4 min read

The COVID-19 pandemic has caused almost all schools across the country to adopt new processes and programs for curriculum delivery, particularly for remote learning operations. Even when students are back in the classroom, many online processes and platforms continue to be used to support student learning.

However, with the increased use of online platforms and programs there has been increased incidents of privacy and data breaches involving schools. With a significant volume of valuable and sensitive information being shared over digital platforms, schools face an increasing risk of data breaches or attacks by cyber criminals.

Accordingly, Principals must ensure that their school’s privacy and data protection practices and polices are well developed and implemented, to minimise the risk of cyber issues and the potential consequences should an adverse event take place.

Managing the Increased Risk

Data breaches and cyber risks can result from both human error and malicious third party attacks. As organisations that manage personal information, schools must ensure that they protect the information they hold against unauthorised access or disclosure. With increased use of digital programs and platforms in education, the risk of privacy and data breaches is significantly greater and has resulted in a spike in breaches during the COVID-19 pandemic.

Assess the Risk

Before adopting or implementing a new digital program or platform, schools should undertake an assessment of any risks that that program may give rise to. The assessment should consider privacy and protection of data for all users having regard to a school’s obligations under the Privacy Act and Australian Privacy Principles.

To effectively undertake the assessment, schools should consider:

• What data and information the program collects, noting particularly any sensitive or personal information collected;
• Where the program stores data and information it obtains;
• How the program protects the data and information it obtains;
• Whether the data will be disclosed to any other party and, if so, for what purposes;
• Are the users aware of how the data and information is being collected, stored and used.

If the assessment identifies any risks with the program, the school should then consider whether reasonable steps can be put in place to mitigate those risks and/or whether use of that program should be abandoned.

Maintain Clear Policies

It is also important to maintain clear and accessible policies on the use of digital technologies and platforms within your school. These policies should address:

• What programs can be used, by whom and when;
• The process for introducing new digital platforms into the curriculum (to ensure that the school can undertake an appropriate risk assessment);
• What steps the school will take to protect the information it obtains through the course of its operations;
• How the school will manage any data concerns or breaches.

Train Your Staff

Of course, you can have the best policies in the world but if you do not make those documents ‘living’ documents and train your staff on their effect and implementation, they will not provide any protection or benefit to your school.

Accordingly, it is imperative that you train your staff on the use and adoption of digital technologies to protect against privacy and data breaches. Schools should provide regular training to staff on its privacy and data protection practices, ensuring that any new technologies adopted in the classroom are appropriately understood and used.

Training should be relevant to the manner in which that technology may be used by the staff and any reasonably foreseeable risks identified and trained for. As staff and students will likely be adopting the digital platforms on their personal/home IT systems, associated risks should be accounted for in any relevant training.

Managing a Data Breach

Schools have an obligation under the Privacy Act to take reasonable steps to protect the personal information they hold from unauthorised access, misuse, interference or loss.

If a school has reasonable grounds to believe that a data breach has occurred in these circumstances, it must notify the Commissioner and the affected individuals of the breach.

An eligible data breach will occur if:

1. there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by the school; and
2. a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.
   
   

What steps should you take if a Data Breach occurs?

When a breach occurs or is suspected, there is an obligation on the school to:

1. conduct a reasonable and expeditious assessment of a suspected eligible data breach
2. notify the affected individuals as soon as possible, including providing details of the information that was lost/misused/accessed and the potential harm that may result;
3. prepare and provide to the Commissioner a statement about a data breach;
4. comply with any directions given by the OAIC in responding to the breach

Consequences

Where a school fails to respond appropriately to an eligible data breach, both financial and reputational harm may follow. Civil penalties up to $2.1m may be imposed, a failure to limit the potential harm suffered by an effected person may give rise to a claim for compensation and the school may suffer reputational damage.

How can Brennan Law Partners assist?

If you suspect that a data breach has occurred and require assistance to respond, you can contact us for assistance.

We can also help you prepare a Data Breach Response Plan ensure that you are positioned to respond appropriately should an unfortunate breach occur.