Schools' privacy policy (2023)

The Department of Education and Training (the Department) values your privacy and is committed to protecting information that schools collect.

All staff including contractors, service providers and volunteers of the Department, and all Victorian government schools (schools), must comply with Victorian privacy law and this policy.

In Victorian government schools, the management of ‘personal information’ and ‘health information’ is governed by Privacy and Data Protection Act 2014 (Vic) and Health Records Act 2001 (Vic) (collectively, Victorian privacy law). In addition, the Department and Victorian government schools must comply with the Victorian Data Sharing Act 2017.

This policy explains how Victorian government schools collect and manage personal and health information, consistent with Victorian privacy law and other associated legislation.

Definitions

Personal information is recorded information or opinion, whether true or not, about a person whose identity is apparent, or can reasonably be ascertained, from the information. The information or opinion can be recorded in any form. A person's name, address, phone number and date of birth (age) are all examples of personal information.

Sensitive information is a type of personal information with stronger legal protections due to the risk of discrimination. It includes information or opinion about an identifiable person’s racial or ethnic origin, political opinions or affiliations, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, criminal record, or membership of a trade union.

Personal and sensitive information is regulated in Victoria under the Privacy and Data Protection Act 2014 (Vic).

Health information is information or opinion about an identifiable person’s physical, mental or psychological health or disability. Health information is a type of personal information which, because of its sensitivity, also has different and stronger legal protections.

Health information is regulated in Victoria under the Health Records Act 2001 (Vic).

Note: De-identified information about individuals can become personal information if it is re-identified or if it is at high risk of being re-identified, for example, if it is released to the public or is a small sample size.

What information do we collect?

Schools collect the following types of information.

• Information about students and their families provided by students, their families and others – for example, contact and enrolment details, health information, and parenting and access arrangements.
• Information about job applicants, staff, volunteers and visitors provided by job applicants, staff members, volunteers, visitors and others – for example, qualifications, working with children checks, teacher registration and banking details.
• Information about the activities of students, staff and families if they are on school grounds (for example captured through CCTV) or using school or departmental systems (such as school networks or school-acquired software).

How do we collect this information?

Schools collect information in a number of ways, including:

• in person and over the phone: from students and their families, staff, volunteers, visitors, job applicants and others
• from electronic and paper documentation: such as job applications, emails, invoices, letters, and forms (such as enrolment, excursion, medical, specialist or consent forms)
  
• through school websites and school-controlled social media
• through online tools: such as apps and other software used by schools
• through any CCTV cameras located at schools
• through photographs, film and other recordings
• through polls, surveys and questionnaires
• and, in some cases, through authorised information sharing arrangements with other services.
  

Collection notices

Schools provide families with a privacy collection notice (also known as a collection statement or privacy notice) on enrolment and on an annual basis to communicate:

• the reason for collecting information about families and students
  
• how the information is used and disclosed
• how to access, update and correct the information.

Schools may also send out ad hoc collection notices during the year, for example if they are adopting new technologies or processes.

Consent processes

Consent is when someone voluntarily agrees for their information to be collected, used and/or shared within or outside the school or the Department.

Consent, when required, is sought in different ways and can be verbal, online or in writing, depending on the circumstances. There are many consent processes that may be applied during the school year.

Some consents are annual, for example the yearly photography consent process, while some will be for a specific purpose such as to collect information for a school event or use of a new software application.

When seeking consent for photographing students, schools apply the Photographing, Filming and Recording Students Policy.

Health services conducted in schools use specific consent forms, which include consent for use and disclosure of health information. For example, schools use the Student Support Services consent form (pdf - 314.5kb) to access these services for students.

Unsolicited information about people

Schools may receive information about you that they have taken no active steps to collect. If permitted or required by law, schools may keep records of this information. If not, they will destroy or de-identify the information when practicable, lawful and reasonable to do so.

Why do we collect this information?

