Online Learning and Privacy

The COVID-19 pandemic has forced schools to be flexible and creative in the delivery of curriculum which, in turn, has seen an increase in the use of online applications and web-based learning platforms. Some online portals are internal, school based and controlled programs, others are external.

Whilst the ability for educators to adapt to novel ways of delivering content has been fundamental to successful learning outcomes this year, the introduction and use of new virtual platforms requires an analysis of the safety of those programs and their compliance with Australian Privacy Principles (APPs). As most (if not all) schools are covered by the APPs, principals should take care to ensure that those requirements are not being breached by the online platforms that are being utilised in their schools.

Australian Privacy Principles (APPs)  

There are many legal areas requiring consideration when encouraging or mandating students to engage with certain online resources to ensure students are protected. Indeed, schools are obliged to consider privacy when selecting digital learning tools.

Some relevant considerations relate to how information is gathered and used by third-party providers (and the possibility that those processes breaches the Australian Privacy Principles). We have previously provided a brief guide to the privacy laws for schools which can be found here and which details the privacy principles.

Having regard to those APPs, as a Principal you should be looking into the following issues. This list is by no means exhaustive, but is a strong starting point.


1.   Is the program/platform Australian? 

APP 8: Cross-Border Disclosure of Personal Information

Schools must take reasonable steps to ensure that any non-Australian recipient of information does not breach any of the APPs and complies with Australian Law. Schools may be legally accountable if students’ information is mishandled by web-based learning tools or applications. Once information is transferred out of Australia, it is governed by the privacy laws of the country in which it is stored. Thus, its usage may not comply with Australian standards, creating issues for the school.

Therefore, it is imperative that these online tools are properly assessed and evaluated before they are used by students, and that schools take ‘reasonable steps’ to ensure no breach of APPs occurs.

2.  What does the ‘fine print’ say about information gathering?

The Office of the Victorian Information Commissioner (OVIC) Report (18 August 2020) analysed issues associated with online learning and privacy, identifying key areas of vulnerabilities for schools. The report identified a number of concerns and made recommendations that schools should take to ensure the safety of their students’ private information. A copy of the report can be accessed here.

The report notes that many ‘free’ digital programs have processes that raise privacy issues for schools. It is common that the free programs on-sell data, including personal information of the program users, to third parties.

For example, one commonly used software that is identified in the OVIC report collects information of all its users and provides this data to third parties without taking responsibility for how it is used. The app requires the collection of personal information, including email address, school, chosen username and password. The app also collects other information which it does not consider personal including browser and device information, app usage data, information collected through cookies, demographic information, aggregated information, and IP address. The app manages data through their Terms and Conditions, Privacy Policy and Children’s Privacy Policy. By using the app’s services users agree to the transfer, processing and storage of their personal information in any country where the app engages service providers.

Given the obligations on schools regarding the APPs, the implementation or recommendation for use of apps which do not meet the relevant privacy standards may find them falling short of their requirements. The abovementioned app may not align with IPP 4.1, which refers to an organisations responsibility to take reasonable steps to protect personal information from misuse, loss and unauthorised access.

3.   Are you obtaining informed consent?

Schools collect a great deal of personal information from parents and students required for the delivery of educational services and to maintain student safety. This information is provided for use by the school through the consent of the parents.

However, where schools do not provide sufficient information to parents on how students’ information is going to be used by the school, including the digital applications they use or recommend as part of the curriculum, consent from parents is not likely to be considered to be ‘informed’, undermining the value of that consent. Accordingly, it is important to provide information to parents on privacy policies of online tools so that they are aware of how their child’s personal information is protected.

4. What information is being gathered and is that ‘reasonably necessary’?

It is vital to ensure platforms used only collect data from students that is ‘reasonably necessary’ to be collected under APP 3.

APP 3 requires that a school only collect personal information where it is reasonably necessary for, or directly related to, the school’s functions or activities. Where a digital program being utilised by a school uses that information for purposes which do not form part of the school’s functions or activities, this APP may be breached.

5.   How is the information stored? 

Under APP11, schools must ensure that students’ personal information is secure and protected and that any information which is no longer required is destroyed. Accordingly, when considering to implement or use a digital platform or app in your school, you should ensure that that you thoroughly review the terms and conditions of the digital platform or app to satisfy yourself that the personal information is being stored securely and is protected against misuse, interference and loss, and from unauthorised access, modification or disclosure.

How can Brennan Law Partners assist?

Brennan Law Partners can assist you to be proactive in protecting against privacy breaches by reviewing contracts and ‘fine print’ of service providers. Contact us to review any documents relating to current or prospective service providers.

If you have a concern about the appropriateness of any current service provider or platform, or suspect a privacy breach, contact us immediately to consider appropriate steps to take in the given situation.

If you have any questions regarding any information in this BLP Brief, we welcome you to contact us at any time.
This is meant as a guide only and should not be taken as legal advice.

Question? Comment? We’re here to help so talk to us!