With the advancement of modern technology, organisations (including schools) are lucky enough to be able to manage the impact of COVID-19 through remote working and learning arrangements.
However, many schools are navigating unchartered waters trying to determine what resources and tools are needed to ensure students and teachers are supported and whether these tools can easily be used from home.
A privacy impact assessment provides a useful framework to screen for privacy issues and may help to further mitigate any privacy risks associated with remote learning arrangements.
Why assess privacy risks at the moment?
Right now, it’s more important than ever, because we are sharing and disclosing a magnitude of personal, confidential and sometimes even sensitive information online.
Under Australian Privacy Principle 11, organisations must take active measures to protect personal information they hold from misuse, interference and loss, as well as unauthorised modification or disclosure. Organisations also have obligations under the Notifiable Data Breach Scheme.
Assessment – key considerations
Collection:
- What personal/confidential/sensitive information will be collected?
- How will it be collected?
- How will consent to use and disclosure be obtained?
Consider these questions in the context of each learning platform that you’re using.
Use:
- Is the user aware of uses of their personal information?
- What measures are in place to ensure the information is used only the primary purpose of collection OR related secondary purpose?
- If the information is sensitive information, will use by with consent or only for primary purpose?
Disclosure:
- To whom will information be disclosed?
- Will information be disclosed only for the purposes for which it was collected?
- What measures are in place to vet the privacy practices of any recipient?
NB: You should also consider whether the Collection, Use and Disclosure of the information is consistent with your own internal privacy policy.
Security:
- What security measures apply to this personal information? Do we have adequate cybersecurity and suitable policies?
- Do all devices, and firewalls have the necessary updates and the most recent security patches (including to operating systems and antivirus software) and have strong passwords?
- Have you implemented a secure method for staff to access your network and system?
- Do you have a system in place that all users are aware of in the event of a potential data breach?
Education:
- Are staff members educated on ICT and cyber security practices, such as identifying hazards, how to ‘lock rooms’, disciplining or removing students from rooms, and use of passwords and encryption?
- Are staff members educated on physical security and the handling of personal information when working from home?
- Is there a policy that covers information security when staff members work offsite, such as from home, a secondary site office or a temporary office?
How we can help
If you’re uncertain as to how your current policies and practices may equip you for the new environment, may wish to consider:
- Reviewing, updating and amending your privacy policy;
- Implementing and/or reviewing a data breach response plan;
- Drafting consent forms for parents and students, detailing the types of programs they will be using and what information may be collected/used/disclosed; and
- Training your staff on their rights and obligations.
Moores can provide assistance with all of the above and be available for online training with staff members. For more information, please do not hesitate to contact us.