Primary purposes of collecting information about students and their families

Schools collect information about students and their families when necessary to:

• educate students
• support students’ social and emotional wellbeing, and health
• fulfil legal requirements, including to:
  • take reasonable steps to reduce the risk of reasonably foreseeable harm to students, staff and visitors (duty of care)
  • make reasonable adjustments for students with disabilities (anti-discrimination law)
  • ensure, as far as is reasonably practicable, the health and safety of people in school workplaces (occupational health and safety law)
    
• enable schools to:
  • communicate with parents about students’ schooling matters and celebrate the efforts and achievements of students
  • maintain the good order and management of schools
• enable the Department to:
  • ensure the effective management, resourcing and administration of schools
  • fulfil statutory functions and duties
  • plan, fund, monitor, regulate and evaluate the Department’s policies, services and functions
  • comply with reporting requirements
  • investigate incidents in schools and/or respond to any legal claims against the Department, including any of its schools.
    

  (Video) GDPR explained: How the new data protection act could change your life

Primary purposes of collecting information about others

Schools collect information about staff, volunteers and job applicants:

• to assess applicants’ suitability for employment or volunteering
• to administer employment or volunteer placement
• for insurance purposes, including public liability and WorkCover
• to fulfil various legal obligations, including employment and contractual obligations, occupational health and safety law and to investigate incidents
• to respond to legal claims against schools/the Department.
  

When do we use or disclose information?

Using and/or disclosing information refers to how it is utilised for a specific purpose, and how it is shared and/or made available to other individuals or organisations.

Schools use or disclose information consistent with Victorian privacy law and other associated legislation, including as follows:

• for a primary purpose – as defined above
  
• for a related secondary purpose that is reasonably to be expected – for example, to enable the school council to fulfil its objectives, functions and powers
  
• with notice and/or consent – for example, consent provided for the use and disclosure of enrolment details (the information collected will not be disclosed beyond the Department without consent, unless such disclosure is lawful)
  
• when the Department reasonably believes it is necessary to lessen or prevent a serious threat to:
  • a person’s life, health, safety or welfare
    
  • the public’s health, safety or welfare
    
• when required or authorised by law – including as a result of our anti-discrimination law, occupational health and safety law, child wellbeing and safety law, family violence law, or reporting obligations to agencies such as the Department of Health and the Department of Families, Fairness and Housing and complying with tribunal or court orders, subpoenas, summonses or search warrants, and in some circumstances to meet our duty of care
• when required under the Child and Family Violence Information Sharing Schemes, with other Victorian schools and Victorian services to promote the wellbeing or safety of children, or to assess or manage family violence risk
• to investigate or report suspected unlawful activity, or when reasonably necessary for a specified law enforcement purpose, including the prevention or investigation of a criminal offence or seriously improper conduct, by or on behalf of a law enforcement agency
• as de-identified information, for research or school statistics purposes, or to inform departmental policy and strategy
• to establish or respond to a legal claim.
  

Unique identifiers

The Department assigns a unique identifier to every Victorian government school student in its student records system to enable schools to carry out their functions effectively. In addition, the Department uses a unique Victorian Student Number (VSN) assigned to each student by the Victorian Curriculum and Assessment Authority (VCAA) when they enrol in a Victorian government school, independent or Catholic school. The use of the VSN is regulated and can only be used as stipulated by legislation.

The Department also assigns international students a unique international student identifier number.

Other unique identifiers may be applied by schools.

Students undertaking vocational or university education can also register for a Federal Government issued and managed unique identifier, Unique Student Identifier (USI). The USI is used to create an online record of a student’s recognised Australian training and qualifications. Students are required to have a USI before they can receive their qualification or statement of attainment.

Student transfers

Between Victorian government schools

When a student has been accepted at, and is transferring to, another Victorian government school, the current school transfers information about the student to that school. This may include copies of the student’s school records, including any health information. Parental consent is not required for this.

This enables the new school to continue to provide for the education of the student, to support the student’s social and emotional wellbeing and health, and to fulfil legal requirements.

To and from Victorian non-government schools including Catholic schools

When a student has been accepted at, and is transferring to or from a non-government school in Victoria, the current school provides a transfer note from the student records system to the new school, with parental consent.

Additionally, the current school may share information with the new school to promote the wellbeing or safety of the student or to assess or manage family violence risk pursuant to the Information Sharing Schemes.

