Personal Information Guideline - Policy and Procedure Register

Personal Information
Guideline
This guideline supports the Information Management (IM)
procedure
Contents
1.0 Purpose
1.1 Background
1.2 Application
1.3 Definitions
2.0 Types of personal information
3.0 Personal information – DET primary legislation
3.1 Legislation coverage by sector and purpose
4.0 Information privacy principles
4.1 Collection of personal information (IPPs 1 to 3)
4.2 Storage and security of personal information (IPP 4)
4.3 Provision of personal information (IPP 5) and access to and amendments of documents containing personal information (IPP 6 and 7)
4.4 Checking accuracy of personal information (IPP8) and use of personal information (relevance) (IPP 9)
4.5 Limits on the use of personal information (IPP 10) and limits of disclosing personal information (IPP 11)
5.0 Guide for state schools
5.1 Is the information 'personal information'
5.2 Collection of personal information (lawful, fair and relevant)
5.3 Storing and securing personal information
5.4 Access to personal information applications
5.5 Using personal information (up-to-date, accurate and relevant)
5.6 When can I disclose personal information?
6.0 Department contact details
Appendix A: Flowchart to identify which legislation protects the different types of personal information
Appendix B: Preparing and providing a privacy notice
Appendix C: Consent to transfer personal information overseas
Acknowledgements
This document was developed using materials made available under a Creative Commons BY licence from the Office of
the Information Commissioner, Queensland – http://oic.qld.gov.au.
Security and licence
This document has an information security classification of public.
© The State of Queensland (Department of Education and Training) 2013
Unless otherwise noted below, materials included in this paper are licensed under a Creative Commons Attribution 3.0
Australia licence. To view a copy of this licence, visit http://creativecommons.org/licenses/by/3.0/au/
Last updated 7 April 2014 Final
TRIM Ref: 14/32964
Uncontrolled copy. Refer to the Department of Education and Training Policy and Procedure Register at http://ppr.det.qld.gov.au to
ensure you have the most current version of this document.
1.0 Purpose
The Department of Education and Training (DET) is committed to protecting personal information it holds
and handles as it performs its functions.
DET is administratively responsible for a number of state acts (referred to as its 'primary' legislation – see
Section 3.0 Personal information – DET primary legislation). This primary legislation specifically regulates the
way DET employees deal with certain personal information and to that extent overrides any provisions of the
Information Privacy Act 2009 that deal with the same subject matter. In essence, DET's primary legislation
must be considered and satisfied in the first instance when handling personal information. Under all other
circumstances, the Information Privacy Act 2009 must be adhered to.
The Information Privacy Act 2009 (IP Act) contains 11 Information Privacy Principles (IPPs) which the
department must follow to regulate the way it collects, stores, uses and discloses personal information about
individuals:
IPP 1. Lawful and fair collection of personal information
IPP 2. Collection of personal information when requested from an individual
IPP 3. Collection of personal information - ensuring relevance, completeness and currency
IPP 4. Storage and security of personal information
IPP 5. Providing information about documents containing personal information
IPP 6. Access to documents containing personal information
IPP 7. Amendment of documents containing personal information
IPP 8. Checking of accuracy, completeness and currency of personal information before use
IPP 9. Using personal information only for relevant purpose
IPP 10. Limits on use of personal information
IPP 11. Limits on disclosure of personal information.
The IP Act places 'practical protections' on the flow of departmental personal information and promotes its
responsible use and disclosure.
Given the complexity of this legislative framework (the primary legislation and the IP Act), this guideline has
been developed to provide practical advice to DET employees when collecting, securing, storing, accessing,
amending, using and disclosing personal information.
1.1 Background
DET has operated under its primary legislation for over a decade in most instances (with the exception of the
Education (General Provisions) Act 2006). The elements of the primary legislation most relevant to personal
information are those referring to confidentiality of children and young people's personal information
recorded, used and disclosed by DET. In 2009, the Queensland State Government introduced a legislative
regime covering information privacy: the Right to Information Act 2009 and the Information Privacy Act 2009.
The IP Act sets out requirements for public sector handling of personal information, through the operation of
the eleven IPPs.
1.2 Application
This guideline applies to all DET employees, contractors and volunteers.
1.3 Definitions
Act means an Act of the Queensland Parliament, and includes:
• a British or New South Wales Act that is in force in Queensland, and
• an enactment of an earlier authority empowered to pass laws in Queensland that has received assent.
In an Act, a reference to 'an Act' includes the Act in which the reference is made. Act also includes statutory
instruments under an Act.
Authorised Officer is an officer authorised by the Director-General to do something on the Director-General's behalf. Not a delegate (e.g. Authorised Officers under the Human Resources Delegations).
Breach of privacy occurs where personal information about an individual has been recorded, stored,
accessed, used or disclosed inappropriately (not in accordance with the law).
Confidentiality is a duty of confidentiality that arises when information is inherently confidential because of
its nature (e.g. medical or disciplinary information about a student or employee) or where information is given
in circumstances where there is an express acknowledgement of confidentiality or where an obligation of
confidence is implied (e.g. counselling discussions between a guidance officer and a student or between an
employee and an employee assistance provider), where there is a contractual obligation of confidence or
where a statute imposes such an obligation.
Contracted service provider for the purposes of s.34 of the Information Privacy Act 2009, is a person or
organisation who is engaged under a service arrangement with DET, and is required to comply with the
privacy principles as if it were DET.
Delegate is an officer of DET delegated by the Director-General or Minister through an instrument of
delegation to exercise the Director-General's or Minister's powers under an Act - as if they were the Director-General or Minister (e.g. power to disclose information under s.426(4)(e) of the Education (General Provisions)
Act 2006).
Disclose personal information means to cause information to appear, allow it to be seen, make it known or
reveal it. This includes giving access to such information (e.g. allowing another person to view personal
information on a DET computer).
For the purposes of the Information Privacy Act 2009, an entity (the first entity) discloses personal
information to another entity (the second entity) if:
• the second entity does not know the personal information, and is not in a position to be able to find it out
• the first entity gives the second entity the personal information, or places it in a position to be able to find it out, and
• the first entity ceases to have control over the second entity in relation to who will know the personal information in the future.
Employee is any permanent, temporary, seconded or contracted staff member, contractors and consultants,
volunteers who assist staff with their professional duties, or other person who provides services on a paid or
voluntary basis to the department that are required to comply with the department's policies and procedures.
Within schools this includes principals, deputy principals, heads of departments, heads of curriculum,
guidance officers, teachers and other school staff.
Information Access Officer is a person within the business unit or school that assists in the facilitation of
DET's compliance and awareness with Right to Information (RTI) and Information Privacy (IP) reforms.
Information Privacy Principles (IPP) means the information privacy principles in Schedule 3 of the
Information Privacy Act 2009.
Legislative compliance means complying with the statute law (e.g. complying with the Acts that govern
DET's operations).
Personal information is information or an opinion, including information or an opinion forming part of a
database, whether true or not, and whether recorded in a material form or not, about an individual whose
identity is apparent, or can reasonably be ascertained, from the information or opinion.
Primary legislation is legislation that DET is responsible for administering under an Administrative
Arrangements Order; such legislation usually authorises and directs DET's operations.
QCAT means Queensland Civil and Administrative Tribunal.
Queensland State schools includes independent public schools.
2.0 Types of personal information
DET provides full details of the different types of information it holds on its website at:
http://deta.qld.gov.au/information-privacy/types-of-information.html.
3.0 Personal information – DET primary legislation
DET's primary legislation is as follows:
• Education and Care Services Act 2013
• Education (Accreditation of Non-State Schools) Act 2001
• Education (General Provisions) Act 2006
• Education (General Provisions) Regulation 2006
• Education (Overseas Students) Act 1996
• Education (Queensland Studies Authority) Act 2002
• Education and Care Services National Law (Queensland) Act 2011
• Education and Care Services National Law (Queensland) Regulation 2011
• Education and Care Services National Law Act 2010, AKA Education and Care Services National Law (Queensland)
• Education and Care Services National Regulations (NSW)
• Public Service Act 2008
• Public Service Regulations 2008
• Vocational Education, Training and Employment Act 2000.
It is important to note that the confidentiality provisions outlined in these Acts are offence provisions. A
breach of any one of these provisions may render an individual liable to a fine. A breach of the legislation
may also make an individual liable to disciplinary action under the Public Service Act 2008.
In addition to the provisions under the primary legislation, DET is subject to the IP Act. DET employees are
obliged by this policy and other departmental policies to comply with the requirements of the IP Act in the
performance of their duties, where DET's primary legislation does not override the requirements of the IP Act.
An overview of the process and compliance requirements for DET employees when dealing with personal
information about employees, students and parents is set out in a flowchart in Appendix A. The above
legislative provisions are articulated in detail below.
3.1 Legislation coverage by sector and purpose
In general, recording, use or disclosure of confidential/personal information is prohibited except where
permitted by the law which sets out the prohibition. Each of the primary legislation and the relevant
prohibition provisions is outlined below:
Table's legend:
EGPA = Education (General Provisions) Act 2006
EGPR = Education (General Provisions) Regulation 2006
VETE = Vocational Education, Training and Employment Act 2000
ECSA = Education and Care Services Act 2013
QSA = Education (Queensland Studies Authority) Act 2002
ANSSA = Education (Accreditation of Non-State Schools) Act 2001
ECSNL = Education and Care Services National Law (Queensland)
PSA = Public Service Act 2008
PSR = Public Service Regulation 2008
Table one: Primary legislation by sector
Sector | Act | Section | Topic
State schooling | EGPA | s.37 | Confidentiality of information about criminal history
State schooling | EGPA | s.251D | Confidentiality of student account information
State schooling | EGPA | s.373 | Confidentiality of financial data obtained from non-state schools
State schooling | EGPA | s.426 | Confidentiality of student personal information
State schooling | QSA | s.21ZB | Confidentiality of student account information
Non-State Schooling | ANSSA | s.173 | Confidentiality of information obtained in the course of performing functions under the Act
Child Care | ECSA | s.216 | Confidential information about a person's affairs gained during administration of the Act
Child Care | ECSNL | s.273 | Confidentiality of personal information gained during exercise of functions under the law. N.B. in relation to this information, if the ECSNL does not apply to the personal information the default regime will be the Privacy Act 1988 (Cwlth)
Training | VETE | s.286 | Confidential information gained during exercise of power or performance of functions under the Act
Table two: The common permissions for recording, using or disclosing information are set out below and linked to the relevant provision

