A complainant has been awarded $7500 by the Federal Privacy Commissioner as a result of highly private personal information about him being included in an Information Pack for School Council members.
The case sends a clear message to schools that they should carefully consider whether to include delicate personal information in School Council Information Packs and to make sure any such information is kept securely and treated in strict confidence.
The case also serves as a warning to all public and private sector entities that are subject to privacy legislation, they should carefully consider whether it is really necessary to include personal information in papers prepared for boards or other governing bodies.
The complainant attended St Paul’s School in Brisbane and alleged that, during his time there, he was sexually abused by a teacher.
St Paul’s School forms part of the Corporation of the Synod of the Diocese of Brisbane (Diocese), but it has a separate constitution. The Diocese is ultimately accountable for the general control and management of schools, but the School Council is delegated the power to control and manage the affairs of St Paul’s School.
The complainant contacted the Diocese about the alleged abuse in March 2007, seeking settlement of his complaint and compensation.
In August 2007, the Diocese’s lawyers wrote to the Diocese about the complainant’s legal action and sent a copy of the letter to St Paul’s School. The correspondence included documents containing details of the complainant’s allegations of sexual abuse.
In September 2007, the School Council of St Paul’s School met to discuss a number of matters, including the complainant’s legal action. In preparation for this meeting, an Information Pack was provided to School Council members a week before the meeting, containing documents which included details of the complainant’s allegations of sexual abuse. The Information Pack was also inadvertently sent to one non-School Council member, a staff member of St Paul’s School who was scheduled to give a presentation at the School Council meeting.
In August 2009, the complainant wrote to the Diocese, alleging the distribution to School Council members and the non-School Council member of documents containing his personal information was a breach of his privacy. The Diocese responded by stating, given the nature of the issues raised by the complainant, it preferred to have the matters independently assessed by the Privacy Commissioner.
Determination by the Privacy Commissioner
The complainant’s allegations, and the Privacy Commissioner’s response to them, are summarised in the table below. The Australian Privacy Principles (APPs) had not commenced at the time the relevant events occurred, so the case was decided under the National Privacy Principles (NPPs). The table below indicates what APPs would be relevant if the case was decided under the APPs.
As the table shows, the allegations largely centred around NPP 4.1, which required the Diocese to take reasonable steps to protect personal information from misuse and loss, and from unauthorised access, modification or disclosure. This requirement is now contained in APP 11.1.
|Allegation by the complainant||NPP/APP||Privacy Commissioner’s finding.|
|1.||Distributing the Information Pack containing the complainant’s personal information to School Council members was not a use or disclosure for the primary purpose of collection or for a permitted secondary purpose, and so breached NPP 2 (use and disclosure).||NPP 2APP 6||This claim was not established.The relevant documents in the Information Pack were provided to the Diocese and copied to the school and School Council for the primary purpose of considering and responding to the complainant’s allegations and legal claim. This was consistent with the requirements of NPP 2.|
|2.||Including the complainant’s name in the documentation provided to School Council and non-School Council members was a breach of NPP 4.1 (data security) as his identity was unnecessary to the School Council’s decision making process.||NPP 4.1APP 11.1||This was a breach of NPP 4.1.The Commissioner held that it was not necessary for the complainant to be identified in the Information Pack, as the role of the School Council was to consider the solicitor’s recommendation, not to confirm the veracity of the complainant’s claim.As a result, given the sensitivity of the information and the vulnerability of the complainant, if the information were misused or disclosed the Diocese could have taken additional reasonable steps to protect his personal information, by redacting his name from the Information Packs. Even if the complainant’s identity was relevant to the decision making process, it could have been provided to School Council members verbally at the meeting, to reduce the risk of disclosure.|
|3.||Providing a non-School Council member with a copy of the Information Pack one week prior to the School Council meeting was a misuse of the complainant’s personal information.||NPP 4.1APP 11.1||
This was a breach of NPP 4.1.
The Diocese advised the non-School Council member was given the Information Pack inadvertently, as a result of an isolated human error. She returned the Information Pack prior to the School Council meeting when requested by the Headmaster, and advised she had not read it.
The Diocese also said it had (after the events in question) introduced a ‘Distribution of Confidential Documents to Council and Sub Committee Members’ policy, which stated School Council members must treat Information Packs with the strictest of confidence and keep them secure at all times. While the policy was not in place at the time of the incident, the Diocese said it reflected its usual practice at the time.
The Privacy Commissioner held that, given the policy was not in place at the time, it did not demonstrate the Diocese had taken the reasonable steps required by NPP 4.1. In the Commissioner’s view, the Diocese failed to adequately check who the Information Packs were being provided to, which resulted in the complainant’s personal information being disclosed to an unauthorised person. Whether or not the recipient did in fact open and read the Information Pack was not relevant.
|4.||Discussing the matter in front of the non-School Council member at the School Council meeting was a misuse of the complainant’s personal information.||NPP 4.1APP 11.1||This claim was not established.The Diocese advised that the non-School Council member attended the meeting to give a presentation, but left the meeting prior to the Council’s discussion of the complainant’s matter. There was no evidence to show this was not correct.|
|5.||Discussing the complainant’s claim with non-School Council members at a social dinner prior to the School Council meeting was a misuse of the complainant’s personal information.||NPP 4.1APP 11.1||This claim was not established.There was no evidence to show the complainant’s matter was discussed at a social event prior to the School Council meeting.|
|6.||The Diocese possibly provided the Information Packs to School Council members via their children, which was a failure to take reasonable steps to protect the complainant’s personal information.||NPP 4.1APP 11.1||
This claim was not established.
The Diocese advised that the Information Packs were delivered directly to each School Council member by courier, using addresses nominated by the School Council members. There was no evidence to show this was not correct.
|7.||The Diocese failed to take reasonable steps to destroy the copies of the Information Pack after the School Council meeting, in breach of its obligation to destroy or permanently de-identify personal information when it is no longer needed for any purpose permitted by the NPPs, as not all School Council members returned their Information Packs.||NPP 4.2APP 11.2||
This claim was not established.
The Diocese advised that, with the exception of St Paul’s School retaining the original Information Pack and one copy for record-keeping purposes, the Information Packs were collected and safely destroyed by being shredded after the School Council meeting. As a result, the Commissioner was not satisfied the Diocese had breached NPP 4.2.
As a result of his findings that the Diocese breached NPP 4.1 in respect of allegations 2 and 3, the Commissioner awarded the complainant $7500 for non-economic loss, including pain and suffering and feelings of humiliation.
This case clearly demonstrates how cautious schools should be when considering whether to include personal information in the Information Packs compiled for School Council members. In particular, if personal information of a particularly sensitive nature is to be included, schools should consider whether redacting the individual’s identity would be appropriate, and whether identifying the individual verbally at the meeting would be sufficient.
In addition, if they haven’t already, schools should:
- implement a policy requiring School Council members to treat information packs in the strictest of confidence and keep them secure at all times (including keeping them under lock and key when not on their person or in use)
- make sure copies of Information Packs are securely destroyed when no longer needed (with a copy maintained in accordance with the school’s Document Retention Policy for record keeping and administrative purposes).
More generally, all entities should use this case as a reminder that they should carefully consider whether it is necessary to include identifying details about individuals in papers prepared for boards or other governing bodies. If not, that information should be omitted.