Online Learning and Privacy
Whilst the ability for educators to adapt to novel ways of delivering content has been fundamental to successful learning outcomes this year, the introduction and use of new virtual platforms requires an analysis of the safety of those programs and their compliance with Australian Privacy Principles (APPs). As most (if not all) schools are covered by the APPs, principals should take care to ensure that those requirements are not being breached by the online platforms that are being utilised in their schools.
Australian Privacy Principles (APPs)
There are many legal areas requiring consideration when encouraging or mandating students to engage with certain online resources to ensure students are protected. Indeed, schools are obliged to consider privacy when selecting digital learning tools.
Some relevant considerations relate to how information is gathered and used by third-party providers (and the possibility that those processes breaches the Australian Privacy Principles). We have previously provided a brief guide to the privacy laws for schools which can be found here and which details the privacy principles.
Having regard to those APPs, as a Principal you should be looking into the following issues. This list is by no means exhaustive, but is a strong starting point.
1. Is the program/platform Australian?
APP 8: Cross-Border Disclosure of Personal Information
Schools must take reasonable steps to ensure that any non-Australian recipient of information does not breach any of the APPs and complies with Australian Law. Schools may be legally accountable if students’ information is mishandled by web-based learning tools or applications. Once information is transferred out of Australia, it is governed by the privacy laws of the country in which it is stored. Thus, its usage may not comply with Australian standards, creating issues for the school.
Therefore, it is imperative that these online tools are properly assessed and evaluated before they are used by students, and that schools take ‘reasonable steps’ to ensure no breach of APPs occurs.
2. What does the ‘fine print’ say about information gathering?
The Office of the Victorian Information Commissioner (OVIC) Report (18 August 2020) analysed issues associated with online learning and privacy, identifying key areas of vulnerabilities for schools. The report identified a number of concerns and made recommendations that schools should take to ensure the safety of their students’ private information. A copy of the report can be accessed here.
The report notes that many ‘free’ digital programs have processes that raise privacy issues for schools. It is common that the free programs on-sell data, including personal information of the program users, to third parties.
Given the obligations on schools regarding the APPs, the implementation or recommendation for use of apps which do not meet the relevant privacy standards may find them falling short of their requirements. The abovementioned app may not align with IPP 4.1, which refers to an organisations responsibility to take reasonable steps to protect personal information from misuse, loss and unauthorised access.
3. Are you obtaining informed consent?
Schools collect a great deal of personal information from parents and students required for the delivery of educational services and to maintain student safety. This information is provided for use by the school through the consent of the parents.
However, where schools do not provide sufficient information to parents on how students’ information is going to be used by the school, including the digital applications they use or recommend as part of the curriculum, consent from parents is not likely to be considered to be ‘informed’, undermining the value of that consent. Accordingly, it is important to provide information to parents on privacy policies of online tools so that they are aware of how their child’s personal information is protected.
4. What information is being gathered and is that ‘reasonably necessary’?
It is vital to ensure platforms used only collect data from students that is ‘reasonably necessary’ to be collected under APP 3.
APP 3 requires that a school only collect personal information where it is reasonably necessary for, or directly related to, the school’s functions or activities. Where a digital program being utilised by a school uses that information for purposes which do not form part of the school’s functions or activities, this APP may be breached.
5. How is the information stored?
Under APP11, schools must ensure that students’ personal information is secure and protected and that any information which is no longer required is destroyed. Accordingly, when considering to implement or use a digital platform or app in your school, you should ensure that that you thoroughly review the terms and conditions of the digital platform or app to satisfy yourself that the personal information is being stored securely and is protected against misuse, interference and loss, and from unauthorised access, modification or disclosure.
How can Brennan Law Partners assist?
If you have a concern about the appropriateness of any current service provider or platform, or suspect a privacy breach, contact us immediately to consider appropriate steps to take in the given situation.