privacy - useful resources for department staff
TRANSCRIPT
About PrivacyA resource for Departmental Staff
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 2
Understanding privacy obligations is important for all staff
The Department of Education collects and
manages a vast amount of information, much of it
personal information about its staff, students
and parents. As an employee, it is vital that you understand how to
work with this information.
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 3
Which laws, regulations and guidelines set out Information Access and Privacy protocols?
Privacy and Personal
Information Protection Act 1998
(PPIP)
Government Information
(Public Access) Act 2009 (GIPA)
Health Records and Information Privacy Act 2002 (HRIP)
Agency Privacy
Management Plans (PMP)
Commissioner’s guidelines
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 4
What is personal information?
Personal information is information or an opinion
about an individual.
The individual’s identity needs to be apparent or
reasonably ascertainable.
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 5
Sensitive and Health Information are types of personal information that require extra protection
Sensitive Information“Ethnic or racial origin, political opinions, religious or philosophical beliefs, ATSI status, country of birth, LBOTE and chosen/preferred SRE class” (s.19(1) PPIP Act)
PPIPA Privacy and Personal Information Protection Act 1998
Health InformationInformation about an individual’s health, disability or health services (s.6 HRIP Act)
HRIPAHealth Records and Information Protection Act 2002
Note: The extra protection categories do not mean that these types of personal information can never be collected, used or disclosed. They just have tougher rules, so extra care is needed with these categories.
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 6
Collecting personal information is regulated by rules known as Privacy Principles
The information must:1) Fulfil a lawful purpose2) Be relevant3) Be accurate
It must not:1) Be excessive2) Be intrusive to an unreasonable extent on the personal affairs of the subject
EXAMPLEEnrolment data, such as names, addresses, medical information, etc. is clearly authorised by the Department’s governing and other legislation for the purpose of operating schools effectively and safely.
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 7
Personal information should only be used for the primary purpose for which it was collected, unless:
The person has consented
Where authorised or required by another law
It is for a directly related secondary
purpose within their reasonable
expectations
To deal with a serious and
imminent threat to any person
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 8
Questions we must ask when collecting and using personal information include:
Is it reasonably necessary to include this particular data?
If the Department received a complaint about breaching
privacy, could we reasonably argue that the use or disclosure was necessary for us to do our
core business?
Is this data ‘directly related’ to my work?
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 9
Any information collected by the Department can only be used for limited purposes
Operational (School-level)
• Allocation of classes• Determining demand for special religious
education classes• Arranging for interpreters when needed for parent teacher interviews• Managing students with safety risks e.g. allergies
Strategic (Departmental-level)
• The calculation of the family occupation and education index (FOEI) for each school.
• The allocation of resources for each school.
For example: Enrolment data is collected for a primary purpose, which is to enrol a student. However, there are a range of directly related secondary
purposes for which that data can be used, such as:
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 10
When collecting data, it is important that we tell people how we will use their information
• General student administration relating to the education and welfare of the student.
• Communication with students and parents or carers.
• To ensure health, safety and welfare of students, staff and visitors to the school.
• State and National Reporting purposes.
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 11
It allows staff to be aware of what data we have.
The Business Unit knows who to go to for help or access to certain information.
The privacy status for the dataset is made explicit.
It identifies whether general release to the public is allowed (at an aggregated level, for instance).
The Department’s Information Asset Register tells us what data we have and how we are protecting it
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 12
Some roles are more likely to deal with personal information on a daily basis
Data Analysts
People and Services Staff
Hiring Managers
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 13
Another role who may come across personal information is an Administration Support Officer
When dealing with data I must follow the appropriate steps:
• Only use data relevant to my task (e.g. email addresses rather than survey responses).
• Ensure I only use data for the purpose for which it was collected.
• Make sure the data isn’t saved somewhere where it can be accessed by anyone outside the team responsible for it.
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 14
Recruitment also requires us to work carefully with personal information
A reminder: Do not put confidential or personal documents in the recycle box. It must be shredded first.
.
