PRIVACY A TECH “TREND” FOR 2019 – HOW SCHOOLS CAN PREPARE

With the strengthening of the Australian privacy law to include mandatory data breach notification, the growing data privacy issues surrounding big tech companies like Facebook, Google – and even now Apple – the introduction of the Global Data Protection Regulation (GDPR) in EU earlier this year, (and I’d add the recent setback with the My Health rollout), its predicted by Gartner that digital ethics and privacy will be a top ten strategic technology trend for 2019.

So why should schools care?

1. The annual Deloitte Australian Privacy index continues to rank the Education sector as one of the weakest sectors for being transparent on privacy practices to consumers
2. A recent NTT global threat intelligence report stated the Australian education sector topped the list of attacked industries
3. The Australian Privacy Commissioner’s quarterly statistics in relation to data breach notification included 16 data breaches in the Education sector during the period 1 July 2018 – 30 September 2018 (8 of which were a result of human error!), and
4. The community – including students and parents – are paying attention!

Information security is a key element of privacy. A cybersecurity expert from the University of NSW was recently quoted as saying schools are just as vulnerable – if not more so – than companies when it comes to cybersecurity.

 “Schools don’t tend to have professional IT staff with a deep understanding of security issues, although a number of schools doubtlessly have teachers who understand IT and the associated security issues,” Professor Gernot Heiser.

In addition to this, schools have obligations in relation to transparency about their personal information handling practices and must apply rigorous decision making when collecting, using and disclosing such information.

Getting on top of privacy in 2019

For schools – or any child-safe organisation for that matter – it’s important to get privacy right for our kids. Quite outside the issues of community trust, there are also significant penalties that can apply if a school gets it wrong.

And, what is the one piece of data that shares a mountain of information to easily identify a person? An image (that is, a photo or video).

Images of a person are considered personal information in the context of Australian privacy law (both at the national and State/ Territory levels). As a school, you must clearly explain to your parents/guardians what images of their children will be collected and processed by the school, and the uses to which those images will be put by the school. To ensure this is done correctly:

• Provide parents with access to an up-to-date and detailed privacy policy on how the school manages personal information, and a detailed ‘collection statement’ (also called a ‘privacy notice’) relating to the taking and using of images at school. A broad catch-all ‘collection statement’ is not sufficient.
• Ensure practices, procedures and systems (i.e. a smart photo management tool that manages consent and restrictions in real-time) are in place and properly applied. This should include an ability for your school to deal with inquiries or complaints.
• Ensure you have current (i.e. at least yearly) informed consent from parents/guardians in relation to their child’s images being taken and used. In some cases, you may need to seek an additional consent – for example, where you have a new idea or initiative involving student photos, or where it is intended to use photos for specific marketing purposes. You can find additional information about consent in my recent blog post, here.

10 best practices schools can follow on image management

1. The taking of images at school should only occur when there is a valid reason to do so and should be adequately supervised
2. Student images should be used for only intended purposes agreed to by parents/guardians
3. Location services should be turned off when taking photos on mobile devices as they attach location data to pictures taken
4. Avoid the use of photos that identify individual students. A safe compromise is to only use photos taken from behind students. Remember, school uniforms and logos in images can quickly identify your school and if you are a school of religious denomination or delivering special needs services to children, that photo may be afforded additional protections under Australian privacy law
5. If you do use photos of students, don’t refer to a student by name (even their first name) in the caption under the photo or in the post. Don’t use student name/s in the file name of the photo because if someone inspects or saves the file, the name is available for everyone to see
6. Ensure all students have dressed appropriately and images taken do not contribute or expose children to embarrassment, distress or harm
7. Do not use images of students who are considered vulnerable or whose identity requires protection (i.e. foster children)
8. Opting-out or refusal of consent in any way should not limit a student’s participation in school activities
9. Images should be carefully and securely stored in accordance with Australian privacy rules, with the consent attached for automation/cross-referencing purposes
10. Images should only be shared with third-parties for their use when it has been clearly communicated to parents/guardians as part of a school ‘collection statement’ or explicitly agreed to as part of the consent process. Note, using a ‘collection statement’ alone as the basis for sharing images to social media, marketers or others outside of the school environment is likely not going to be sufficient. A parent/guardian should be allowed to ‘opt-in’ (or elect) to have their child’s images transferred to third parties (rather than be required to ‘opt-out’).

Place a special focus on school websites & social media

Schools need to develop a policy about the use of images of children on their website and on social media. The internet is public, accessible and largely an unregulated media. Decisions to post student images on websites should take this into account. Photos taken at a school event, for example, can reveal a substantial amount of information through which children can be identified.

It is important to preserve the right of parents/guardians to request that a school remove any images of their child posted to a website or social media. Every effort should be made to take the image down as soon as possible, but the best approach is to not publish an image online if there are any concerns with the context or consent behind a photo. Once on the net, there’s no getting off!

Is your school improving its privacy practices around images? If not, why not?