Policy last updated
11 July 2025
Scope
- Schools
Policy
This policy provides privacy and information sharing guidance to ensure schools follow the Schools' privacy policy when collecting, using, sharing and managing personal and health information.
Summary
- All schools must adopt and follow the Schools' privacy policy and include a link to it on their school’s website.
- Following the policy will ensure schools comply with current privacy legislation and departmental policies.
- Information on how to implement the policy is available in the Guidance tab.
- Advice for when information can and must be shared for the wellbeing or safety of children, or to assess or manage family violence risk can be found on Child and Family Violence Information Sharing Schemes.
Details
The Schools' privacy policy is a departmental policy which applies to all schools.
All schools must:
- adopt and follow the Schools’ privacy policy
- include a link to the policy on their school’s website
- remove any previous, individualised privacy policies from their website.
In some cases, school staff can and must share personal information to promote the wellbeing or safety of children, or to assess or manage family violence risk.
Advice on sharing information of this nature is available at Child and Family Violence Information Sharing Schemes.
Definitions
Personal information
Personal information is recorded information or an opinion about a person who is identified or could be reasonably identified.
It will be considered personal information regardless of whether it is true or not.
Examples of personal information include a person’s:
- name
- address
- phone number
- date of birth and/or age.
De-identified information about individuals can become personal information if it is re-identified or re-identifiable. For example, if a sample size is very small or enough separate facts about a person are provided then their identity could be guessed.
Sensitive information
Sensitive information is a type of personal information. It has stronger legal protections due to the risk of discrimination.
Sensitive information includes information or opinion that relates to a person’s:
- racial or ethnic origin
- political opinions or affiliations
- religious beliefs or affiliations
- philosophical beliefs
- sexual orientation or practices
- criminal record
- membership of a trade union.
Personal and sensitive information is regulated in Victoria under the Privacy and Data Protection Act 2014 (Vic).
Health information
Health information is a type of personal information. The sensitive nature of this information means that it has different and stronger legal protections.
Health information is information or opinion about an identifiable person’s:
- physical health
- mental or psychological health
- disability.
Health information is regulated in Victoria under the Health Records Act 2001 (Vic).
Related policies
- CCTV in Schools – Installation and Management
- Child and Family Violence Information Sharing Schemes
- Digital Technologies – Responsible Use
- Generative Artificial Intelligence
- Information Security
- Photographing, Filming and Recording Staff and Other Adults
- Photographing, Filming and Recording Students
- Privacy policy
- Privacy policy (National
- Records Management
- Records Management – Employee Information
- Requests for Information about Students
- Schools' privacy policy
- Software and Administration Systems
- Volunteers in Schools
Relevant legislation
Guidance
Guidance on privacy and information sharing
Adopting and following the Schools’ privacy policy enables schools to meet their legal obligations.
By implementing the policy and good privacy practices, schools can protect individuals’ personal and health information. This also helps schools to maintain trust with parents and students.
When the term ‘school staff’ is used, it includes:
- contractors
- service providers
- volunteers of the department
- all Victorian government schools.
All school staff share the responsibility and obligations of protecting privacy.
Guidance topics
- How to implement the Schools' privacy policy
- Collection notices
- Consent
- Photographs, filming and recording
- Sharing information
- Privacy impact assessments
- Health information
- Biometric information and technologies
- Information security
- Privacy incidents
- Complaints
How to implement the Schools’ privacy policy
Step 1 – link to the policy
Schools must include a link on their public facing website to the department’s Schools' privacy policy.
Step 2 – share supporting information with staff
Send staff a link to the guidance Implementing the Schools' privacy policy. The guidance will help staff understand what they need to do when collecting, sharing and using personal information.
Step 3 – share supporting information with the school community
Send the school community a link to the Schools' privacy policy: information for . This resource helps parents and carers understand how the school handles their information. It also includes translations for culturally and linguistically diverse communities.
Step 4 – share the Schools’ privacy collection notice
During the enrolment process schools must provide parents and carers with a link to the Schools' privacy collection notice.
Schools must also provide a link to the collection notice annually in Term 1, as part of regular privacy reminders.
For guidance on this process, refer to Collection notices.
Collection notices
It is important that schools are transparent and communicate with students and parents about how their personal information will be handled. A key way the department and schools do this is by providing collection notices.