Disclosure to the person the information is about
To the person to whom the information relates | s.173(3)(a)(iii) ANSSA

By consent/agreement of the person the information relates to
With the consent of the person to whom the information relates | s.426(4)(b) EGPA; s.251D(2)(b) EGPA; s.37(3)(b) EGPA; s.21ZB(2)(b) QSA
If the person to whom the information relates is an adult or corporation – with the person's consent | s.217(b) ECSA
If the person to whom the information relates is a child – with the consent of the parent of the child | s.217(c) ECSA
With the consent of a person's parent, if the person is a child unable to give consent | s.426(4)(b)
With the written consent of – if the person the information relates to is not a child – the person | s.173(3)(a)(ii)(A) ANSSA
With the written consent of – if the person the information relates to is a child – a parent or guardian of the child | s.173(3)(a)(ii)(B) ANSSA
With the agreement of the person to whom the information relates | s.273(2)(c) ECSNL. N.B. in relation to this information, if the ECSNL does not apply to the personal information the default regime will be the Privacy Act 1988 (Cwlth)

With chief executive's consent/authorisation
With written consent of the chief executive if (i) necessary to assist in averting a serious risk to the life, health or safety of a person OR (ii) in the public interest | s.426(4)(e)(i) EGPA
With the authorisation of the chief executive | s.286(3)(b) VETE
The disclosure is otherwise authorised by the Ministerial Council. | s.273(2)(f) ECSNL. N.B. in relation to this information, if the ECSNL does not apply to the personal information the default regime will be the Privacy Act 1988 (Cwlth)

To the chief executive
To the chief executive for the purpose of deciding whether to issue a mature age student notice to the person or cancel a positive notice issued to the person or to exclude the person from a state school under Chapter 12, Part 4, Division 3 of the EGPA. | s.37(3)(a) EGPA
To the chief executive for the purposes of a prescribed agreement | s.173(3)(d) ANSSA
Production of documents to a Court or Tribunal or Council
In compliance with lawful process requiring production of documents or the giving of evidence before a court or tribunal. | s.251D(2)(c) EGPA; s.426(4)(c) EGPA; s.21ZB(2)(c) QSA; s.217(e) ECSA
Ordered by a court, commission or tribunal constituted by law to be disclosed under proceedings before it | s.286(3)(d) VETE
Required under a matter before the council or ombudsman | s.286(3)(c) VETE (disclose)

