The Office of the Privacy Commissioner provides useful guidelines for good information handling.
Good information handling is a foundation stone of building trust between everyone who participates in the life of a school or early learning service.
School and early learning service staff are generally aware of how to protect the privacy of students and their family or caregivers, but situations can arise where finding the right answer is not so straightforward.
The starting point for navigating these kinds of situations is the Privacy Act 1993. While the 12 privacy principles are law that schools and services must follow, they are not so much hard and fast rules as basic guidance.
To apply the privacy principles, staff need to understand them. It is also important to understand if there are other relevant laws, such as the Education Act, which take precedence over the privacy principles.
Let’s consider the principles that schools are most likely to need to know about.
When collecting personal information about students and their families, schools and services must be sure they are collecting it for the lawful purpose of the school or service and the information is necessary for those purposes.
When collecting personal information, schools and services should collect that information directly from the individual concerned. But if a child is under 16, it is naturally more practical to get the information from the parents.
When collecting information from an individual, it is important that the individual (or their parents or caregivers) are aware of how it is being collected, why it is being collected, what will be done with it, and who will see it.
Schools and services must not collect information by any unlawful or unfair means. For example, schools should not record students or teachers without their knowledge.
Schools and services have an obligation to take care of personal information held. There need to be reasonable measures in place to avoid loss of information or unauthorised access or use.
Some things to think about are:
Principle 6 gives any person the right to ask a school or service if it holds information about them, and in most cases, to have access to that information. The request can be made in writing or orally. The school or service must respond no later than 20 working days after receiving the request.
Personal information may be withheld under the Privacy Act in some cases.
The most relevant withholding grounds for schools and services are:
Any person has the right to ask a school or early learning service to correct any of the information held about them. If the school believes the information is correct, then the person has the right to have a statement disputing the information added to the school or service’s record.
For example, a school principal might record the behaviour of a student at a meeting as angry. The student might disagree and ask for it to be changed. In this instance, the school or service does not have to change its record but must attach the student’s view to be read alongside the principal’s view.
Principle 8 is an obligation to take reasonable steps to check the accuracy of the information before using it. In other words, try and make sure the information is accurate, up to date, complete, relevant, and not misleading. A common example is outdated address details leading to personal information being sent to the wrong place. It is good practice to check the currency of personal details periodically.
Principle 9 says a school should not keep a person’s information for longer than is necessary. There is no set timeframe in the Privacy Act, and it will vary depending on the information. Once a school no longer has a lawful purpose to hold on to the information, it should safely dispose of it – check the disposal schedule produced by the Ministry of Education which addresses different classes of information and how long they must be retained.
Schools or services should only use personal information for the purposes for which it was collected. For example, if a parent or student consents to photographs for a project, the school or service may not subsequently use the photograph for promotional advertising – unless it obtains additional consent.
If a school or service is taking photos of children to share online or to use in publications, a general rule is to check with the parents (or the students themselves if they are 16 or over).
An additional safeguard that can be adopted is to not necessarily identify the children by their names in photographs.
The general point is that schools and services must look after personal information of students and staff and not release that information to third parties. This principle, like other principles, is subject to other legislation.
Under the Education Act, schools are required to collect essential information on enrolment and to pass this information on to any school to which the student transfers. Schools are also required to pass on information about students to the Ministry of Education.
Under the Oranga Tamariki Act, if teachers or early learning service staff have concerns about a child’s safety or wellbeing, they can report this to an appropriate person or agency (like Police or Oranga Tamariki).
Under the Privacy Act, agencies and individuals can report concerns if they believe it is necessary to prevent or lessen a serious threat to an individual’s safety or wellbeing, or for law enforcement purposes.
Principle 12 governs how ‘unique identifiers’ – such as student ID numbers, driver’s licence and passport numbers – can be used. It says schools cannot assign an ID number to a student that has already been given to that person by another school or organisation.
There are many privacy issues which are outside the Act which a school or service can manage by having good policies. For example, a student may impact the privacy of another student by filming and publishing images of them against their wishes. While the use of personal information in this way falls under the domestic affairs exemption in the Privacy Act (and outside the jurisdiction of the Privacy Commissioner), a school can have rules to manage behaviour that may be intended to hurt or harm another student or a teacher.
Privacy is a very contextual area. The key thing to know is where to go to seek advice and help. Call the Office of the Privacy Commissioner’s enquiries line on 0800 803 909 or use the online contact form.
The AskUs tool of FAQs is a resource full of privacy-related questions, such as:
The Privacy Act is changing. The new legislation comes into effect 1 December 2020. Resources for the Privacy Act 2020 can be found on the Office of the Privacy Commissioner’s website(external link). Resources for schools, kura and early learning centres can also be found on the Ministry of Education website(external link).
BY Education Gazette editors
Education Gazette | Tukutuku Kōrero, reporter@edgazette.govt.nz
Posted: 9:20 am, 7 March 2019
8 March 2023
In mid-February, much of the North Island of Aotearoa New Zealand was dealt a devastating blow at the hands of Cyclone Gabrielle. There have been many stories o
13 July 2023
A former school gym has a new lease on life following the 2011 Christchurch earthquakes.
5 October 2023
More than 300 Rainbow ākonga from 15 secondary schools across Auckland came together in June for a day of celebration, learning and connection.