A collection notice is a plain language statement that explains:
- what information is being collected
- why it is needed
- how the information will be managed.
Schools’ privacy collection notice
The main collection notice used in schools is the Schools’ privacy collection notice. It explains why schools need to collect and use information to carry out core functions.
Schools must share a link to the Schools’ privacy collection notice:
- during the enrolment process
- annually as part of the school’s privacy reminders.
Schools must do both to meet their privacy obligations.
Annual privacy reminder (all students)
At the start of each year in Term 1, schools must send a privacy reminder to the school community. These should be included in the first or second school newsletter, or through usual communication channels.
The privacy reminder supports schools to make sure all parents and students continue to understand how their personal information is handled. This helps schools comply with the Privacy and Data Protection Act 2014 (Vic).
Privacy reminders must include links to the:
- Schools’ privacy collection notice
- Schools’ privacy policy
- school’s version of the photographing, filming and recording students policy published on the school’s website
- Schools’ privacy policy: information for .
Schools are recommended to use the Privacy reminder newsletter template (DOCX 72 KB, staff login) to include in their school newsletter or as a stand-alone notice.
Notifications for software and new technology use
When schools adopt new software that collects or stores personal information, they are encouraged to inform their school community as part of implementation. This helps avoid surprises and is part of good privacy practice.
If opt-in consent is required, then notice is required to support informed consent.
Schools can use the Notice – new software template (DOCX).
Alternatively, schools can publish or annually communicate a list of all the software they use that handles personal information. This list is known as a digital learning statement; schools can use the Notice – software in our school template (DOCX).
For more information on consent and technology, read the guidance on Consent.
Other collection notices
If school staff collect personal information for activities not covered by the schools’ privacy collection notice, or a software collection notice, they may need to create a separate notification. This separate notification must then be sent to parents and carers. An example might include a school collecting personal information for fundraising.
A collection notice must include:
- the name and contact details of the organisation collecting the information
- the purpose for collecting the information
- any individuals or organisations the information might be shared with
- a statement about the person’s right to access the information collected about them
- any law(s) requiring the collection of the information
- what happens if they don’t provide all or part of the information.
Collection notices used by schools must be written in plain language. Schools can create collection notices using the Collection notice generator (DOCX 76 KB, staff login).
In some cases, a collection notice alone isn’t sufficient and explicit consent might be required. Refer to Consent.
For advice on collection notices, email the Privacy team at privacy@education.vic.gov.au
Consent
Consent means someone giving permission for their personal information to be collected, used, and/or shared. In schools, this is often a parent or carer on behalf of a child.
Schools and the department must ask for consent in certain circumstances. For example, consent is generally required for the collection, use or disclosure of health information (unless one of the exemptions under privacy law applies, such as to lessen or prevent a serious threat to someone’s life, health, safety or welfare).
There are some exceptions in privacy law that allow the department and schools to use or disclose personal information without consent, such as sharing with a law enforcement agency to help an investigation. The department and schools are also able to share personal information through both the Child Information Sharing Scheme (CISS) to promote the wellbeing or safety of children and the Family Violence Information Sharing Scheme (FVISS) to assess or manage family violence risk.
More information is also available in the Schools' privacy policy.
Valid consent
When giving consent, the person must have the capacity to consent. Therefore, consent is usually obtained from parents, carers or mature minors.
For consent to be valid, it must be:
- informed: the person or their parent/carer can understand what they are agreeing to
- specific: it is clear what the consent is for
- current: it applies to the situation right now
- voluntary: the person, parent or carer agrees to it freely.
This is especially important when the subject matter or content is sensitive.
Schools must ask for consent again if they want to use or disclose personal information in a way that is different from the primary purpose for which it was collected or a reasonably expected secondary purpose.
Types of consent
For most purposes, schools must obtain consent through either an opt-in or opt-out process:
- Opt-in consent is when the person actively gives permission.
- Opt-out consent assumes the person has consented unless they take active steps to say no.
Common examples of activities that require consent include:
- implementing new software
- photographing and recording staff and students for non-standard school functions
- research in schools.
When to use opt-in
Opt-in consent must be used when the activity or software collects:
- health or wellbeing information
- photos
- other sensitive information.
Sensitive information can include things such as cultural background and sexual orientation.