For a purpose of the Act
For a purpose of this Act | s.36 EGPA; s.426(4)(a) EGPA; s.21ZB(2)(a) QSA; s.217(a) ECSA
For a purpose of chapter 10 | s.251D(2)(a) EGPA
Under this Act | s.286(3)(a) VETE
In the performance of functions under this Act | s.173(3)(a)(i) ANSSA (Disclose)
In the performance of functions under this part | s.373(3)(a)(i) EGPA
In the exercise of a function under, or for the purposes of, or in accordance with, this law | s.273(2)(a) ECSNL. N.B. in relation to this information, if the ECSNL does not apply to the personal information the default regime will be the Privacy Act 1988 (Cwlth)

As permitted or required by another Act or law
Permitted or required by another Act or required by law | s.173(3)(e) ANSSA
Permitted or required by another Act or law | s.37(3)(c) EGPA; s.373(3)(c) EGPA
Permitted or required by another Act (does not include common law disclosures such as natural justice) | s.251D(2)(d) EGPA; s.426(4)(d) EGPA; s.21ZB(2)(d) QSA; s.217(f) ECSA
Otherwise required by law | s.286(3)(e) VETE
Authorised or required by any law of a participating jurisdiction, or is otherwise permitted by law | s.273(2)(b) ECSNL. N.B. in relation to this information, if the ECSNL does not apply to the personal information the default regime will be the Privacy Act 1988 (Cwlth)

Information publicly available
Where the information is otherwise publicly available | s.373(3)(b) EGPA; s.173(3)(b) ANSSA
Where the information relates to proceedings before a court or tribunal and the proceedings are or were open to the public | s.273(2)(d) ECSNL. N.B. in relation to this information, if the ECSNL does not apply to the personal information the default regime will be the Privacy Act 1988 (Cwlth)
Where the information is, or has been accessible to the public, including because it was published for the purposes of, or in accordance with, this Law | s.273(2)(e) ECSNL. N.B. in relation to this information, if the ECSNL does not apply to the personal information the default regime will be the Privacy Act 1988 (Cwlth)

Child welfare
For a purpose directly related to a child's protection or welfare | s.217(d) ECSA

As required under a prescribed agreement
To another state or the Commonwealth Government as part of a prescribed agreement | s.173(3)(c) ANSSA

The above mentioned provisions generally apply to all exercising powers or performing functions under the relevant Act, including past and present DET employees
and the Chief Executive. Specific guidance about compliance with the prohibition provisions is provided in a number of DET policies.
Table three: Outlined below are the most common disclosures that DET employees make in the performance of their duties with a brief explanation as to how each disclosure is lawfully justified
Routine disclosures | Reason to permit disclosure | Applicable statutory exception

Publication
Publishing student information in historical publications and school anniversary publications | With written consent of the school principal only in respect of former students (See EGPA Delegations: power is delegated from Director-General) | s.426(4)(e)(ii) EGPA
Publishing student information in the school newsletter, school bulletin (or notice) board, school website | With student consent (or where the student is a child, and is unable to consent, with the consent of a parent). Procedure: Obtaining and managing student and individual consent | s.426(4)(b) EGPA

Reporting on academic achievement
Biannual reporting of state school student educational performance to parents | For a purpose of the Act - s.425 EGPA 2006 | s.426(4)(a) EGPA
Reporting of information to Queensland Studies Authority | As permitted or required by another Act - See the functions and powers of the QSA under the Education (Queensland Studies Authority) Act 2002. In the compulsory participation phase note also Chapter 10 EGPA, in particular s.251A. Procedure: Management of Student Accounts (QSA Learning Accounts) | ss.251D(2)(d), 426(4)(d) EGPA, s.286(3)(e) VETE

Disclosing student personal information to police, child safety and school transport operators
Reporting student personal information to Queensland Police, Child Safety Officers or School Bus Operators | With written consent of the Regional Director or PAES or PARS or Director Regional Services or school principal, if it is in the public interest (See EGPA Delegations: power is delegated from Director-General). Procedures: Information Sharing under Child Protection Act 1999; Release of Personal Student Information to Operators of School Bus Services; Disclosing Student Personal Information to Law Enforcement Agencies | s.426(4)(e)(ii) EGPA
Disclosing student personal information where it is necessary to do so to assist in averting a serious risk to the life, health or safety of a person, including the person to whom the information relates | With written consent of the Deputy Director-General EQ, Assistant Director-General Student Services, Executive Director DETi, Regional Director or PAES or PARS or Director Regional Services or school principal (power is delegated from Director-General) | s.426(4)(e)(i) EGPA
Disclosing student personal information to Queensland Police, interstate/territory Police and Australian Federal Police and external legal advisers | With written consent of the Executive Director, Legal and Administrative Law Branch (power is delegated from Director-General) | s.426(4)(e)(ii) EGPA
Providing student personal information to transport operators in respect of state school students who have breached the School Transport Code of Conduct | With written consent of the Regional Director or PAES or PARS or Director Regional Services or school principal, if it is in the public interest (power is delegated from Director-General) | s.426(4)(e)(ii) EGPA
Reporting sexual abuse of a student <18 by a DET employee | For a purpose of the Act - s.365 EGPA 2006. Procedure: Allegations Against Employees in the Area of Student Protection | s.426(4)(a) EGPA
Reporting sexual abuse of student <18 s.365 (From 9 July 2012); Reporting likely sexual abuse of student <18 s.365A (From TBA) | For a purpose of the Act - s.365 and 365A EGPA 2006. Procedures: Student Protection; Allegations Against Employees in the Area of Student Protection | s.426(4)(a) EGPA
Child protection reports to child protection officers and police, and SCAN disclosures | As permitted or required by another Act - ss.22, 159L(b)(i), 159M, and 159N of the Child Protection Act 1999. Procedure: Information Sharing under Child Protection Act 1999 | ss. 37(3)(c), 251D(2)(d), 373(3)(c), 426(4)(d) EGPA, s.21ZB(2)(d) QSA, s.217(f) ECSA, s.173(3)(e) ANSSA

