HOW THE UPCOMING MANDATORY NDB SCHEME WILL AFFECT SCHOOLS
Mandatory data breach notification in Australia… after several attempts to place my thoughts succinctly on paper, to highlight what I believe are some key industry takeaways before the NDB scheme comes into force next month, I am no further ahead.
I tried the moral approach, focusing on the imperative for organisations to get on top of their privacy programs because the timely and responsible handling of data breaches matters to the community they serve. Too much principle, not enough substance.
I tried the compliance and accountability approach, focusing on the risk of increased regulatory scrutiny (and even financial penalties) in the event organisations don’t have their privacy houses in order in advance of a probably-inevitable-but-certainly-preventable data breach. Too much conjecture (on my part) about how enforcement of the NDB Scheme will actually play out over the coming months.
I tried the internal governance approach, focusing on the various gaps organisations might have in their personal information handling practices that could lead to strife – not just data breaches, but also the challenge of properly dealing with data breaches once they’ve happened. Too preachy, and also not a very exciting read.
WHAT HAPPENS TO THE IMAGES OF STUDENTS?
What I care about most is how our schools collect, manage and disclose personal information – particularly, images of students.
This matters to me because my daughter is a student, and her images are gathered and used by her school for a variety of purposes. Those same images are often disclosed by the school, via social media and other publications, for marketing, community awareness and recognition of achievements.
Most schools are required to comply with the National Privacy Principles (NPPs) of the Privacy Act 1988, excepting those covered by state/territory privacy laws (e.g. state-funded schools). The Privacy Amendment (Notifiable Data Breaches) Act 2017 established the NDB Scheme, which operates in conjunction with organisational privacy obligations under the NPPs.
Schools will have the same obligations under the NDB Scheme as other organisations. This includes assessing suspected data breaches and notifying parents, students and the Office of the Australian Information Commissioner of data breaches when required.
WHAT HAPPENS IF SCHOOLS DON’T COMPLY?
A failure by a school to protect personal information in accordance with the NPPs – whereby it is stolen, lost, or accessed or disclosed without authorisation, and the breach is likely to result in serious harm to the individuals to whom the information relates – may amount to an “eligible data breach” under the NDB Scheme. I am concerned, as any parent would be, that not all schools are ready for that.
In the past, schools may have taken a risk management approach to data breaches by choosing to conceal them… I mean, dealing with them entirely in-house. In the event of any media attention, schools might then deflect a privacy blow as an anomalous and regrettable occurrence. However, as recently expressed in a School Governance article,
“reputational risk is also one of the main concerns of school boards as independent schools rely on their reputation to ensure financial viability and growth in enrolments. A major incident which indicates a failure to handle students’ personal data can impact on a school’s future financial viability and enrolment growth.”
The NDB Scheme, coupled with the increased profile of cyber-bullying and technical security risks (associated with “smart” classrooms and cloud-based services for schools), should be a great incentive for schools to re-evaluate their approach to personal information handling.
WHAT CAN WE TAKE AWAY FROM THIS?
While I appreciate that my thoughts on this could easily be unpacked into detailed articles of their own, consider:
PRIVACY IS NOT A TICK-AND-FLICK COMPLIANCE EXERCISE
CYBER-BULLYING IS A REAL PROBLEM
Photographic and digital images should be regarded as some of the most personal information about students that schools collect and manage. Schools should consider whether their current “media use consent” process is adequate, particularly as regards social media and other online disclosures. An error when disclosing student images on a school’s social media feed would – if there is the likelihood of serious harm to the student (e.g. emotional or physical harm caused by cyber-bullying) – be an “eligible data breach” under the NDB Scheme. If I were a school administrator, I would be intensely uncomfortable with that risk.
SECURITY CONTROLS ARE VITAL IN ELECTRONIC ENVIRONMENTS
Schools must take reasonable steps to ensure that electronically held personal information is secure. This includes being confident that vendors for cloud-based services (such as electronic document management, e-learning and photo/image management) have adequate security controls in place and are compliant with key privacy principles in their storage and handling of personal information on the school’s behalf. The NDB Scheme acknowledges that a breach may involve more than one organisation – e.g. a school and the cloud service provider it was using at the time of the breach. This being the case, now is the perfect time to review vendor contracts in relation to the secure handling of personal information, data breach monitoring and reporting.