Purpose of this policy

To ensure schools maintain privacy of information.


Schools must:

  • adopt the Department’s Schools’ Privacy Policy (this can be achieved by creating a link to the policy on the school’s website)
  • abide by legislative privacy requirements in relation to how personal and health information is collected, used, disclosed and stored
  • be reasonable and fair in how this information is treated, not only for the benefit of staff and students, but also to protect the school’s reputation




The Privacy and Data Protection Act 2014 applies to all forms of recorded information or opinion about an individual who can be identified, including photographs and emails.  It establishes standards for the collection, handling and disposal of personal information and places special restrictions on ‘sensitive information’ such as:

  • racial or ethnic origin
  • political views
  • religious beliefs
  • sexual preference
  • membership of groups
  • criminal record.

The Health Records Act 2001 establishes standards for the collection, handling and disposal of health information including a person’s

  • physical, mental or psychological health
  • disability.

Health information can also include access to health services and the nature of these services; however this type of information does not have to be recorded to be classified as health information.

Objectives and principles

The objectives of privacy laws are to:

  • balance the public interest in the free flow of information while protecting personal and health information
  • empower individuals to manage, as far as practicable, how personal and health information is used and disclosed
  • promote responsible, open and accountable information handling practices
  • regulate personal information handling by applying a set of information privacy principles.

Information privacy principles create rights and obligations about personal and health information; however these only apply when they do not contravene any other Act of Parliament.  In most cases there will be no contradiction as the relevant action falls within one of the exceptions within the information privacy principles.  

School compliance strategies

Some strategies schools can implement to ensure compliance with the privacy legislation include:

  • nominating a person to manage and review the school’s privacy practices
  • conducting a privacy audit to determine what information the school collects, how information is used and with whom information is shared
  • examining data security arrangements
  • ensuring all staff, including volunteers, are aware of and compliant with the Schools’ Privacy Policy and supporting documents

Privacy exemptions

Personal and health information can be disclosed for a purpose other than that for which it was collected and without the person’s consent when the disclosure is:

  • necessary to lessen or prevent a threat to life, health or safety
  • required, authorised or permitted by law or for law enforcement purposes
  • used for research or compilation of statistics in the public interest, in certain limited circumstances.  Any research in schools must be first approved by the Office for Policy, Research and Innovation.


Privacy and duty of care

Privacy laws recognise and permit schools to collect, use and disclose information so that they can comply with their duty of care to students.  A key element of duty of care is that the processes and procedures used are documented and records kept.


Privacy and parents/guardians

To assist decision making about a student’s needs, schools inform parents/guardians of the student’s academic progress, behaviour, educational options or special educational requirements.

Privacy laws do not restrict this use of the information, as this is the purpose for which it is collected.

Enrolment information

Schools must:

  • provide a privacy collection notice with the enrolment form explaining to the parents and student why this information is being collected, what it is used for, where it might be disclosed and how they can access information held about them
  • only use the information collected during enrolment for the purposes for which it was collected.  Disclosure for an unrelated purpose requires parental consent or, in the case of a secondary student, the consent of the parent and student, unless the circumstances fall within one of the above privacy exemptions.


Health information

Health related information can be kept confidential by the principal, or shared with:

  • selected staff to the extent they need to know to care for the student, or
  • all staff when they need to know in case of emergencies.

Note 1: Counselling services are health services and records are confidential health records.  Confidentiality of information disclosed during a counselling session must be maintained unless the student provides consent or the situation falls into a privacy exemption category.



Transferring student information between Victorian government schools is allowed when:

  • parents/guardians are informed of the process
  • schools meet the Department’s standards in transferring files.

Access to information

The privacy laws do not change the individual’s right to access their information that is held by a government school. The individual’s right to access remains via a request made under the Freedom of Information Act 1982.

Privacy legislation encourages organisations to be open and transparent about what personal and health information they hold about individuals. When it is appropriate schools can provide individuals with informal access to their own personal or health information.  However, the person seeking access should make a request under the Freedom of Information Act 1982 if records hold information:

  • provided by a third party
  • that identifies a third party or
  • that may cause harm to the individual or others.