Opt-in consent is also advised for any activity or software that has aspects that could increase privacy risk, such as group chats or publishing material online.
When to use opt-out
Opt-out consent can be used when minimal personal information is being collected or used for a school purpose.
This includes software such as apps that only require name and year level.
When no consent is needed
There are specific purposes where the department can collect and manage personal information without specific consent. These are described in the Schools’ privacy policy and Schools' privacy collection notice.
As a summary, the specific purposes include:
- educating students
- supporting students’ health or social and emotional wellbeing
- fulfilling legal obligations, including duty of care, anti-discrimination law and occupational health and safety law
- communicating and engaging with parents
- undertaking student administration and school management
- same-day notification of unexplained absences.
There are also some exceptions in privacy laws that allow schools to use or disclose information without consent. These include:
- when necessary to lessen or prevent serious harm
- as required for law enforcement purposes.
For advice on sharing personal and health information, including for child safety, refer to Sharing information.
If you require more information on when an exemption may apply, please email the Privacy team at privacy@education.vic.gov.au
Implementing software and new technology in schools
When implementing new software and new technology, schools must consider whether consent is needed for use of the software. If consent is needed, schools will need to identify whether it is an opt-in or opt-out consent situation.
Consent and artificial intelligence
When using new technology such as artificial intelligence (AI), schools should act with caution, as the privacy risks may not be obvious.
A common type of AI is generative AI. Generative AI tools can produce various types of content such as text, imagery, audio and other synthetic data.
Personal information must not be uploaded to generative AI tools. Parents should have the option to opt their child out of using AI tools or having their information stored in them.
For more guidance on the use of generative AI tools, refer to the Generative Artificial Intelligence policy.
For further advice on consent for use of software, contact the Privacy team by emailing privacy@education.vic.gov.au
For guidance on informing parents and gaining consent, refer to Collection notices.
Conducting research in schools
All research conducted in schools requires consent from participants. For any student under the age of 18, consent must be sought from parents/carers.
This applies to both research conducted or commissioned by the department and research conducted by external researchers.
If the research involves photographing or filming, the researcher must ensure specific consent is gained.
For the department’s policy, refer to Research and Evaluation in Schools.
Cover letter and consent form templates for external research are available for schools, refer to:
Photographs, filming and recording
Photos, videos and other recordings of a person are types of personal information and as such are protected by privacy law and sometimes by copyright law.
The main things to consider when taking or sharing photos are consent, context and risk.
There are 2 policies that cover photos, videos and recordings:
- when students are the subject, refer to the Photographing, Filming and Recording Students policy
- when adults and staff are the subject, refer to the Photographing, Filming and Recording Staff and other Adults policy.
Sharing information
School staff can share personal and health information of students, staff and others to carry out school and department functions or related purposes.
Information sharing can also occur in other limited circumstances, such as when there is a risk to health and safety.
‘Need to know’ framework
All staff can, and must, share information about students, staff and others on a ‘need to know’ basis. This means that staff only share information necessary for them to do their job that doesn’t breach the privacy rights of the individual.
It can also be shared for secondary purposes that would be reasonably expected by the person whose information is being shared.
For more information on primary and secondary purposes, refer to the Schools' privacy policy.
Sharing information helps schools and the department to:
- educate students by planning for individual needs and address barriers to learning
- support the students’ social and emotional wellbeing and health at school
- fulfil legal obligations towards students and the community.
Examples of the ‘need to know’ framework in practice are available at the end of this guidance chapter.
Student information
Sharing information about students
Under the framework, staff can share student information with other school staff and relevant members of the department.
The ability to share information allows the school to:
- provide for and support the student’s education
- support the student’s social and emotional wellbeing and health
- reduce the risk of reasonably foreseeable harm to students, staff or visitors (duty of care)
- make reasonable adjustments for the student’s disability (anti-discrimination law)
- provide a safe and secure workplace (occupational health and safety law).
Sometimes schools can legally share information with others outside the school or the department.
These situations include when:
- responding to Requests for Information about Students
- requesting and sharing confidential information with authorised services to promote child wellbeing or safety, or assess and manage family violence risk (Child and Family Violence Information Sharing Schemes)
- supporting a child who has been impacted, or is suspected to be impacted, by abuse (Child protection privacy and information ).
