In a recent post I outlined my concerns about aspects of student privacy. https://edwinbruce.wordpress.com/2014/10/31/how-seriously-do-we-treat-students-privacy/
I followed up with an email to the Privacy Commissioner. Their reply is outlined below and includes a link to their publication outlining schools obligations under the Privacy Act. It seems that my concerns are valid under:
- Principle 4, a school should ensure that it doesn’t collect personal information about each student by unlawful, unfair or too intrusive means.
- Principle 11 requires agencies not to disclose personal information, unless one of the exceptions to principle 11 may apply.
I also note that in order for the Privacy Commissioner to find an interference with privacy there must be a breach of a privacy principle and the person must have suffered significant harm as a result of that breach(section 66). I suspect student embarrassment and potential humiliation may not be considered “significant harm”.
Perhaps some Professional Development in this area may not go amiss in schools around Wellington and possibly wider?
Reply from Office of the Privacy Commissioner
Thank you for your email. I apologise for the delay in responding to you.
Yes, a school would need to be mindful of their obligations under Privacy Act when collecting and disclosing personal information. In particular, principle 4 and principle 11 of the Privacy Act may warrant consideration.
Under principle 4 of the Privacy Act, a school should ensure that it doesn’t collect personal information about each student by unlawful, unfair or too intrusive means.
Principle 11 of the Privacy Act requires agencies not to disclose personal information, unless one of the exceptions to principle 11 may apply. For example, one of the grounds where they could disclose information is if the student consented to the disclosure of their personal information (principle 11(d)). Another ground is if disclosure was one of the purposes for collecting the information (principle 11(a). But disclosure as a purpose raises principle 3 for consideration.
Under principle 3, the agency should make the individual aware that it is collecting their personal information, and what is going to happen with their personal information. Principle 3 reflects an underlying policy of Privacy Act, that agencies should be open about their collection and use practices concerning personal information For this reason, among others, permission to collect, use or disclose personal information is not necessarily requires id here is a demonstrated adequate compliance with principle 3. In other words, an individual should not be surprised by what is happening with their personal information.
Furthermore, in order for the Privacy Commissioner to find an interference with privacy there must be a breach of a privacy principle and the person must have suffered significant harm as a result of that breach(section 66).
You may wish to refer to a booklet published by this Office, “Privacy in School: A guide to the Privacy Act for principals, teachers and boards of trustees”. Here is the link for that booklet: https://privacy.org.nz/assets/Files/Brochures-and-pamphlets-and-pubs/Privacy-in-Schools-September-2009.pdf
I trust this information is helpful to you.