Child care disclosures
Disclosing child care information to other authorities. N.B. in relation to this information, if the ECSNL does not apply to the personal information the default regime will be the Privacy Act 1988 (Cwlth) | Disclosed in accordance with the law - s.271 ECSNL | s.273(2)(a) ECSNL
Disclosure of information to education and care services. N.B. in relation to this information, if the ECSNL does not apply to the personal information the default regime will be the Privacy Act 1988 (Cwlth) | Disclosed in accordance with the law - s.272 ECSNL | s.273(2)(a) ECSNL
Disclosure to relevant entities in other jurisdictions | For a purpose of this act - s.218 ECSA | s.217(a) ECSA
Reporting matters of concern to other departments | For a purpose of this act - s.219 ECSA | s.217(a) ECSA

Providing information to other schools
Providing records of state school students to principal of a non-state school or another state school | For a purpose of the Act - s.387 EGPA. Procedure: Enrolment in State Primary, Secondary and Special Schools' Student Transfer Note Form | s.426(4)(a) EGPA
Providing records of state school students to interstate schools | Must be with student consent (or where the student is a child, and is unable to consent, with the consent of a parent). Procedure: Enrolment in State Primary, Secondary and Special Schools' Interstate Student Data Transfer Note Form | s.426(4)(b) EGPA
Automatic access to student's records under OneSchool | For a purpose of the Act | s.426(4)(a) EGPA

Providing schooling information to parents
Giving information as required by sections in the Education (General Provisions) Act 2006 and Education (General Provisions) Regulation 2006 | For a purpose of the Act. Note each requirement to disclose such information also has a discretionary power to not disclose it. See: ss. 75(3), 168(4), 182(5) & 183, 245(3), 281(2), 283(5), 285(6), 288C(1) & (5), 290(6), 295(2), 300(5), 317(5), 324(5), 327(3), 330(3), 386(3), 424(2), 387(6) & (9), 424(2), 425(2) EGPA and ss. 9C(2), 17(2), 19(2), 20(3) and 21(3) EGPR | s.426(4)(a) EGPA
Giving administrative access to certain records held in state schools | For a purpose of the Act. Procedure: Access to Records Held in Schools Procedure | s.426(4)(a) EGPA

Documents and reports related to legal proceedings
Providing a report on a student to parents or solicitors for the purpose of legal proceedings - this includes requests for reports or answers to a series of questions made by independent children's lawyer | For a purpose of the Act – s.62 Education (General Provisions) Regulation 2006 | s.426(4)(a) EGPA
Discovery of documents during litigation (to be dealt with only by the employees of Legal and Administrative Law Branch) | In compliance with a lawful process - personal injuries proceedings act, motor accidents insurance act, evidence act | ss.37(3)(c), 251D(2)(c), 373(3)(c), 426(4)(c) EGPA
Subpoena, summons and search warrants (to be dealt with only by employees of the Legal and Administrative Law Branch) | In compliance with a lawful process | ss.37(3)(c), 251D(2)(c), 373(3)(c), 426(4)(c) EGPA, s.21ZB(2)(c) QSA, s.217(e) ECSA

Requests for information by Commonwealth Government
Requests for information from Centrelink | ss.194/195 of the Social Security (Administration) Act 1999 (Cwlth) (the requests must be in writing and comply with the Social Security (Administration) Act 1999 (Cwlth)) | s.109 Commonwealth of Australia Constitution Act

Right to Information Act 2009 / Information Privacy Act 2009 requests
Right to Information Act 2009 and Information Privacy Act 2009 requests (these are to be dealt with only by the DET RTI Unit) | As permitted or required by another Act – see Right to Information Act 2009 and Information Privacy Act 2009 | ss. 37(3)(c), 251D(2)(d), 373(3)(c), 426(4)(d) EGPA, s.21ZB(2)(d) QSA, s.217(f) ECSA, s.173(3)(e) ANSSA