After receiving applicants’ resumes and identification documents we:
• Must secure personal information – lock these away.
• Should dispose of them by shredding them once the recruitment process is finished.
• Must not disclose any personal information about the candidates to other people who are not part of the recruitment process.
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 15
The GIPA Act establishes a proactive, more open
approach to gaining access to government
information in NSW. This is to ensure Government is open, accountable, fair
and effective.
As part of The Government Information (Public Access) Act 2009 there is a presumption that data can be made readily available if needed
http://www.ipc.nsw.gov.au/gipa-act
Data released under GIPA is still subject to a
privacy test.
The GIPA Act
• Authorises and encourages the proactive release of information by NSW public sectors.
• Gives members of the public a legally enforceable right to access government information.
• Ensures that access to government information is restricted only when there is an overriding public interest against release.
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 16
Bradley Cooper’s taxi ride: a lesson in privacy risk.
http://www.salingerprivacy.com.au/2015/04/19/bradley-coopers-taxi-ride-a-lesson-in-privacy-risk/
• Salinger Privacy produced an article on privacy risks and ‘open data’.
• Bradley Cooper’s taxi ride is a useful reminder of the risks of re-identification of data.
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 17
We can disclose personal information outside the Department if:
It is authorised or required by another
law.
It is under another exemption, such as law enforcement, research,
etc.
The information is not “sensitive information” (ethnicity, religion, etc), and disclosure is for the
primary purpose for which it was collected.
We have the consent of the individual.
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 18
We can disclose personal information outside the Department
When it is: Sensitive info Health info Other personal info
with their consent
for the purpose for which it was collected
for a directly related secondary purpose (within expectations)
for the purpose you notified them about
authorised or required by another law, or another exemption
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 19
AGGREGATE DATA
• Aggregate data: summary information, for example, data on schools in remote areas, broken down by school year, gender and Indigenous status.
• Even with aggregate data, there is a risk that individual students or teachers could be identified from the data. Safeguards must be applied in such cases, with strategies to ‘anonymise’ the data.
UNIT RECORD DATA
• Unit Record data: about a unique individual contains details that allows an individual to be identified, such as names, or a Student Registration Number.
Types of data we deal with:
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 20
How the data we deal with can be released:
AGGREGATE DATA
• Aggregate data is released on the basis that:
1. No information that permits the identification of individuals is released
2. Data released is valid and reliable3. It is of high quality
UNIT RECORD DATA
• Unit record data may only be released on the basis that it:
1. Complies with privacy principles that says we can disclose personal information.
CENTRE FOR EDUCATION STATISTICS AND EVALUATION WWW.CESE.NSW.GOV.AU 21
More information or assistance
Personal Information and Privacy Protection Act 1998 (PIPPA)http://www.legislation.nsw.gov.au/inforcepdf/1998-133.pdf?id=1db809e7-46ab-44c1-bce5-d12f0058a002
Health Records and Information Privacy Act 2002 (HRIPA)http://www.austlii.edu.au/au/legis/nsw/consol_act/hraipa2002370/
Department of Education Privacy Management Planhttps://www.det.nsw.edu.au/media/downloads/reports_stats/privacy/privacy-management-plan-march-2014.pdf
Department of Education Privacy Code of Practicehttp://www.dec.nsw.gov.au/documents/15060385/15385042/Privacy_code.pdf
Department of Education Privacy & Information Access ResourcesInformation Access - https://detwww.det.nsw.edu.au/lists/directoratesaz/legalservices/foi/index.htm (see also link to website)Privacy - https://detwww.det.nsw.edu.au/lists/directoratesaz/legalservices/ls/privacy/index.htm http://www.dec.nsw.gov.au/about-us/plans-reports-and-statistics/privacyPrivacy Bulletin - https://detwww.det.nsw.edu.au/media/downloads/directoratesaz/legalservices/ls/privacy/bulletins/bulletin3.pdf Government Information (Public Access) Act 2009 (GIPAA)http://www.legislation.nsw.gov.au/maintop/view/inforce/act+52+2009+cd+0+N