School transfers
When a student has been accepted at, and is transferring to or from, one school to another, the current school will send the student’s information to the new school. This includes students transferring from any Victorian government, non-government and/or interstate school.
The information shared can include copies of the student’s school records, including any health, wellbeing or safety related information.
Parental consent isn’t required to transfer this information between Victorian government schools. It is required when the student is transferring to or from a Victorian non-government school, including Catholic schools or interstate schools.
However, information sharing frameworks such as the Child and Family Violence Information Sharing Schemes allow for information sharing without consent where it is to promote the wellbeing or safety of children or to assess or manage family violence risk. Privacy laws also allow the department and schools to share information without consent when it is necessary to lessen or prevent a serious threat to an individual’s life, health, safety or welfare.
For guidance on transferring student information refer to our guide on Enrolment – Student transfers between schools.
Duty of care
School staff have a duty of care to students. All staff working with students must take reasonable steps to minimise the risk of reasonably foreseeable harm to students.
Staff must share pertinent information about students to enable other staff to take steps to reduce the risk of harm.
This could include sharing information about a student’s:
- behaviour
- disability
- family circumstances.
Staff can also share other information relevant to managing the risks, such as information in safety plans.
For example, staff must tell the principal (or other member of the school leadership team) if there is a reasonably foreseeable risk to anyone because a student:
- displays violent behaviours
- is a victim or perpetrator of bullying, assault or age-inappropriate sexualised behaviours
- has emotional, wellbeing or self-harm issues.
The principal can then share relevant information using the ‘need to know’ framework. This might include sharing information with other staff who work with or supervise the student in some capacity.
As soon as a school staff member becomes aware of a risk of harm to any student, they must act on that information. They must share the information with other staff who ‘need to know’, even if the student or parent asks them not to share that information.
For more information, refer to Duty of Care.
Anti-discrimination law
Under anti-discrimination law, schools must make reasonable adjustments for students with disability. This applies regardless of whether a student is eligible for disability funding.
This means that relevant information about a student’s disability and their needs must be shared with all staff who work with or supervise that student.
Sharing of this information allows the school and staff to:
- understand the student’s disability and how it affects their learning, and social and emotional wellbeing
- understand all recommendations made by the student’s treating practitioners
- make informed decisions about what adjustments are reasonable
- implement the reasonable adjustments at school.
Sharing information may also be required to meet the duty of care to that student. For example, if a student has a medical condition and may need treatment at school.
‘Need to know’ examples
Here are some examples of when school staff should share information with other staff who ‘need to know’. Sharing of information helps schools to provide the best education and support to students while also meeting legal requirements.
These examples don’t describe all steps needed to fulfil legal obligations. Instead, they focus on the appropriate amount of information sharing required for staff to take the necessary steps.
In most cases, schools would need to take steps in addition to sharing information, such as:
- offering wellbeing supports
- sharing information and working with parents and carers
- reporting to relevant agencies and the department's Incident Support and Operations Centre (ISOC).
For guidance on dealing with incidents, refer to Managing and Reporting School Incidents (Including Emergencies).
Student displaying anti-social behaviour
A social worker is working with a student who is displaying anti-social behaviours and acting out.
Over several sessions the social worker learns the student often does dangerous things during lunch, such as climbing onto the school roof and jumping into the sandpit. The social worker tells the principal who then informs all staff due to the level of risk. This helps staff to make sure the student and others stay safe.
Refer to Student Support Services for information on how social workers support schools in assisting students facing barriers to learning.
Student with diagnosis of autism spectrum disorder with sensory sensitivity
A student with a diagnosis of autism spectrum disorder (ASD) experiences sensitivity to loud noises. The schoolyard is often quite noisy during lunchtime.
On a few occasions, the school has found the student trying to leave the school grounds. The student told staff that they were trying to go to the park across the road from the school where it is quieter for them.
The principal tells all school staff about this. This information helps staff to understand the situation and how to help if the student tries to leave without permission. As a result, staff have all the necessary information to keep the student safe.
For guidance on ways to support students with disability, refer to Students with Disability.
Student displaying problematic sexualised behaviour
A student has engaged in age-inappropriate sexualised behaviour with younger students. The school develops a safety plan to ensure the safety of all students.
The principal provides the safety plan to staff who undertake yard duty. These staff ‘need to know’ about the plan so they can take appropriate steps to protect students.