Natural justice / procedural fairness
Disclosure as part of the obligations of natural justice - school principals are often involved in the making of administrative decisions that have the potential to affect the rights, interests and legitimate expectations of other people, be they students, parents or employees. In general, when making such decisions natural justice requires the disclosure of adverse material which is credible, relevant and significant to the person whose interests may be affected by the decision (see Kioa v. West [1985] HCA 81) (in relation to disciplinary processes under the Public Service Act 2008, the obligation to provide natural justice is set out in s.190(1)). | For a purpose of the Act and as permitted or required by another Act. This is particularly relevant where as part of a decision making process you are obliged to disclose material which contains the personal information of students. This may happen for example during disciplinary processes against students under Chapter 12, Part 4 of the EGPA 2006 or in relation to disciplinary processes against school employees under the Public Service Act 2008. Please note that the disclosure of the identity of particular informants / complainants is not usually necessary to this process, and such details should be blacked out. Procedure: Safe, Supportive and Disciplined School Environment. | In relation to decision making processes under the EGPA 2006, s.426(4)(a) EGPA. In relation to disciplinary processes under the PSA, where the disclosure is required by the PSA, s.426(4)(d) EGPA
Table four: Primary legislation by information privacy principle
Outlined below is an overview of how DET's primary legislation interacts with the IPPs – which IPPs are overridden and which continue to apply.
| Act/Section | Type of information | Aspects of individual privacy regulated by primary legislation | IPPs that do not apply to this information | IPPs that still apply to this information |
|---|---|---|---|---|
| EGPA s.36 | Criminal history personal information | Use of personal information | IPPs 10 and 11 | IPPs 1-9 |
| EGPA s.37 | Criminal history personal information | Disclosure of personal information | IPPs 10 and 11 | IPPs 1-9 |
| EGPA s.251D | Student account personal information | Recording and disclosure of personal information | IPPs 10 and 11 | IPPs 1-9 |
| EGPA s.373 | Financial data | None | Nil | Nil |
| EGPA s.426 | Student personal information | Recording, use and disclosure of personal information | IPPs 10 and 11 | IPPs 1-9 |
| QSA s.21ZB | Student account personal information | Recording and disclosure of personal information | IPPs 10 and 11 | IPPs 1-9 |
| VETE s.286 | Information, including personal information | Disclosure of personal information | IPP 11 | IPPs 1-10 |
| ECSA s.216 and 217 | Personal affairs information, including personal information | Recording, use and disclosure of personal information | IPPs 10 and 11 | IPPs 1-9 |
| ANSSA s.173 | Protected information, including personal information | Disclosure of personal information | IPP 11 | IPPs 1-10 |
| ECSNL s.273 | Personal information (N.B. in relation to this information, if the ECSNL does not apply to the personal information the default regime will be the Privacy Act 1988 (Cwlth)) | Disclosure of personal information | IPP 11 (Privacy Act 1988 (Cwlth) applies) | IPPs 1-10 (Privacy Act 1988 (Cwlth) applies) |
4.0 Information privacy principles
The IP Act sets out the legislative framework to protect the personal information of individuals, gives
individuals the right to access and amend their own personal information, and sets out the rules for how DET
handles personal information when DET's primary legislation does not apply. Refer to the Office of the
Information Commissioner's guidelines – privacy principles for a comprehensive breakdown of the principles.
The sections below outline advice mainly provided from the Office of the Information Commissioner's website.
While the Information Privacy Principles are, in part, overridden by DET's primary legislation, they still fully
apply to all personal information not covered by DET's primary legislation and will apply at least in part to all
personal information handled by DET.
4.1 Collection of personal information (IPPs 1 to 3)
When DET (its employees and contractors) is collecting personal information, this must be done lawfully and
in the fairest, simplest way to ensure protection of people's personal information and minimise the risk of
breach of the Information Privacy Act 2009.
Fundamental questions to ask are:
• What information is needed to carry out DET's purpose?
• Can the purpose be achieved without collecting it?
When collecting personal information DET must have a specific purpose, not collect any more than is
necessary, and not use unfair or unlawful means of collection. Collecting personal information because DET
thinks it may need it at some time in the future is likely to breach the privacy principles relating to collection.
Only IPP 1 applies to an individual giving information to DET without it being requested (unsolicited
information).
IPP 2 applies only where DET collects the information directly from the individual. In these instances a
privacy notice (see Appendix B) should be administered. Privacy notices are provided to inform individuals of
the use when their personal information is collected. Personal information is disclosed only to the individual
to whom the information applies or, when disclosure is properly authorised under legislation or with consent
using the Obtaining and Managing Student and Individual Consent procedure, where applicable.
IPP 3 applies where:
• DET asks the individual for the information
• DET asks someone else (for example, another agency) for information about an individual.
4.2 Storage and security of personal information (IPP 4)
Information Privacy Principle (IPP) 4 relates to the security of personal information. It requires DET to ensure
that they apply appropriate protections to the personal information they control. This means that, even where
documents are being held by another body or person, if DET has the ability to exercise control over them it
must take the steps necessary to ensure they are protected. Refer to the Information and Communication
Technology (ICT) procedure's ICT security section.
4.3 Provision of personal information (IPP 5) and access to
and amendments of documents containing personal
information (IPP 6 and 7)
Information Privacy Principles (IPPs) 5, 6 and 7 concern the transparency of DET actions when dealing with
personal information and ensuring that the individuals the information is about are able to exercise some
measure of control over it.
These IPPs require DET to:
• make people aware of what kinds of personal information they hold and why
• tell people how they can get access to it
• state how they can seek to have it amended if they believe it is not accurate.
Chapter three of the Information Privacy Act 2009 (IP Act) creates a legal right of access to, and amendment
of, documents containing an individual's personal information. It applies to more government entities and
documents than those subject to the privacy principles, but all bodies subject to the privacy principles (the
IPPs or the National Privacy Principles (NPPs)) are covered by chapter three. For this reason, in the majority
of circumstances, compliance with IPPs 6 and 7 will be achieved by compliance with chapter three of the IP
Act.
The exceptions to this will be where the entity is a bound contracted service provider under section 35 of the
IP Act. Bound contracted service providers are subject to the privacy principles but not to chapter three of
the IP Act. The requirements of chapter three can be a guide for how bound contracted service providers can
meet their obligations under IPPs 5, 6 and 7.
4.4 Checking accuracy of personal information (IPP 8) and
use of personal information (relevance) (IPP 9)
Information Privacy Principles (IPPs) 8 and 9 are concerned with ensuring that the information used by DET
is accurate, up-to-date and complete, and that DET only uses what is relevant of the information they hold
for the purpose of its business at that time.
'Accurate, up-to-date and complete' will be collectively referred to in this section as 'accurate', except where
each requirement is explained. Accuracy of information is particularly important where it is being used to
make decisions. If the information is not accurate, the use may be a breach of IPP 8.
IPP 8 and 9 ensure that, whenever DET uses personal information, it first ensures that it is accurate and
relevant. This helps DET make fair and lawful decisions, based on reliable information. IPP 8 requires DET
to take reasonable steps to ensure that personal information is accurate. The reasonable steps required to
ensure accuracy in particular circumstances will depend on several factors, including:
• the nature of the information
• how recently the information was collected
• how quickly the information can go out of date
• who provided the information
• the purpose for which the organisation uses the information
• the consequences for the individuals concerned if the data is not sufficiently accurate, complete and up-to-date.
The type of information, and the consequences that may flow from poor data quality, will be a key factor in
determining whether the steps DET takes are reasonable. Some information, if incorrect when used, may
simply irritate the individual it is about, for example, the misspelling of a name. However, some incorrect
information may have significant adverse impacts on an individual, for example, recording an individual's age
incorrectly when they are applying for an age-based entitlement.
Like IPP 8, IPP 9 applies only where DET is intending to use the personal information it holds. DET holds a
great deal of personal information and not all of it will be relevant to every use relating to the individual it is
about. In order to ensure that the use does not breach IPP 9, DET must take care only to use that part of the
information which is relevant.
Relevance is also discussed in the section on IPP 3, and the phrase 'directly related' is examined in the
section on IPP 1. The same principles apply when considering IPP 8. Generally, DET must consider:
• the use to which the personal information is to be put
• whether the personal information is directly related to that use.
When considering whether the personal information is relevant to the purpose, DET should consider:
• what DET is trying to achieve when it uses the information
• any legislation or policies that relate to or govern that use.
4.5 Limits on the use of personal information (IPP 10) and
limits of disclosing personal information (IPP 11)
IPP 10 provides that personal information may only be used for the purpose for which it was obtained and
not for any other purpose, unless one of the exceptions applies as set out under Information Privacy Act
2009, Schedule 3, IPP 10 (1) (a) to (f). IPP 11 provides that personal information must not be disclosed
outside DET unless one of the exceptions applies. Additionally, when certain exceptions are relied upon, the
use or disclosure must be noted on the record containing the personal information. For example, where
personal information is disclosed, with reliance on Information Privacy Act 2009, Schedule 3, IPP 11, DET is
required to ensure that the recipient does not use it for any other purpose.
There are a number of additional considerations to take into account, in addition to the primary legislation.
Table five: Information Privacy Act 2009 by example and DET policy
Relationship with other Acts requiring access to or amendment of personal information
Example: Where a provision in the Education (General Provisions) Act 2006 (EGPA) allows access and amendment of personal information.
Role: All employees
Policy: -

