Over the last few years, schools have had to deal with a raft of new legislative compliance schemes.
One of the more recent is the Notifiable Data Breaches scheme. Schools hold quite extensive data on students, staff and parents and now need to be across their responsibilities in this area.
The Australian Privacy Principles (APPs) are legally binding under the Privacy Act and concern the collection, holding, accessing and correction of personal information.
As APP entities, schools must implement systems to comply with the APPs and to permit enquiries or complaints to be dealt with internally. For instance, APP 1.3 requires schools to have a clearly expressed and up to date privacy policy that deals with their management of personal information.
A breach of an APP in relation to the personal information of a student may be an “interference with the privacy” of that student and lead to claims against the school and an investigation by the Information Commissioner.
Personal information
Schools are unique in terms of the nature and extent of personal information they hold about their students.
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not, and
- whether the information or opinion is recorded in a material form or not.
It also includes sensitive information and health information, such as a person’s race and ethnic origin, sexual orientation and practices, physical and mental health, and opinions on medical or mental health.
The type of personal information collected by schools about their students includes:
- name, address, contact details
- medical information such as allergies, diagnoses, medication
- disability or learning difficulties
- counselling records – personal matters affecting the students (including about their parents and peers) and abuse details, and
- psychological assessments dealing with mental health issues and medication.
Notifiable Data Breaches scheme
The Notifiable Data Breaches scheme commenced on 22 February 2018. It requires entities covered by the APPs, such as schools, to notify the Australian Information Commissioner about eligible data breaches and the persons whose information is the subject of the breach.
An eligible data breach happens if any of the following occurs to personal information held by an organisation, such as a school:
- there is unauthorised access to the information
- there is unauthorised disclosure of the information
- there is loss of the information,
and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
In the context of a data breach, serious harm to an individual may include serious physical, psychological, emotional, financial, or reputational harm. It is harm that should be assessed in light of such matters as: the kind of personal information involved in the data breach; the sensitivity of information; the persons to whom the information might be disclosed; or the nature of the harm that the individual might suffer.
A student might also be reasonably expected to suffer some form of psychological or emotional harm if sensitive medical information about them was subject to unauthorised access or disclosure.
A parent who has provided contact details to the school but who is keeping it secret from a former abusive partner could also suffer serious emotional harm if the contact details were accidently included on a class list.
So how do data breaches occur?
The Office of the Australian Information Commissioner (OAIC)publishes statistical information about notifications received under the Notifiable Data Breaches scheme to assist entities and the public to understand the operation of the scheme and the causes of data breaches. The most recent report concerns the period 1 April – 30 June 2019.
During this period the OAIC received a total of 245 notifications (the average quarterly number of notifications up to that period was 242). The data breaches predominantly came from two sources:
• 62% from malicious or criminal attack (being 151 data breaches), and
• 34% from human error (being 84 data breaches).
The private education sector was the fourth largest sector, with 9% of reports.
The largest source was from breaches from malicious or criminal attacks – those that were deliberately crafted to exploit known vulnerabilities for financial or other gain. The vast majority of cyber incidents (79%) were linked to compromised credentials, either through phishing, by unknown methods or by brute force attack.
Many incidents exploited vulnerabilities involving a human factor, such as individuals clicking on a phishing email (emails that ask for personal information under the guise of being a legitimate email from a legitimate organisation) or the use of credentials that have been compromised or stolen by other means to obtain unauthorised access to personal information.
The second largest source of data breaches was human error, such as:
• sending personal information to the wrong recipient via email (35%)
• unauthorised disclosure through the unintended release or publication of personal information (18%), and
• loss of paperwork or data storage devices (12%).
It was noted that some data breaches can affect larger numbers of people. For instance, the OAIC reported that the failure to use BCC (blind carbon copy) when sending emails impacted an average of 601 individuals per breach.
By way of example, in June 2019 it was reported that Nagle Catholic College sent a warning letter to parents after the school was targeted by a cyber security attack. Someone mistakenly opened a link in an email that was sent to the college. This permitted the hacker to access parent bank account details being held by the college. The college advised that it was working with cyber security experts to mitigate and address the breach.
It was reported that the principal wrote to the parents of the school to express his deep regret for the data breach and noted that the attack was “highly sophisticated”.
In August 2018 the Education Department investigated a privacy breach that resulted in the accidental online publication of student’s personal records at Strathmore Secondary College. The data breach involved the publication of more than 300 students’ records on the school’s intranet which included information about medical and mental health conditions, medications, and learning and behavioural difficulties.
It was believed that human error was behind the publication. The principal of the college is reported to have said:
“I was shocked and disappointed to learn that this information was incorrectly uploaded to our intranet. I am so sorry for the distress and hurt this has caused our students and their families.”
It was also reported by the OAIC that ransomware made up 8.57% of attacks. Ransomware is a type of malicious software designed to block access to a computer system or computer files until a sum of money is paid. This software will encrypt the files on the affected computer, making them inaccessible.
Remedial action
If a school has reasonable grounds to believe that an eligible data breach has occurred, it must notify the commissioner and the individuals to whom the information relates.
However, if remedial action is able to be taken by the school before any serious harm is likely to be caused to an individual then the access or disclosure is not an eligible data breach and does not have to be reported to the OAIC.
It is still a data breach – but it is not an eligible data breach.
For example, if a teacher reported that he had taken home but lost a student file, and the file contained the student’s ILP with details of his psychological history and assessment, there is a potential eligible data breach.
If the file is found in a place where no one else had access to it, then there is no unauthorised access or disclosure and no likelihood of serious harm to the student. However, if the file was found on the bus, and was returned through various people, the loss would be an eligible data breach if the student would likely suffer serious harm because of the disclosure of his sensitive personal information.
Notifying individuals
If a school does experience an eligible data breach, and it is practicable to do so, it must take such steps as are reasonable in the circumstances to notify each individual to whom the information relates or each individual who is at risk from the eligible data breach.
If this cannot be done, the school must publish information about the breach on its website and take reasonable steps to publicise the breach so that it comes to the attention of the relevant individuals.
Consequences
The consequences for a school that experiences a notifiable data breach can extend well beyond having to report. It can include reputational damage and adverse publicity.
Further, the OAIC may investigate whether the school has sufficient processes in place to comply with the APPs. It might also exercise its enforcement powers, such as requiring the school to enter into enforceable undertakings to compel compliance with the Privacy Act and, in extreme cases, seek fines through the courts.
The breach may also result in claims from affected persons for compensation for an interference with their privacy.
The consequences may also be serious for any staff member who was responsible for the breach or who failed to advise the school of the breach on a timely basis so that the school was unable to take effective remedial action. It may put their employment at risk and, if they are teachers, result in their conduct being reported to Victoria Institute of Teaching or other relevant authority.
The role of everyone employed in schools is therefore critical to ensuring compliance with the Privacy Act and in preventing the potential adverse consequences of an eligible data breach of student information.
This article is an extract of the presentation given by Steven Troeth at the annual Australia and New Zealand Education Law Association (ANZELA) Conference in Melbourne in October 2019. Troeth is a solicitor and partner at Gadens Law.