For further guidance, refer to Student Sexual Offending and Problem Sexual Behaviour.
Student victim of sexual assault
A student informs a social worker that they were sexually assaulted on the weekend by another student. The social worker advises the principal and they inform the relevant authorities.
The social worker and the principal develop a safety plan for the student who reported the assault. The staff also prepare a management plan for the other student involved and offer counselling support. The principal shares each plan with all staff who supervise the students to make sure the students are safe and supported at school.
For further guidance, refer to Student Sexual Offending and Problem Sexual Behaviour.
Student experiencing family violence
A student tells a Visiting Teacher (VT) that there is family violence in their home. The VT advises the principal that they have a reasonable belief that the student is at risk of physical abuse.
Together they make a mandatory report as outlined in Protecting Children – Reporting and Other Legal Obligations and Report child abuse in . The VT and principal share their concerns about the possible family violence with other staff who work with or supervise the student. This helps staff to continue to monitor the student and their safety.
For more guidance, refer to Family Violence Support.
Student who has attempted suicide
A student recently left the school grounds during school hours and attempted suicide at a nearby shopping centre. The student was taken to hospital and referred to mental health services for ongoing treatment.
The student’s mother informs the principal about the incident and asks the principal not to tell anyone else at the school. However, the principal decides to share this information with the wellbeing staff so that they can offer support to the student at school.
The principal also informs other staff who supervise the student so they can act quickly if the student goes missing during the school day. The principal explains the decision to the parent and the reasons for sharing the information.
For guidance on responding to an attempted suicide, refer to Self-Harm and Attempted Suicide Response.
Student with a diagnosis of severe language disorder
A speech pathologist receives a referral for a student from the school. The referral notes that the student seems to have limited vocabulary in the classroom based on the teacher’s observations.
After completing a language assessment, the speech pathologist diagnoses the student with a severe expressive language disorder and moderate receptive language disorder. They write a detailed report with recommendations to make reasonable adjustments for the student in class.
The report is given to the principal, who shares only the recommendations with the student's teachers. Additional details from the report aren’t shared unless necessary to implement the adjustments. The principal also sets up a process to share the student’s needs with any future teachers.
If other staff need to support the student, they access information about the adjustments. However, staff who don’t play a role in supporting the student won’t have access to the report or recommendations.
For information on how speech pathologists support schools, refer to Student Support Services.
Student with a diagnosis of conduct disorder
A parent gives the school a medical report showing their child has a diagnosis of conduct disorder. The report also includes recommendations for reasonable adjustments to help the student access their education.
The recommendations include:
- de-escalation strategies
- access to a calming space or wellbeing staff when necessary
- modifications to the curriculum.
The student’s Student Support Group discuss the report and develop an Individual Education Plan (IEP). The principal gives the report recommendations and IEP to the student’s classroom teachers and wellbeing staff. This helps the school to implement the reasonable adjustments for the student at school.
For information about IEPs, refer to Individual Education Plans.
Staff information
Staff information must be shared using the ‘need to know’ framework to allow other staff to carry out their job. This may include sharing necessary information with the relevant school, regional or central office staff.
Examples include:
- to recruit and pay staff
- support their health and wellbeing
- comply with the department’s legal obligations, policies and staff codes of conduct.
Privacy impact assessments
Overview
A privacy impact assessment (PIA) identifies and assesses the privacy impacts of any initiative or software that handles personal, sensitive or health information.
PIAs help schools identify privacy and security risks, evaluate compliance with Victorian privacy law and document ways to reduce risks. They also help schools identify important information to include in parent notifications.
When a PIA is needed
All software used by schools must meet child safety, privacy, records management and information security requirements.
A PIA is recommended if the school wants to use software not already provided by the department that:
- isn’t listed on Arc
- stores personal, sensitive or health information
- is identified as high risk.
Software may be high risk when it:
- holds sensitive or health information about students, parents or staff
- handles photos or videos of students
- offers cloud storage with limited security or allows insecure access through the internet or mobile devices
- allows remote access, video or teleconferencing, unmoderated or unsupervised chats
- allows users to share content publicly
- is a new and relatively unknown software that handles personal information.
For more information or clarification about whether a PIA needs to be conducted, please contact the Privacy team at privacy@education.vic.gov.au. By engaging with the Privacy team throughout the completion of the PIA, principals can make informed decisions when implementing software in their school.
