Privacy and the use of third-party web and cloud-based service providers
This bulletin informs principals about the application of privacy law to the use of third-party online service providers in schools. It is part of a suite of advice for principals on cyber-security resources for schools and must be read in conjunction with ITD resources Principal support – assessing and engaging external IT services and Due diligence vendor checklist which address the application of due diligence to the selection of online services. Last updated October 2021.
On this page
Please wait while page index is generated
The Privacy and Personal Information Protection Act 1998 (PPIP Act) and Health Records and Information and Privacy Act 2002 (HRIP Act) and Privacy Act 1988 (Cth) regulate how the department collects, secures, uses and discloses the personal, sensitive and health information it holds on individuals.
Personal information is information or an opinion about an individual from which their identity is apparent or can reasonably be ascertained.
Health information is personal information that is information or an opinion about the physical or mental health or a disability of an individual or provision of health services to an individual.
Sensitive information is personal information about an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.
For further information see privacy bulletin Managing personal and health information.
Privacy legislation identifies principles that organisations and public sector agencies must apply to management of personal information.
When collecting personal information organisations and agencies must:
- only collect information for a lawful purpose directly related to a function or activity of the organisation or agency
- collect information directly from the individual or their parent/guardian if under 16 years of age
- inform the individual of:
- the collection
- purposes for which the information is being collected
- intended recipients of the information
- whether supply of the information is required by law or voluntary
- consequences if the information is not provided
- the right to access and correct the information and
- name and address of organisation/agency collecting the information.
When the department and third-party service providers collect student personal information they must inform students and/or their parent/guardian of these matters.
For further information and a template privacy notice see privacy bulletin Collecting personal and health information.
Retention and security principles
Organisations and agencies that hold personal information must:
- retain the information only for as long as is necessary for the purpose for which it may be used
- dispose of the information securely
- protect the information by taking reasonable safeguards against loss, unauthorised access, use or disclosure.
Further information for principals about management of information security and due diligence when deciding whether to use non department IT services is provided in ITD resources Principal support – assessing and engaging external IT services and Due diligence vendor checklist.
Storage of and access to personal information provides additional information about security, access and alteration principles.
Access and alteration principles
Organisations and agencies that hold information must, if requested by an individual, provide access to their personal information and make appropriate amendments to ensure the information is accurate, relevant, up to date, complete and not misleading, having regard to the purpose for which it was collected.
As part of their due diligence principals should ensure third party service providers have procedures that enable individuals to request access to and alteration of their personal information.
The department’s applications for access and alteration of information which it holds are available on the intranet and guidance for principals when handling an application for alteration is available here.
Use and disclosure principles
Organisations and agencies that hold personal information must only use or disclose the information for the purpose for which it was collected. An individual’s consent is required if their information is to be used and/or disclosed for another purpose.
When a school uploads student personal information from school records such as ERN to a third-party service provider it must obtain consent from the student or parent/carer.
Schools cannot rely on the permission for a student to access online services provided by the department, on a student’s Application to Enrol, to disclose student information to third party service providers.
A template letter to parents/carers informing them of the use of third-party service providers and consent form is at Appendix A.
For further information on use and disclosure principles see privacy bulletin Use and disclosure of personal information.