To and from interstate schools

When a student has been accepted at and is transferring to or from a school outside Victoria, the current school provides a transfer note to the new school, with parental consent.

Further direction on information transfers between schools is available in the guidance under Enrolment – Student transfers between schools.

NAPLAN results

NAPLAN is the national assessment for students in years 3, 5, 7 and 9, in reading, writing, language and numeracy.

Schools use NAPLAN data to evaluate their educational programs by analysing results for students who attended their school.

Victorian government schools can access student NAPLAN results from the student records system. When a student transfers to or from an independent, Catholic or interstate school, with parental consent, the school where the assessment was undertaken can provide a student’s NAPLAN results to the new school.

Responding to complaints

On occasion, Victorian government schools and the Department’s central and regional offices receive complaints from parents and others. Schools and/or the Department’s central or regional offices will use and disclose information as considered appropriate to respond to these complaints (including responding to complaints made to external organisations or agencies). More information about the process can be found in the Complaints – Parents policy.

Complaints relating to the Department’s International Student Program are managed according to the ISP Complaints and Appeals Policy.

Complaints specifically about the Department’s or a school’s handling of personal information are managed according to the privacy complaints process.

Accessing information

All individuals, or their authorised representative(s), have a right to access, update and correct information that a school holds about them, providing access to information or records doesn’t increase a risk to the safety of a child or children.

Access to student information

Schools only provide school reports and ordinary school communications to students, parents, carers or others who have a legal right to that information. Requests for access to other student information or by others must be made by lodging a Freedom of Information (FOI) application through the Department’s Freedom of Information Unit.

In some circumstances, an authorised representative may not be entitled to information about the student. These circumstances include when granting access would not be in the student’s best interests or would breach our duty of care to the student, would be contrary to a mature minor student’s wishes or would unreasonably impact on the privacy of another person.

Additionally, the Child and Family Violence Information Sharing Schemes allow prescribed organisations to share confidential information with each other to promote the wellbeing or safety of children, or to assess or manage family violence risk. Victorian schools and a range of other Victorian services fall under these schemes. For more information, refer to: Information sharing and MARAM reforms.

Access to staff information

School staff may first seek access to their personnel file by contacting the principal. Guidance on access to staff health information is available at: Access to health information – Employees.If direct access is not granted, the staff member may request access through the Department's Freedom of Information Unit.

Refer to Freedom of information requests for further information.

Storing and securing information

Victorian government schools take reasonable steps to protect information from misuse and loss, and from unauthorised access, modification and disclosure. They store all paper and electronic records securely, consistent with the Department’s records management policy and information security standards. All school records are formally disposed of, or transferred to the State Archives (Public Record Office Victoria), as required by the relevant Public Record Office Victoria record Retention and Disposal Authorities. Refer to the Records Management Policy for Schools for further information.

Victorian government schools are provided with tools and information to help them assess software and contracted service providers for privacy and information handling risk. Privacy Impact Assessments (PIAs) help schools to assess third party software used in a school that handles personal, sensitive or health information. Conducting PIAs helps schools to identify privacy and security risks, evaluate compliance with Victorian privacy laws and document actions required to manage any identified risks.

The European Union’s (EU’s) General Data Protection Regulation (GDPR) applies to international students from the EU.For queries, contact international@education.vic.gov.au.

Updating your information

It is important that the information we hold about students, families and staff is accurate, complete and up to date. Please contact your school’s general office when information you have provided to them has changed.

More information

Information for parents

• School privacy policy-English (docx - 111.23kb)
• School privacy policy-English (pdf - 229.52kb)
  

FOI and privacy

To make a FOI application contact:

Freedom of Information Unit
Department of Education and Training
2 Treasury Place, East Melbourne VIC 3002
(03) 7022 0078
foi@education.vic.gov.au

For more information about FOI, see Freedom of information requests.

If you have a query or complaint about privacy, please contact:

Knowledge, Privacy and Records Branch
Department of Education and Training
2 Treasury Place, East Melbourne VIC 3002
(03) 8688 7967
privacy@education.vic.gov.au

Related pages

• Department of Education and Training privacy policy
  
• The Department's website privacy policy