Legal challenges with privacy in education sector

Barrister Kathryn Dalziel discusses how the issue of privacy is a constant concern to educators, with reference to Information Privacy Principles and the Privacy Bill which is at the Select Committee stage in the New Zealand Parliament. It is important for schools to foster a culture of privacy, but this is not easy, she writes. 

Kathryn Dalziel

Privacy is an issue that comes up all the time in education. There are many issues, including reporting to parents/guardians/caregivers; publishing student information; third-party provider access to student information; developments in information technology; school photos; and sharing of information by school counsellors.

It is important for schools to foster a culture of privacy, but this is not easy. Schools operate within a community and information needs to be shared within that community to enable teachers to identify learning needs and teach to those needs. It seems antithetical to develop a culture of privacy within a community that shares information.

In this article, I will cover the privacy principles or guidelines that we find in the Privacy Act 1993 (“the Privacy Act”) and their application to issues in schools. I will then give a quick summary of the Privacy Bill which has passed its first reading and is currently with select committee. In conclusion, my view is that a culture of privacy is consistent with a community that shares information, like schools. Privacy is about whakaute (respect) and that is what schools are about as well.

Information Privacy Principles

The principles or guidelines which help schools and other agencies develop a culture of privacy are set out in s7 of the Privacy Act.

Principles 1-4 are the collection principles. In summary, schools should:

    • only collect personal information they need to know (principle 1);
    • try to collect personal information from the person concerned (principle 2);
    • be transparent about what they do with personal information (principle 3); and
    • be fair about collecting personal information (principle 4).

When you look at the purposes of schools, it is clear that schools need to collect a lot of personal information. The test, when collecting information from students or their families/whanau/caregivers, is whether or not the school would refuse a student enrolment or access to school services if a particular question is not answered. If the question does not matter to enrolment or participation, then it is an optional question.

There are a number of exceptions to principle 2 which recognise that sometimes the individual concerned is not the best person to provide information. For example, schools do need to collect personal information of their students from families/whanau/caregivers and that is acceptable.

Transparency is really important. Schools should have clear privacy statements that tell students and their families/whanau/caregivers how information is used and who has access to it.

Fairness when collecting information makes sense. Schools will develop a good trust relationship with students and their families/whanau/caregivers if they are courteous, respectful, and fair when collecting personal information.

The other principles also provide practical tips. Schools should:

    • keep information secure from unauthorised use, loss or disclosure (principle 5)
    • let people see their personal information (principle 6)
    • correct personal information if it is wrong (principle 7)
    • check personal information for accuracy before using it (principle 8)
    • only keep personal information for as long as it is needed (principle 9)
    • only use personal information for the purposes collected (principle 10)
    • not share personal information with third parties unless lawful (principle 11)
    • use personal identification numbers properly (principle 12)

In practical terms, schools need good systems for security of personal information. They also need to have good processes to handle requests for access to personal information and requests for correction of personal information. Schools need to self-check that information is being looked after: it is tempting when there is a large data set to start using it for something else. Trust could be lost if schools start using information for another purpose or there is a data breach.

Disclosure of information to third parties is a big issue. Firstly, the Privacy Act is subject to all other legislation, so if a school is required to share information by another law, then this is fine. There are also exceptions to principle 11 which will allow disclosure in certain circumstances; otherwise, schools should not be sharing information outside of the school. A good example of an exception is where disclosure is one of the purposes for collecting information. If this purpose has been notified under principle 3, then principle 11 allows disclosure.

Principle 12 emphasises that students are people and not a number. Unique identifiers may be used but they cannot be the same as another unique identifier from another agency.

The Privacy Bill

The Privacy Bill retains and tidies the Privacy Act’s privacy principles. The changes will not affect the way schools should be adopting the principles now. There are some other changes worth noting for schools:

    • mandatory reporting of privacy breaches;
    • the Privacy Commissioner will be able to issue compliance notices that require a school to do something, or stop doing something, in order to comply with privacy law;
    • it will be an offence to mislead a school in a way that affects someone else’s information;
    • it will also be an offence to knowingly destroy documents containing personal information where a request has been made for it; and
    • the Privacy Commissioner will be able to make binding decisions on access requests.

Conclusion

None of the privacy principles should be a surprise: collect personal information in a fair and proper way, look after it, use it properly and check it for accuracy; let people see their information and correct it if it is wrong; and always relate to a student as a person, not a number.

This is obviously about respecting individuals so that they can function within a community safely. If individuals are respected, then this builds relationships of trust and confidence. If individuals feel trust and confidence in their community, that community will flourish.

Privacy is not the only way of making individuals feel part of the community. However, it is a very good start and there is helpful guidance in the Privacy Act on how to put this into practice.

Kathryn Dalziel is a barrister at Walker Street Chambers, specialising in civil litigation, employment and privacy law. In a career that spans over 30 years, Kathryn has worked as a barrister and solicitor, a senior crown prosecutor, a lecturer in the University of Canterbury School of Law, and a partner in a boutique inner city law firm. Kathryn has written ‘Privacy in Schools’ and has contributed to ‘Health Care and the Law 4th Ed’, and ‘Ethics, Professional Responsibility and the Lawyer, 3rd Ed’. Kathryn regularly presents papers at legal seminars and conferences and she is on a number of charitable Boards including St John of God Hauora Trust Board, and the Isaac Theatre Royal Charitable Foundation Board.

Contact Kathryn at kathryn@kathryndalzielbarrister.co.nz or connect via LinkedIn or Twitter