings of students, consider the following:

• Is the image or recording really needed for what you are doing? For example, could an avatar be used instead of a photograph?
• Does the image and recording need to be widely accessible? If not, restrict to only those that need to have access for a clearly defined purpose.
• Does the image or recording need to be in a third-party system or could it be more securely stored in an existing school or departmental system?
• If using a third-party system, ensure your contract with the vendor has the appropriate privacy protections. It is important that the school can instruct the vendor to remove data from the system at any point, if necessary.

Refer to Photographing, Filming and Recording Students and Photographing, Filming and Recording Staff and Other Adults for further guidance.

Information security

All school and corporate staff must take reasonable steps to ensure that personal and health information they create, handle or have responsibility for is securely stored and protected from loss, unauthorised access, modification, disclosure or destruction.

For guidance and resources, refer to Information Security – InfoSafe.

For measures schools must take to support students to engage with digital technology in a safe and responsible way, refer to the Cybersafety and Responsible Use of Digital Technologies Policy.

Information and communication technology (ICT) security policies

Information Security (InfoSafe) Policy:

• sets out the Department’s information security requirements for schools
• provides guidance on identifying and reporting ICT security incidents

Acceptable Use Policy for ICT Resources for direction to corporate and school staff on acceptable use of ICT resources.

Edupass — Identity and Access Management in Schools Policy for direction on password security requirements.

Portable Storage Device Security Policy provides guidance to corporate and school staff on security for portable storage devices containing sensitive or protected information.

Records management

Good records management practices are vital for keeping personal information secure.

For advice and responsibilities relating to the management, storage and disposal of records, refer to Records Management — School Records Policy.

School procurement of ICT systems

For information on the procurement procedure for schools, refer to Procurement — Schools.

When schools procure ICT applications and systems, they need to ensure compliance with a number of legislative obligations, including privacy, data protection, records management and accessibility. To support schools in doing this, the Supplier Compliance process has been established to evaluate ICT suppliers.

For information on this process, refer to Supplier Compliance Process.

Privacy incidents

If you identify or suspect that personal information is not being handled appropriately, notify the appropriate member of your school’s leadership team immediately and contact the Privacy Team.

What is a privacy incident?

A privacy incident is any incident where there is a suspected or confirmed loss, inappropriate access, modification, use or disclosure of personal information. Personal information is information about an individual that may identify them. Privacy incidents include:

• misdirected communications, for example, emailing the wrong recipient, using cc instead of bcc, or attaching the wrong document
• accidental access, for example, applying incorrect access controls to documents, or publishing sensitive documents online
• unauthorised access, for example, a student accessing school systems using staff login details
• loss, for example, theft of a USB containing student files, or misplacing a student file (electronic or hard copy)
• unauthorised disclosure, for example, uploading student photos on social media without parental consent.

What should I do if I think a privacy incident has occurred?

If you believe a privacy incident has occurred, or might occur, contact the Privacy Team by phoning 03 8688 7967 or emailing privacy@education.vic.gov.au

The team can offer immediate advice and work through the incident response process with you.

It is important that the Privacy Team is engaged early, so that they can help you throughout the incident and beyond. The team will ask questions to help remediate the issue, and they will also liaise with any other relevant teams (for example, Information Management and Technology Division and Legal Division) to provide coordinated support.

Note: Where the principal reasonably believes that the privacy incident is insignificant, it is at their discretion as to whether or not to contact the Privacy Team. An insignificant incident would include situations in which the personal information was not disclosed outside of the school or Department and did not include any sensitive or health information that would cause any harm or concern to a student or their family as a result of the mistaken disclosure.

Incident response process

The Privacy Team will evaluate any incident or suspected incident systematically on a case-by-case basis, following these steps:

1. Preliminary assessment and containment: this happens very quickly to establish the type and scale of the incident, the kind of information and risk involved, and if containment steps are required. This forms the basis of what action needs to be taken and what needs to be done as soon as possible. The preliminary assessment is about documenting key details and containing the incident if it is still uncontained.
2. Risk evaluation: this is a more detailed assessment of the privacy consequences of the incident. It assesses the scale and severity of the incident, what information has been compromised and any potential harm to individuals and/or the Department. This often includes reviewing the material involved and asking questions to understand how the incident occurred, how it can be contained and how it can be prevented from occurring again.
3. Notification: in some cases, notification is required. This may involve engaging other areas of the Department, notifying affected individuals and potentially notifying any regulators. If you are considering notifying affected individuals, please contact the Privacy Team for advice.
4. Prevention: a final incident review should be conducted to identify outstanding risks or opportunities that might be addressed to prevent similar incidents occurring.

For a quick reference guide on what to do in a privacy incident, refer to:

• Privacy Incident Management for schools (staff login required)
• Privacy Incident Management for schools — accessible version (staff login required).

What is not a privacy incident?

If there is a data breach, loss or inappropriate sharing of information that does not include personal information, this is an information security incident rather than a privacy incident. Examples of information security incidents include:

• unauthorised access of an information system containing financial information, not personal information
• loss or theft of a USB containing planning documentation which doesn’t include any personal information

Log these incidents immediately with the IMTD Service Desk, who can be contacted by phoning 1800 641 943 or emailing servicedesk@education.vic.gov.au

If the incident involves any commercial or sensitive information, you should also contact Legal Division for further guidance.

Complaints

If someone is concerned about the way their personal information, or personal information about their child, has been handled, they are able to make a privacy complaint. Privacy complaints should be directed to the Privacy team.

For information about how the Department manages privacy complaints, refer to Make a privacy complaint.

Training and support

For an introduction to privacy in schools, complete the Privacy for Schools eLearning module which can be found in LearnED in eduPay.

For privacy advice or face-to-face training at your school, contact the Privacy team on privacy@education.vic.gov.au or 03 8688 7967.

Refer to the Resources tab for useful documents and websites.

Resources

Privacy on a page

• Privacy on a page for principals (DOCX) (staff login required)
• Privacy on a page for teachers (DOCX) (staff login required)
• Privacy on a page for student health and wellbeing staff (DOCX) (staff login required)

Useful links

• Office of the Victorian Information Commissioner (OVIC)
• Health Complaints Commissioner

How to implement the Schools’ Privacy Policy

• Schools’ Privacy Policy: frequently asked questions for staff (DOCX) (staff login required)
• Schools’ Privacy Policy: information for parents

Collection notices

• Privacy collection notice (DOCX) (staff login required) – to be provided to parents and carers with the Student Enrolment Form and published on the school website
• Privacy reminder draft newsletter text (DOCX) (staff login required) – to assist schools in preparing their annual privacy reminder for parents and carers
• Sample notice – single online service in our school (DOCX) (staff login required)
• Sample notice – multiple online services in our school (DOCX) (staff login required)
• Collection notice generator (DOCX) (staff login required)

Photographs, filming and consent

Photographing, filming and recording students (staff login required) – for school policy and consent form templates

Sharing information

Schools’ Privacy Policy: frequently asked questions for staff (DOCX) (staff login required)

Privacy impact assessments

• Privacy Impact Assessment (PIA) template (DOCX) (staff login required)
• Privacy Matrix (staff login required)
• Summary of Information Privacy Principles (DOCX) (staff login required)
• OVIC: Privacy by design: Effective privacy management in the Victorian public sector

Incidents

• Privacy Incident Management for Schools (PDF) (staff login required)
• Privacy Incident Management for Schools – accessible version (DOCX) (staff login required)

Training

For an introduction to privacy in schools, complete the Privacy for Schools eLearning module (staff login required) which can be found in LearnED in eduPay.