For more information on requirements for school software, refer to the Technologies and ICT Services policy.
Before implementing any software, schools must refer to and follow the guidance in the Software and Administration Systems policy.
Conducting a PIA
The PIA template is best completed by the person in the school who is most familiar with the software or initiative. Vendors must not complete the PIA on the school’s behalf. However, staff can contact vendors to ask specific questions about security setup and functionality.
PIA templates
Pre-populated PIA templates are available for software commonly used in schools. Schools must adjust these and complete them to reflect how their school plans to use the software to meet their requirements.
Download the templates from Pre-populated PIAs (staff login).
For other software, download the PIA template (DOCX 145 KB, staff login).
Completing the template
The PIA template consists of:
- Part 1: Risk identification
- Part 2: Action list
- Part 3: Endorsement.
Part 1: Risk identification
Part 1 of the template is an analysis of the proposed software against the 10 Information Privacy Principles, covering each stage of the information life cycle (collection to disposal).
Things to consider at each stage of the information life cycle:
- Collection: What information is being collected. Is it all necessary? Is the school collecting new information or can existing information be used? Is a new collection statement or consent required?
- Use and disclosure: Does the use and disclosure of existing information fit the original collection purpose? Is there a reasonable expectation of the use and disclosure? Who will the information be shared with?
- Quality: How will the school keep the information current, accurate and complete?
- Storage and security: How will the school keep the information safe? Is the data stored outside of Victoria and, if so, will similar privacy protections apply?
- Disposal: Do any mandatory retention periods apply? How will information be returned, destroyed or permanently de-identified?
Part 2: Action list
Part 2 of the template is a list of actions the school must take to reduce any risks identified in Part 1. The department’s privacy team can help determine these in consultation with the school.
Part 3: Endorsement
Once Parts 1 and 2 are completed:
- Send it to the Privacy team to review. They may require changes before it can proceed.
- The principal’s endorsement is required once any changes are made. By signing the PIA, the principal accepts responsibility for the completion of the action list and any risks described in the PIA.
- Send the signed PIA back to a privacy officer who will also endorse it and acknowledge that the PIA has been completed in accordance with department policy and process.
It is important to note that the Privacy team don’t endorse any software. Instead, the Privacy team’s role is to review PIAs and offer recommendations and advice on ways to reduce risks.
Once the PIA is endorsed by all parties, schools must:
- keep the signed PIA with other project documentation (for example, security assessments and contracts)
- complete everything in the action list
- record any additional actions taken after the PIA was signed by adding a page after the endorsement section
- share a copy of the PIA with the School Council, if requested and with principal approval.
Privacy matrix
Some schools maintain a privacy matrix which is a list of all third-party software at their school that handles personal, sensitive or health information.
Using a privacy matrix is optional but it can be useful to help streamline notifications or communications to parents.
To start creating a privacy matrix, download the Privacy matrix template (XLSX 34 KB) (staff login required).
If help is required to complete the privacy matrix, please contact the Privacy team at privacy@education.vic.gov.au
Health information
Health information is a type of personal information and under Victorian law is defined as information or opinion about an identifiable person’s physical, mental or psychological health or disability. It has stronger legal protections because its inappropriate use and disclosure can cause greater harm to or discrimination against a person. Schools typically hold health information about students and other individuals.
Due to its high risk, extra steps must be taken to make sure the information has stronger protections in place. The exact levels of protection needed will depend on the circumstances.
Stronger or higher levels of protection may include:
- implementing tighter access controls
- getting valid consent
- using contracts with third parties.
When managing health information, schools must only collect, use and store what's essential to fulfil the purpose of collection.
Types of health information records
Examples of records that may contain health information are:
- Individual Education Plans, behaviour support plans and other learning or educational assessments
- health care information provided by allied health professionals
- Student Support Services (SSS) documentation and referrals
- health practitioner reports provided by parents to the school
- support plan forms that describe a student’s health and wellbeing
- applications and assessments for disability supports funding
- notes about student behaviour or wellbeing recorded in school systems
- information about medical appointments that show or suggest specific services or conditions.
Parents' and carers' rights and responsibilities
Parents and carers:
- must make sure the school has relevant health information about their child
- may choose to limit the release of information about chronically ill or critically injured children who are not currently attending school.
