education.vic.gov.au

School operations

Records Management

Chapter 3: Records that must be restricted

Schools must support openness and transparency by ensuring staff have access to the records they need to perform their duties, and only restricting records to meet legislative requirements, regulations, or policies, such as privacy laws.

Access to records that contain personal, sensitive, health or confidential information must be restricted, and only shared with staff on a ‘need to know’ basis. This helps to protect personal information from misuse, loss and unauthorised access, modification, disclosure, or any harm that may arise.

For example:

  • student health and wellbeing records must be restricted, and access controlled because they contain students’ health/personal information. Records containing health information require a higher level of protection – refer to the health information guidance page
  • personnel records must be restricted, and access controlled because they contain personal, sensitive, health or confidential information about staff.

Schools must annually review:

  • users of school administration systems and ensure that only authorised users have access, as per the End of all terms checklist (staff login required)
  • open-access folders in systems and sites (including the school’s website) for any records with personal or sensitive information and remove them immediately. Open access folders are folders without any access controls, and such folders must not be used to store personal or sensitive information.

If schools find personal or sensitive information exposed in open-access folders, they must immediately secure it and then advise the Privacy Team at privacy@education.vic.gov.au, as such instances may constitute a breach and must be assessed for privacy risk and risk of harm. The Privacy Team will assist with this and any other remediation actions in accordance with relevant policy and legislation.

The following policies provide further supporting information to inform decisions about access to information and records:

Includes information about restricting records that contain personal, sensitive, health or confidential information

Reviewed 04 October 2024
