Understanding the Privacy Act

Good information handling is a foundation stone of building trust between everyone who participates in the life of a school or early learning service. 

School and early learning service staff are generally aware of how to protect the privacy of students and their family or caregivers, but situations can arise where finding the right answer is not so straightforward.

The starting point for navigating these kinds of situations is the Privacy Act 1993. While the 12 privacy principles are law that schools and services must follow, they are not so much hard and fast rules as basic guidance. 

To apply the privacy principles, staff need to understand them. It is also important to understand if there are other relevant laws, such as the Education Act, which take precedence over the privacy principles.

Let’s consider the principles that schools are most likely to need to know about.

Principles 1-4

Collect information responsibly

When collecting personal information about students and their families, schools and services must be sure they are collecting it for the lawful purpose of the school or service and the information is necessary for those purposes. 

When collecting personal information, schools and services should collect that information directly from the individual concerned. But if a child is under 16, it is naturally more practical to get the information from the parents. 

When collecting information from an individual, it is important that the individual (or their parents or caregivers) are aware of how it is being collected, why it is being collected, what will be done with it, and who will see it.

Schools and services must not collect information by any unlawful or unfair means. For example, schools should not record students or teachers without their knowledge. 

Principle 5

Store and send information safely

Schools and services have an obligation to take care of personal information held. There need to be reasonable measures in place to avoid loss of information or unauthorised access or use. 

Some things to think about are:

• Physical security: use of lockable filing cabinets, password protected desktop computers as well as laptops and other mobile devices, and care with work taken home by staff.
• Operational security: restricting access to personal information to appropriate staff, use of track and trace systems to identify who has been accessing confidential and sensitive information.
• Security of transmission: careful use of pigeon holes, notice boards, group emails and spreadsheets (especially as email attachments).
• Disposal of information: be careful when disposing of computer records and hard copy documents. 

Principle 6

Give people access to their information

Principle 6 gives any person the right to ask a school or service if it holds information about them, and in most cases, to have access to that information. The request can be made in writing or orally. The school or service must respond no later than 20 working days after receiving the request.

Personal information may be withheld under the Privacy Act in some cases.

The most relevant withholding grounds for schools and services are:

• Disclosure will mean the unwarranted disclosure of the affairs of another person.
• The information is an evaluation or an opinion, compiled solely for the purposes of awarding scholarships, awards, honours or other benefits and was given in confidence. For example, the contents of a job reference.
• Disclosure will mean a breach of legal professional privilege. A school board may, for example, withhold its lawyer’s legal advice with respect to a student’s expulsion.
• Disclosure is contrary to the interests of an individual under the age of 16. A school may withhold a student’s personal information when the student is under the age of 16, if it is contrary to his or her interests.

Principle 7

Dealing with incorrect information

Any person has the right to ask a school or early learning service to correct any of the information held about them. If the school believes the information is correct, then the person has the right to have a statement disputing the information added to the school or service’s record.

For example, a school principal might record the behaviour of a student at a meeting as angry. The student might disagree and ask for it to be changed. In this instance, the school or service does not have to change its record but must attach the student’s view to be read alongside the principal’s view.

Principle 8

Check the information

Principle 8 is an obligation to take reasonable steps to check the accuracy of the information before using it. In other words, try and make sure the information is accurate, up to date, complete, relevant, and not misleading. A common example is outdated address details leading to personal information being sent to the wrong place. It is good practice to check the currency of personal details periodically.

Principle 9

Keep information only for as long as necessary

Principle 9 says a school should not keep a person’s information for longer than is necessary. There is no set timeframe in the Privacy Act, and it will vary depending on the information. Once a school no longer has a lawful purpose to hold on to the information, it should safely dispose of it – check the disposal schedule produced by the Ministry of Education which addresses different classes of information and how long they must be retained.

Principle 10

Use personal information for its purposes

Schools or services should only use personal information for the purposes for which it was collected. For example, if a parent or student consents to photographs for a project, the school or service may not subsequently use the photograph for promotional advertising – unless it obtains additional consent.

If a school or service is taking photos of children to share online or to use in publications, a general rule is to check with the parents (or the students themselves if they are 16 or over). 

An additional safeguard that can be adopted is to not necessarily identify the children by their names in photographs.

Principle 11

Limits on disclosing personal information

The general point is that schools and services must look after personal information of students and staff and not release that information to third parties. This principle, like other principles, is subject to other legislation. 

Under the Education Act, schools are required to collect essential information on enrolment and to pass this information on to any school to which the student transfers. Schools are also required to pass on information about students to the Ministry of Education.

Under the Oranga Tamariki Act, if teachers or early learning service staff have concerns about a child’s safety or wellbeing, they can report this to an appropriate person or agency (like Police or Oranga Tamariki). 

Under the Privacy Act, agencies and individuals can report concerns if they believe it is necessary to prevent or lessen a serious threat to an individual’s safety or wellbeing, or for law enforcement purposes. 

Principle 12

Unique identifiers

Principle 12 governs how ‘unique identifiers’ – such as student ID numbers, driver’s licence and passport numbers – can be used. It says schools cannot assign an ID number to a student that has already been given to that person by another school or organisation. 

Beyond the Privacy Act

There are many privacy issues which are outside the Act which a school or service can manage by having good policies. For example, a student may impact the privacy of another student by filming and publishing images of them against their wishes. While the use of personal information in this way falls under the domestic affairs exemption in the Privacy Act (and outside the jurisdiction of the Privacy Commissioner), a school can have rules to manage behaviour that may be intended to hurt or harm another student or a teacher.

Privacy is a very contextual area. The key thing to know is where to go to seek advice and help. Call the Office of the Privacy Commissioner’s enquiries line on 0800 803 909 or use the online contact form. 

The AskUs tool of FAQs is a resource full of privacy-related questions, such as:

• Can a school publish a child’s information?
• Can a school give student information to a DHB dental service?
• How does a school respond to a request for a student’s information?
• Can a teacher tell someone if they are concerned about a child’s wellbeing?
• Is a teacher allowed to read texts on a student’s phone? 
• There are also online privacy training modules which are free to do. 
• All these resources can be found at www.privacy.org.nz(external link)

Update

The Privacy Act is changing. The new legislation comes into effect 1 December 2020. Resources for the Privacy Act 2020 can be found on the Office of the Privacy Commissioner’s website(external link). Resources for schools, kura and early learning centres can also be found on the Ministry of Education website(external link).