Collecting, using and sharing health information in schools
Schools must collect, use, store and share health information in line with relevant laws and departmental policy.
Collecting health information
Schools may collect student health information as needed to carry out their core functions.
When collecting this information, schools must collect the minimum amount needed to do their job. School staff must always exercise sensitivity towards the family's and student's needs.
When a parent/carer or mature minor student wants to limit the sharing of information, schools must inform them of:
- the school’s need to know the student’s health conditions and first aid requirements so plans for support can be in place
- how the school protects their personal and health information.
For guidance when collecting information, refer to Collection notices.
Schools can also request relevant information from authorised services under the Child and Family Violence Information Sharing Schemes.
Using and disclosing health information
Schools’ use and/or disclosure of health information must be limited to when:
- it is necessary to carry out school functions
- it is needed to lessen or prevent a serious threat to a person or the public’s health, safety or welfare
- a parent/carer or mature minor consents to the sharing of information
- sharing information outside the department is required or authorised by law.
For example, if a parent or carer consents (unless the disclosure is required by law), a school can share observations (not interpretations) of a student's behaviour with the student's medical/health practitioner to help them monitor and plan the student's health care.
For guidance on sharing information with other staff visit Sharing information.
For guidance on disclosing student information externally, visit Requests for Information about Students.
Health professionals
Health professionals must disclose student personal and health information when needed to ensure a student’s health, safety or wellbeing.
They must not disclose this information unless:
- parent/carer or mature minor consent is provided
- they legally have to or are authorised to under relevant laws or information sharing schemes.
If schools need to share health information and are unsure if it is allowed, contact the Privacy team by emailing privacy@education.vic.gov.au
Storing health information
Health information must be stored securely and access limited to only those who require it for one of the purposes described in using and sharing health information.
When storing health information schools must:
- minimise how much information is stored by only storing essential information or top-level summaries
- take extra care when storing it by considering who has access and whether access can be restricted through system permissions or secure storage locations
- document strict processes for granting and removing access to the information
- regularly review access to the information to make sure only the right people have access
- avoid keeping information for longer than needed in digital or physical systems.
In practice, this may look like:
- writing a summary of a student’s adjustments, such as listing ‘requires noise reducing headset’ rather than ‘Autism Spectrum Disorder’
- deleting or disposing of information after it is in an authorised recordkeeping system
- making sure health information is stored in system locations that only authorised staff can access.
Where to store health information
Department systems such as CASES21, SOCS or HART are recommended for storing health information. A school’s administration server may also be appropriate. For more guidance, refer to Software and Administration Systems.
If a school needs to use third-party software to store health information, it must meet security, privacy and records management requirements.
For guidance on the software assessment process, refer to Software and Administration Systems.
Before replacing or decommissioning any system storing health information, the records must be transferred from third-party software to the school.
Biometric information and technologies
Biometric information is a record of unique human physiological features or behavioural attributes. Some biometric information can also fall within the definition of health information under the Health Records Act 2001.
Biometric information can include a record of a person’s:
- face or facial dimensions
- iris scans
- finger and palm prints
- voice recordings
- health data such as heart rate and fitness metrics.
Biometric information scanning is increasingly used by organisations to confirm identity. Some new technologies even capture biometric information as part of their standard functionality.
For example, biometric characteristics can be scanned via:
- check-in kiosks using palm prints
- attendance devices that use facial recognition
- sport and health monitoring devices
- oral/language learning tools that capture voice recordings.
Use of biometric information
As biometric information is unique to the individual, it has an ongoing identifiable connection to the person. Therefore, schools must consider carefully before biometric technology is introduced and information from children, families and staff is collected and used. Biometrics can be seen as intrusive, whereas Victorian privacy law indicates that the least intrusive method should be preferred.
Privacy obligations do not prohibit the use of biometric technologies in schools. However, if considering using biometric information, schools must complete the following 4 steps first.
Step 1: Contact the Privacy team
Contact the Privacy team by emailing privacy@education.vic.gov.au
The Privacy team will help assess the benefits of the biometric technology prior to procurement. This will include comparing it to current practices and weighing them against potential risks.
Step 2: Check the software on Arc Software
Step 2 requires that schools check the software has been assessed on Arc.
