The Privacy Act 1988 (Cth) (Privacy Act) is a Commonwealth Act that regulates the collection, storage, use and disclosure of different types of personal information by:
- Commonwealth and Australian Capital Territory government agencies
- private sector organisations with turnovers of over $3 million.
Non-government schools and systems (schools), which includes Catholic Schools, must collect, use, disclose and store personal information and health information according to the Privacy Act.
In order to carry out its function, each Catholic school is required to collect relevant personal information (which may include health information) about students, parents, carers, potential employees, contractors and volunteers.
Australian Privacy Principles
A key component of the legislation is the mandatory requirement for a school to comply with the Australian Privacy Principles (APPs).
A summary of the APPs most relevant to schools includes:
- APP 1 – Open and transparent management of personal information: this requires schools to have a publicly available Privacy Policy and practices and procedures to ensure they comply with the APPs.
- APP 3 – Collection of solicited personal information: this limits the personal information a school can collect to personal information necessary for its functions or activities.
- APP 5 – Notification of the collection of personal information: schools must take reasonable steps to notify an individual of the circumstances and purposes of the collection of personal information, amongst other things.
- APP 6 – Use or disclosure of personal information: schools should use or disclose personal information only for the purpose it was collected (called the ‘primary purpose’), or for a secondary purpose if an exception applies. Such exceptions include being required or authorised by law to disclose the information, to lessen or prevent a serious threat to life, health or safety, or for an enforcement related activity.
- APP 12 – Access to personal information: schools must provide access to an individual’s personal information, but there are exceptions, for example where giving access would pose a serious threat to health or safety or would have an unreasonable impact on the privacy of others.
- APP 13 – Correction of personal information: schools must correct personal information if informed or aware of an error. A correction could mean making sure the information is complete, up-to-date, accurate, relevant or not misleading.
Notifiable Data Breach Scheme
Catholic schools are also required to report notifiable data breaches (also known as eligible data breaches) to the Office of the Australian Information Commissioner (OAIC) and to affected individuals.
A data breach occurs where personal information is lost, misused, stolen or is accessed without authority.
An eligible data breach is a data breach that is likely to result in serious harm to one or more individuals. When a school becomes aware of an eligible data breach, it will usually have 30 days to notify the OAIC and affected individuals, but must, as soon as possible, take any action necessary to mitigate harm or prevent the likely risk of serious harm.
Catholic Schools New South Wales (CSNSW) must also comply with the APPs and the notifiable data breach scheme.
Need help?
The National Catholic Education Commission (NCEC) and Independent Schools Australia (ISA) jointly publish the Schools Privacy Compliance Manual, which contains detailed information about the APPs, notifiable data breaches and other privacy related issues relevant to schools.
The information contained on this website is of a general nature only and does not constitute legal advice. There may be other obligations imposed on schools in relation to privacy and confidential information. If your school needs further help with a privacy related issue, you can also contact the Catholic Schools New South Wales Legal Hotline:
- Call 1800 4CSNSW (1800 427 679).
School Photography Guidelines
- Visit our page on the sharing of photos and videos in schools.