The New Privacy Laws & Australian Privacy Principles
19/02/14
On 12 March 2014 substantial changes to Australia’s existing Privacy laws will commence, which will affect how Non-Government Schools (“Schools”) handle personal information. These new laws introduce 13 Australian Privacy Principles (APPs) with which Schools must comply.
The new laws will apply to Schools unless they qualify for the small business exemption, that is, they have an annual turnover of $3 million or less and do not provide a health service. A School that holds health information about students (for example, medical or counselling records) and provides a health service is covered regardless of its turnover. The new laws do not apply to state and territory government schools.
The APPs introduce new obligations which include stricter rules on sending personal information overseas, complaints handling procedures, the use of personal details for direct marketing, the security of personal information and the treatment of unsolicited personal information.
A central feature of the new laws is that Schools must have procedures, practices and systems, integrated within their organisational governance framework, to ensure compliance with each of the 13 APPs (Compliance Program) and to manage privacy queries and complaints (Complaints Handling Program). This requirement is referred to as “Privacy by Design”.
The new laws will require Schools to have a documented Privacy Program in place which sets out clearly the why (why do you need to comply); the what (what do you have to do); the how (how you comply with each of the 13 APPs); the who (who is responsible for particular parts of privacy compliance); and the when (when and at what frequency do things need to be done).
The new laws will also require Schools to publish a clearly expressed and up-to-date disclosure statement (referred to as a Privacy Policy) that spells out the kinds of personal information they collect and hold, how they collect and hold that information, the purposes for which they use and disclose it, how individuals may access and seek correction of their information, and how they may complain about a breach of the APPs.
Also central to compliance, Schools must ensure that supporting systems and procedures are in place. These include the ICT and physical security controls required by the security principle (APP 11), under which a School must take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure, and to destroy or de-identify information it no longer needs. They also include human resources policies covering workplace surveillance, email and internet monitoring and social media usage, and, of course, staff training.
The Privacy Commissioner will have expanded powers under the new laws, including the ability to conduct Performance Assessments of Schools to determine whether they are handling personal information in accordance with the 13 APPs.
The Privacy Commissioner will be able to accept enforceable undertakings from a School, or apply to the courts for civil penalties of up to $1.7 million for companies or $340,000 for individuals for serious or repeated breaches of the Privacy Act.
To prepare for these changes, Schools should conduct a Personal Information Management Audit, document their Privacy Program and ensure that they publish a new Privacy Policy on their public website no later than 12 March 2014.
Failure to establish and effectively implement procedures, practices and systems to comply with the new Privacy laws presents a significant risk for a School. Reputational damage is an obvious consequence, in the event that a School community discovers that a School’s board and executive were either unaware of the School’s privacy obligations, or simply chose to ignore them.
Ten Steps to Ensuring Privacy Compliance are set out at the end of this briefing paper.