This document provides an overview of privacy obligations for staff at the Department of Education. It discusses laws and guidelines around privacy including the Privacy and Personal Information Protection Act 1998, Government Information (Public Access) Act 2009, and Health Records and Information Privacy Act 2002. It defines personal and sensitive information and outlines rules for collecting, using, storing and disclosing personal data. Specific roles that commonly deal with personal information like data analysts, HR staff and administrators are discussed. Aggregate versus unit-level data and releasing information is also covered.
2. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
Understanding privacy obligations is important for all staff
The Department of
Education collects and
manages a vast amount
of information, much of it
personal information
about its staff, students
and parents. As an
employee, it is vital that
you understand how to
work with this
information.
2
3. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
Which laws, regulations and guidelines set out Information
Access and Privacy protocols?
3
Privacy and
Personal
Information
Protection Act
1998 (PPIP)
Government
Information
(Public Access)
Act 2009 (GIPA)
Health Records
and Information
Privacy Act
2002 (HRIP)
GIPA Act
Regulations
Agency Privacy
Management
Plans (PMP)
Privacy codes of
practice
Commissioner’s
guidelines
4. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
What is personal information?
4
Personal information is
information or an opinion
about an individual.
The individual’s identity
needs to be apparent or
reasonably ascertainable.
5. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
Sensitive and Health Information are types of personal
information that require extra protection
5
Sensitive Information
“Ethnic or racial origin, political
opinions, religious or philosophical
beliefs, ATSI status, country of birth,
LBOTE and chosen/preferred SRE
class”
(s.19(1) PPIP Act)
PPIPA
Privacy and Personal Information
Protection Act 1998
Health Information
Information about an individual’s
health, disability or health services
(s.6 HRIP Act)
HRIPA
Health Records and Information Protection
Act 2002
Note: The extra protection categories do not mean that these types of personal information can never be
collected, used or disclosed. They just have tougher rules, so extra care is needed with these categories.
6. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
Collecting personal information is regulated by rules known as
Privacy Principles
6
The information must:
1) Fulfil a lawful purpose
2) Be relevant
3) Be accurate
It must not:
1) Be excessive
2) Be intrusive to an unreasonable
extent on the personal affairs of the
subject
EXAMPLE
Enrolment data, such as names,
addresses, medical information, etc. is
clearly authorised by the Department’s
governing and other legislation for the
purpose of operating schools effectively
and safely.
7. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
Personal information should only be used for the primary
purpose for which it was collected, unless:
7
The person has
consented
Where authorised
or required by
another law
It is for a directly
related secondary
purpose within
their reasonable
expectations
To deal with a
serious and
imminent threat to
any person
8. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
Questions we must ask when collecting and using personal
information include:
8
Is it reasonably necessary to
include this particular data?
If the Department received a
complaint about breaching
privacy, could we reasonably
argue that the use or disclosure
was necessary for us to do our
core business?
Is this data ‘directly related’
to my work?
9. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
Any information collected by the Department can only be
used for limited purposes
9
Operational (School-level)
• Allocation of classes
• Determining demand for special religious
education classes
• Arranging for interpreters when needed
for parent teacher interviews
• Managing students with safety risks
e.g. allergies
Strategic (Departmental-level)
• The calculation of the family occupation
and education index (FOEI) for each
school.
• The allocation of resources for each
school.
For example: Enrolment data is collected for a primary purpose, which is to
enrol a student. However, there are a range of directly related secondary
purposes for which that data can be used, such as:
10. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
When collecting data, it is important that we tell people
how we will use their information
10
• General student administration
relating to the education and
welfare of the student.
• Communication with students
and parents or carers.
• To ensure health, safety and
welfare of students, staff and
visitors to the school.
• State and National Reporting
purposes.
11. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 11
It allows staff to be aware of what data we have.
The Business Unit knows who to go to for help or access to
certain information.
The privacy status for the dataset is made explicit.
It identifies whether general release to the public is allowed (at
an aggregated level, for instance).
The Department’s Information Asset Register tells us what
data we have and how we are protecting it
12. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
Some roles are more likely to deal with personal information
on a daily basis
12
Data Analysts
People and Services Staff
Hiring Managers
13. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
Another role who may come across personal information is an
Administration Support Officer
13
When dealing with data I must
follow the appropriate steps:
• Only use data relevant to my
task (e.g. email addresses
rather than survey responses).
• Ensure I only use data for the
purpose for which it was
collected.