Relationship with other Acts prohibiting disclosure of information
Example: The Information Privacy Act 2009 operates other than where another Act, for example, the EGPA prescribes collection, storage, handling, accessing, amendment, management, transfer, use and disclosure of personal information.
Role: All employees
Policy: -

Transfer of personal information outside Australia
Example: Student personal information is held in a non-departmental web service which is physically located overseas. DET may do this if the individual agrees to the transfer; or the transfer is authorised or required under a law; or the agency is satisfied on reasonable grounds that the transfer is necessary to lessen or prevent a serious threat to the life, health, safety or welfare; or (2 or more of these) (i) the agency reasonably believes that the recipient of the personal information is subject to law, binding scheme or contract that effectively upholds principles for the fair handling of personal information that are substantially similar to the IPPs or, (ii) if the agency is the Health Department, the NPPs; the transfer is necessary for the performance of the agency's functions in relation to the individual; (iii) the transfer is for the benefit of the individual but it is not practicable to seek the agreement of the individual, and if it were practicable to seek the agreement of the individual, the individual would be likely to give the agreement; (iv) the agency has taken reasonable steps to ensure that the personal information it transfers will not be held, used or disclosed by the recipient of the information in a way that is inconsistent with the IPPs or, if the agency is the Health Department, the NPPs.
Role: All employees
Policy: See Appendix C: Consent to transfer personal information overseas. Obtaining and Managing Student and Individual Consent procedure.

Binding a contracted service provider to the privacy principles
Example: A contracted service provider, as outlined in the service contract, is bound to abide by the Information Privacy Act 2009, as if they were the agency. The agency entering into the service arrangement must take all reasonable steps to ensure that the contracted service provider is required to comply with the Information Privacy Act 2009.
Role: All employees/business unit or schools engaging and administering service contracts with contracted service providers
Policy: Purchasing and Procurement procedure

Disclosure and Amendment of personal information under the IP Act
Example: To be dealt with by the RTI Unit
Manager, Information Release
Legal and Administrative Law Branch
Department of Education and Training
PO Box 15033 City East QLD 4002
Phone: (07) 3237 0819
Facsimile: (07) 3247 5286
Email: rti@deta.qld.gov.au
Role: -
Policy: Access to Records Held in Schools procedure; Information Management (IM) procedure

Protections and offences
Example: Under the Information Privacy Act 2009 there are prescribed protections against actions for defamation or breach of confidence – if a person has been given and access was required or permitted to be given under this Act; or the access was authorised by a decision-maker, in the genuine belief that the access was required or permitted to be given under this Act – protections are in place under the Act. Also as for publication. A person must not give a direction, either orally or in writing, to a person (an employee or officer of the agency) required or permitted to make a decision under this Act directing the person to make a decision the person believes is not the decision that should be made under this Act; a person must not, in order to gain access to a document containing another person's personal information knowingly deceive or mislead a person exercising powers under this Act.
Role: All employees
Policy: -
Table six: Documents not covered by the privacy principles
There are a number of documents that are exempt from the IPP requirements.
Covert activity
A document to the extent it contains personal information — (a) arising out of, or
in connection with, a controlled operation or controlled activity under the Police
Powers and Responsibilities Act 2000 or the Crime and Misconduct Act 2001, or
(b) arising out of, or in connection with, the covert undertaking of an operation,
investigation or function of a law enforcement agency, or (c) obtained under a
warrant issued under the Telecommunications (Interception and Access) Act 1979
(Cwlth).
Witness protection
A document to the extent it contains personal information about a person who is
included in a witness protection program under the Witness Protection Act 2000
or who is subject to other witness protection arrangements made under an Act.
Disciplinary actions and misconduct
A document to the extent it contains personal information arising out of — (a) a
complaint under the Police Service Administration Act 1990, part 7, or (b) a
complaint, or an investigation of misconduct, under the Crime and Misconduct Act
2001.
Public interest disclosure
A document to the extent it contains personal information — (a) contained in a
public interest disclosure under the Public Interest Disclosure Act 2010, or (b) that
has been collected in an investigation arising out of a public interest disclosure
under the Public Interest Disclosure Act 2010.
Cabinet and executive council
A document to the extent it contains personal information that is also the subject
of the Right to Information Act 2009, schedule 3, section 1, 2 or 3.
Commissions of inquiry
A document to the extent it contains personal information arising out of a
commission of inquiry.
Other
A document that is — (a) a generally available publication, or (b) kept in a library,
art gallery or museum for the purposes of reference, study or exhibition, or (c) a
public record under the Public Records Act 2002 in the custody of Queensland
State Archives that is not in a restricted access period under that Act, or (d) a
letter, or anything else, while it is being transmitted by post.
Table seven: Entities to whom the privacy principles do not apply
There are a number of entities that are exempt from the IPP requirements.
Entities to which the privacy principles do not apply
1. The Assembly, a member of the Assembly, a committee of the Assembly, a member of a committee of the Assembly, a parliamentary commission of inquiry or a member of a parliamentary commission of inquiry.
2. The Parliamentary Judges Commission of Inquiry appointed under the expired Parliamentary (Judges) Commission of Inquiry Act 1988.
3. A commission of inquiry issued by the Governor in Council, whether before or after the commencement of this schedule.
4. A parents and citizens association under the Education (General Provisions) Act 2006.
5. A grammar school to which the Grammar Schools Act 1975 applies.
6. A government owned corporation or a subsidiary of a government owned corporation.