If not, then schools will need to follow the process to request a security assessment and undertake a privacy impact assessment (PIA).
Step 3: Review contract terms and conditions with Privacy
If the security assessment and PIA have been completed and endorsed, the school and Privacy team need to review the contract of the biometric software to ensure it complies with departmental policies including:
- Schools' privacy
- Photographing, Filming and Recording Students
- Generative Artificial Intelligence policy.
Step 4: Consult the school community
At this point of the process, a comprehensive consultation process with the school community is required.
This includes consultations with:
- parents and carers
- students
- other members of the school community.
This could be done via a parent information evening or similar.
Photographs and video recordings in biometric applications
Some technologies, such as generative artificial intelligence, can use existing images, videos and audio recordings to create biometric information. This combines the risks inherent in both image/audio capture generally and biometric data, and should be avoided.
Information security
All school and corporate staff must take reasonable steps to protect personal and health information they create, handle or for which they have responsibility.
Schools must make sure that personal and health information is:
- stored securely
- protected from loss
- protected from unauthorised access, changes or sharing
- destroyed or disposed of according to department policies when no longer required.
Information and communication technology security policies
Several department policies guide how to use information and communication technology (ICT).
Information Security explains the requirements for protecting school information.
Software and Administration Systems outlines the requirements for schools before buying or renewing software contracts and when auditing existing software.
Portable Storage Device Security Policy (staff login required) explains how to protect portable storage devices that have sensitive or protected information.
Digital Technologies – Responsible Use policy explains how schools should help students to use technology safely and responsibly.
Procurement of ICT systems
When schools procure third-party systems, all legal obligations must be covered in the contract. For example, it should include requirements relating to privacy, data protection and records management.
For details, refer to Software and Administration Systems.
Privacy incidents
Defining privacy incidents
A privacy incident is any incident where there is a suspected or confirmed loss, inappropriate access, modification, use or disclosure of personal information.
Examples of privacy incidents include:
- emailing someone’s personal information to the wrong recipient
- misappropriation of staff login details to access a school administration system
- applying incorrect access controls to personal documents
- publishing sensitive documents online
- uploading student photos on social media without parental consent
- theft of a student file (electronic or hard copy)
- sharing information about a staff member’s health without consent.
If there is a data breach, loss or inappropriate sharing of information that doesn't include personal information, it is an information security incident, not a privacy incident.
For guidance on information security incidents, refer to Information Security.
When a privacy incident occurs
If a privacy incident has occurred, or may have occurred, schools must notify appropriate departmental teams so that they can assist. Schools can contact the Privacy team for advice at privacy@education.vic.gov.au
The school must also raise an eduSafe Plus report (staff login required) and ensure the school’s leadership team is informed.
If the incident involves a data breach, unauthorised access to systems or cyber-attack, schools can also report a cyber security issue (staff login required).
The Privacy team will help schools evaluate and respond to the incident, and will ensure other key departmental areas are brought in for relevant support.
Complaints
If someone is concerned about the way the department or a school has handled their own or their child’s personal information, they can make a privacy complaint. Privacy complaints can be directed to the Privacy team at privacy@education.vic.gov.au
For information, refer to Make a privacy .
Resources
Privacy on a page (staff login required)
- Privacy on a page for student health and wellbeing staff – Accessible version (DOCX 76 KB)
- Privacy on a page for casual relief teachers – Accessible version (DOCX 74 KB)
- Privacy on a page for school administration staff (DOCX 109 KB)
Training
Information for parents on school policies
- Department of Education privacy
- Schools’ privacy policy: information for
- Make a privacy complaint to the Department of
Collection notices
- Schools’ privacy collection
- Privacy reminder draft newsletter text (DOCX 72 KB) (staff login required)
- Notice – new software template (DOCX 55 KB) (staff login required)
- Notice – software in our school template (DOCX 58 KB) (staff login required)
- Collection notice generator (DOCX 76 KB) (staff login required)
Photographs, filming and consent
- Photographing, Filming and Recording Students
- Photographing, Filming and Recording Staff and other Adults
Privacy impact assessments
- Privacy Impact Assessment (PIA) template (DOCX 145 KB) (staff login required)
- Privacy Matrix (XLSX 34 KB) (staff login required)
Incidents and complaints
Useful links
Reviewed 20 May 2020