• Make sure the data isn’t saved
somewhere where it can be
accessed by anyone outside the
team responsible for it.
14. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
Recruitment also requires us to work carefully with personal
information
14
A reminder: Do not put confidential or personal documents in the recycle box. It must be shredded first.
.
After receiving applicants’
resumes and identification
documents we:
• Must secure personal
information – lock these away.
• Should dispose of them by
shredding them once the
recruitment process is finished.
• Must not disclose any personal
information about the
candidates to other people
who are not part of the
recruitment process.
15. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
The GIPA Act establishes a
proactive, more open
approach to gaining access
to government
information in NSW. This is
to ensure Government is
open, accountable, fair
and effective.
As part of The Government Information (Public Access) Act
2009 there is a presumption that data can be made readily
available if needed
15
http://www.ipc.nsw.gov.au/gipa-act
Data released under
GIPA is still subject to a
privacy test.
The GIPA Act
• Authorises and encourages the proactive release of
information by NSW public sectors.
• Gives members of the public a legally enforceable
right to access government information.
• Ensures that access to government information is
restricted only when there is an overriding public
interest against release.
16. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
Bradley Cooper’s taxi ride: a lesson in privacy risk.
16
http://www.salingerprivacy.com.au/2015/04/19/bradley-coopers-taxi-ride-a-lesson-in-privacy-risk/
• Salinger Privacy produced
an article on privacy risks
and ‘open data’.
• Bradley Cooper’s taxi ride
is a useful reminder of the
risks of re-identification of
data.
17. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 17
We can disclose personal information outside the
Department if:
It is authorised or
required by another
law.
It is under another
exemption, such as law
enforcement, research,
etc.
The information is not
“sensitive information”
(ethnicity, religion, etc),
and disclosure is for the
primary purpose for
which it was collected.
We have the consent of
the individual.
18. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
We can disclose personal information outside the Department
18
When it is: Sensitive info Health info Other personal info
with their consent
for the purpose for
which it was collected
for a directly related
secondary purpose
(within expectations)
for the purpose you
notified them about
authorised or required
by another law, or
another exemption
19. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
AGGREGATE DATA
• Aggregate data: summary
information, for example, data on
schools in remote areas, broken
down by school year, gender and
Indigenous status.
• Even with aggregate data, there is a
risk that individual students or
teachers could be identified from
the data. Safeguards must be
applied in such cases, with
strategies to ‘anonymise’ the data.
19
UNIT RECORD DATA
• Unit Record data: about a unique
individual contains details that
allows an individual to be
identified, such as names, or a
Student Registration Number.
Types of data we deal with:
20. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
How the data we deal with can be released:
20
AGGREGATE DATA
• Aggregate data is released on the
basis that:
1. No information that permits the
identification of individuals is
released
2. Data released is valid and reliable
3. It is of high quality
UNIT RECORD DATA
• Unit record data may only be
released on the basis that it:
1. Complies with privacy principles
that says we can disclose personal
information.
21. CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU
More information or assistance
Personal Information and Privacy Protection Act 1998 (PIPPA)
http://www.legislation.nsw.gov.au/inforcepdf/1998-133.pdf?id=1db809e7-46ab-44c1-bce5-d12f0058a002
Health Records and Information Privacy Act 2002 (HRIPA)
http://www.austlii.edu.au/au/legis/nsw/consol_act/hraipa2002370/
Department of Education Privacy Management Plan
https://www.det.nsw.edu.au/media/downloads/reports_stats/privacy/privacy-management-plan-march-2014.pdf
Department of Education Privacy Code of Practice
http://www.dec.nsw.gov.au/documents/15060385/15385042/Privacy_code.pdf
Department of Education Privacy & Information Access Resources
Information Access - https://detwww.det.nsw.edu.au/lists/directoratesaz/legalservices/foi/index.htm (see also link to website)
Privacy - https://detwww.det.nsw.edu.au/lists/directoratesaz/legalservices/ls/privacy/index.htm
http://www.dec.nsw.gov.au/about-us/plans-reports-and-statistics/privacy
Privacy Bulletin - https://detwww.det.nsw.edu.au/media/downloads/directoratesaz/legalservices/ls/privacy/bulletins/bulletin3.pdf
Government Information (Public Access) Act 2009 (GIPAA)
http://www.legislation.nsw.gov.au/maintop/view/inforce/act+52+2009+cd+0+N
21