Entities to which the privacy principles do not apply in relation to a particular function
1. A court, or the holder of a judicial office or other office connected with a court, in relation to the court's judicial functions.
2. A registry or other office of a court, or the employees of a registry or other office of a court in their official capacity, so far as its or their functions relate to the court's judicial function.
3. A tribunal in relation to the tribunal's judicial or quasi-judicial functions.
4. A tribunal member or the holder of an office connected with a tribunal, in relation to the tribunal's judicial or quasi-judicial functions.
5. A registry of a tribunal, or the employees of a registry of a tribunal in their official capacity, so far as its or their functions relate to the tribunal's judicial or quasi-judicial functions.
6. A quasi-judicial entity in relation to its quasi-judicial functions.
7. A member of, or the holder of an office connected with, a quasi-judicial entity, in relation to the entity's quasi-judicial functions.
8. The employees of a quasi-judicial entity in their official capacity, so far as their functions relate to the entity's quasi-judicial functions.
5.0 Guide for state schools
Queensland State schools collect, use and disclose personal information of students, parents and
employees on a daily basis.
This is a guide only to assist with normal operations within schools. Legal advice should be sought from
DET's Legal and Administrative Law Branch for specific circumstances requiring further legal advice.
5.1 Is the information 'personal information'
Personal information is information or an opinion (including captured electronically in databases, true or
untrue, whether in material form (e.g. paper) or not) about a person whose identity is apparent, or can
reasonably be ascertained.
For example, a student's name and address, marital status of a student's parents, a teacher's qualification
level, or school community member's home address.
All other information is non-personal departmental information. For example, school operational plans, de-identified school achievement reporting, or school announcements that do not include personal information
(e.g. employee's names, student names). All non-personal departmental information can be handled in
accordance with the Information Management (IM) procedure's information security classifications section.
The Information Privacy Act 2009 does not apply to a Parent and Citizens Association under the Education
(General Provisions) Act 2006.
5.2 Collection of personal information (lawful, fair and
relevant)
When collecting personal information, schools can only collect the information necessary to fulfil their function
of providing an educational program to state school students. For example, collecting unnecessary
background or financial information about someone would be a breach of the Information Privacy Act 2009.
Key questions to ask when collecting personal information, or when you have been given personal information without making a request
(for example, a parent gives you a written detailed family history of a student):
• What is the purpose?
• What is the function or activity?
  - The answer to this question must be based in law. Check the objects of the Education (General
    Provisions) Act 2006 (Part 3 – Objects) for further guidance.
    For example, collecting student and parent personal information via the enrolment agreement (e.g.
    student date of birth, parent daytime contact phone number), to enable the school to provide an
    educational program to the student.
• Is all of the information required?
  - Only collect information that is necessary to fulfil the school's operational need. Collecting information
    that is not required is a breach of IPP 1.
    For example, collection of parent financial information is required for national reporting. You only need
    to collect the financial information (e.g. salary or wage level) at the point in time that you collect the
    information. Asking for previous financial history is not required (e.g. average salary over the last 5
    years).
• What does a person need to know about 'why' the school is collecting their personal information from
  them?
  - If you are collecting personal information from an individual, you need to give that person a 'privacy
    notice' letting them know:
    - Why their information is being collected, including any law that allows or requires the collection.
    - How DET is going to use their personal information and to whom it will be given (any person or
      body to whom DET usually gives the information).
    - If any person or body to whom your school gives the information in turn gives it to another person or
      body.
    - If there are one or more purposes for collection, you need to outline each reason for collection so
      the person has a choice to agree or disagree to collection. For example, separate 'marketing
      purposes' from 'assessing your child's application for enrolment'.
• How do I draft a 'privacy notice'?
  - Preparing and providing a privacy notice is detailed in Appendix B.
• Where do I need to put the 'privacy notice'?
  - forms
  - telephone scripts (if you give a verbal privacy notice – keep a detailed file note)
  - websites
  - pamphlets
  - notice boards/displays at service counters
  - correspondence.
• Is the information relevant to the operations of the school?
  - Always try to collect the information from the relevant individual wherever possible (i.e. rather than
    another agency).
  - Your school must make sure that only information that is relevant, up-to-date, and complete is being
    collected.
  - Note the date on which the information is collected; this will assist with currency assessment later on.
  - Make sure collection of personal information is not unreasonably intrusive in a person's affairs. For
    example, asking about sensitive personal affairs, invading their private property, repeatedly and
    unnecessarily asking for the same information.
Quick check
• Review all of your forms, questionnaires and other tools that you use to collect personal information – do
  they meet the questions posed above?
• Compare each of these tools with the purposes of the functions of DET (guided by the objects of EGPA
  2006 – Part 3 – Objects).
• Ensure they are all necessary data collections and do not collect more personal information than is
  necessary.
5.3 Storing and securing personal information
When storing and securing personal information you must make sure appropriate protections are in place to
protect against loss, unauthorised access, use, modification, disclosure or other misuse.
Further DET guidance on security measures can be found in the Information and Communication
Technology (ICT) procedure.
Schools hold extensive amounts of personal information about employees and students, for example, birth
origin and date, criminal history, etc. This information carries the potential for identity theft, financial harm to
the person if misused, or it could be used to the detriment of the person's life, safety, liberty, reputation or
livelihood. Extra care should be taken by school principals to develop appropriate strategies to protect
personal information in all operations within the school.
How do you safeguard personal information?
• limit access to those people with a need to know the information
• use audit logs to deter and detect security breaches
• secure places where information is physically stored
• secure data during and after transmission.
What do you do if you suspect personal information security has been compromised?
• speak with your direct supervisor, and
• seek advice from DET's Legal and Administrative Law Branch.
5.4 Access to personal information applications
Any person who has had their personal information collected by DET has the right to seek access to that
information.
An access to personal information request can be made through DET's Right to Information and Information
Privacy application website.
All school principals must follow DET's Access to Records Held in Schools procedure, when providing
access to certain documents held in school under an administrative arrangement.
5.5 Using personal information (up-to-date, accurate and
relevant)
The personal information collected by schools must be kept accurate, complete and up-to-date. Only the
relevant parts of this information can be used to fulfil the purpose for which it was originally obtained.
The agreed use of personal information is for searching purposes (looking for a student record for example)
and to transfer the information within the school or department. However, the person to whom the
information relates must be aware that their personal information will be used in this way and transferred to
another area of DET.
The only circumstances where a school can use personal information for a purpose other than the reason it
was originally collected are any of the following:
• through a new agreement with the person (can be expressed or implied)
• there is a serious threat to health, safety or welfare
• it is required or authorised under a law
• for law enforcement
• it is a directly related purpose as under the original agreement for use
• it is required for research or statistics in a de-identified form.
5.6 When can I disclose personal information?
There are strict limits on the disclosure of personal information. Where disclosure is allowed, you must
ensure that further disclosure of personal information by a third party is not occurring (e.g. a contractor using
the personal information for other purposes).
A full overview of the legislation and DET policies covering disclosure is outlined in Table three on page 10
of this guideline.
6.0 Department contact details
Manager, Information Policy
Information and Technologies Branch (ITB)
Phone: (07) 3034 4313
RTI Unit
Manager, Information Release
Legal and Administrative Law Branch
Department of Education and Training
PO Box 15033 City East QLD 4002
Phone: (07) 3237 0819
Facsimile: (07) 3247 5286
Email: rti@deta.qld.gov.au
Appendix A: Flowchart to identify which legislation protects the
different types of personal information
[Flowchart: Managing personal information about employees, students and parents. Starting from the question "Is the information 'personal information'?", the flowchart uses yes/no questions to separate employee information, student information and non-personal departmental information, and shows under which authority each type of information is recorded and/or disclosed. Legislation named in the flowchart: Information Privacy Act 2009; Education (General Provisions) Act 2006; Education (Queensland Studies Authority) Act 2002; Education and Care Services Act 2013; Education (Accreditation of Non-State Schools) Act 2001; Education and Care Services National Law (Queensland) Act 2011; Privacy Act 1988 (Cwlth); Public Service Act 2008; Public Service Regulation 2008.]
Appendix B: Preparing and providing a privacy notice
Preparing and providing a privacy notice
A privacy notice communicates the Department of Education and Training's intent when collecting an
individual's personal information. The collection notice explains:
• why the personal information is being collected
• what departmental legislation (if any) authorises the collection
• any usual practice to disclose personal information to another entity and if the other entity is known to further disclose. For example, include details about outsourcing arrangements involving personal information or other inter-governmental data sharing/data matching arrangement
• any outsourcing arrangements involving personal information.
A privacy notice is not the same as asking for consent to use or disclose personal information.
Writing the privacy notice
A simple drafting format follows. The instruction '<Insert 1>' refers to inserting the description listed
against the corresponding number under 'What to include in the privacy notice' below.
The Department of Education and Training through <Insert 1> is collecting <Insert 2> in
accordance with <Insert 3> in order to <Insert 4>. The information will only be accessed by
<Insert 5>. <Some of this information/This information> may be given to <Insert 6> for the
purpose of <Insert 7>. The information will not be given to any other person or agency unless
<Insert 8>.
What to include in the privacy notice
When drafting the privacy notice in accordance with the Information Privacy Act 2009 (IPP 2), include:
Insert 1: name of business unit or school
Insert 2: type/s of information being collected, e.g. 'your personal information'
Insert 3: legislation requiring or allowing for collection of the information, e.g. Vocational Education, Training and Employment Act 2000, Education (General Provisions) Act 2006 or Education and Care Services Act 2013
Insert 4: why the information is being collected (e.g. the business unit or school's purpose for collection)
[Our control]
Insert 5: who will use the information
Insert 6: who the information will, or may be, given to
Insert 7: purpose for which the information will be used once given to a third party (if known)
Insert 8: any other circumstances in which information will be given away (e.g. where required by law) and/or steps that will be taken by the business unit or school if it is proposed to give the information to anyone other than the person or agency listed in 'Insert 6' above (such as asking for the person's consent).
Example of privacy notice
The following can be used when personal information is being collected and will be retained within Australian
legal jurisdiction.
The Department of Education and Training through {name of School} is collecting your personal
information in accordance with {section XX of the <name of Act>} in order to {state the purpose
for collection}. The information will only be accessed by {authorised employees within the
department}. (Some of) this information may be given to {name the company delivering the ICT
service} for the purpose of {state the purpose for handing over the personal information}.
The information will not be given to any other person or agency unless {you have given us
permission or we are authorised or required by law}.
In the case of a survey where data is stored on overseas servers use:
The Department of Education and Training through {name of school} is collecting your
personal information in accordance with {section XX of the <name of Act>} in order to {state
the purpose for collection}. The <type of ICT service e.g. survey> is being conducted using
<name of ICT service provider and ICT tool> which is based in <name country>. Information
you provide on this <type of ICT service e.g. survey> will be transferred to <name of ICT
service's tools> server in the <name of country>. By <completing this survey/providing this
information> you agree to this transfer.
Presenting the privacy notice
A privacy notice may be presented in a form which suits the circumstances and the needs of the individual.
For example, notices may be:
• printed on collection forms, or attached to the form or given to the individual as a separate document
• posters and/or pamphlets publicly displayed or available at the location where service is provided
• part of an electronic log-in process to an ICT system or service
• a verbal script used by employees who manage phone enquiries
• a website privacy notice on a departmental web page
• as part of a disclaimer in an email message
• in languages other than English or involve the services of an interpreter
• in a form that meets the needs of an individual who may be physically impaired or who does not have sufficient capacity to understand.
Presenting an online privacy notice
Ways in which a privacy notice may be presented online when using a non-departmental online ICT service
include:
• a paragraph on a business unit or school web page which directs (by hyperlink) the individual, whose personal information will be collected, to the ICT service where the information is to be collected and used
• a paragraph on a business unit or school web page which includes a mandatory field checked by the individual as acknowledgment of acceptance before they can proceed
• a paragraph on a web page where collection is to occur, e.g. on a service provider's website if it can be configured specifically for use by the business unit or school
• a paragraph on a form, or written notice attached to the form, which is being used to collect the personal information before being given to the service provider. This form may be downloaded from a website but managed as a paper form.
People may sign to acknowledge they have read and understand the privacy notice or click a mandatory field
before being able to submit an online form.
Appendix C: Consent to transfer personal information overseas
Consent is obtained in accordance with Obtaining and Managing Student and Individual Consent procedure.
If the use of the ICT service is voluntary (for example, the responsible adult or participant can choose, or not
choose, to become involved), the individual's agreement can be obtained as part of the collection process
and added to the example below.
This may also be used when the collection is voluntary and the personal information is collected from a
responsible adult or older student and is to be transferred overseas.
The <type of ICT service> is being conducted using <name of ICT service provider and online
tool> which is based in <name country>. Information you provide on this <type of ICT service>
will be transferred to <name of ICT service's tools> server in the <name of country>. By
<completing this activity/providing this information> you agree to this transfer.