Privacy in the education sector: Why you should care about the Notifiable Data Breaches Act

13 April 2018

Stephen Newman, General Counsel

How much personal information does your educational institution hold? You might not think it's a lot, however schools and universities collect a vast array of personal data, from exam results and knowledge of learning disabilities to health issues and religious affiliation.

Identity thieves and hackers are always on the lookout to steal, misuse and corrupt personal information and data to the detriment of the ‘owner’. Educational institutions and their students are not immune from this conduct.

It's no surprise, therefore, that the Notifiable Data Breaches Act (NDBA), which came into effect on 22 February, will require educational institutions to think about their legal obligations under the Privacy Act 1988 regarding the personal information they hold and what they have to do if there is a suspected or actual data breach.

One very important new development is that when a breach occurs and cannot be remediated, educational institutions now have to notify both those affected and the Office of the Australian Information Commissioner.

It's vital that educational institutions understand their obligations with regard to the NDBA so they don't run into trouble in the future. Stephen Newman, BDO General Counsel, provides his thoughts on the impact of the NDBA on the Education Sector ahead of his webinar on this very important topic on April 19.

Why is it important to understand what personal information schools store?

"Often, educational institutions don't necessarily think about the data they have as 'personal information.' Exam results, learning difficulties, bullying or other forms of complaints made against teachers, family information, religious affiliation and the like may all be ‘personal information’ that needs to be dealt with in accordance with the Australian Privacy Principles found in the Privacy Act 1988.

Schools are not immune from being hacked. There have been a number of recent instances where school management systems and student records have been interfered with. For example, the records of around 13,000 students at a Western Australian higher educational institution were recently hacked. These incidents don't make front page news as easily as when banks, other financial institutions, social media platforms and major corporates have their data systems breached, however the information schools store is just as important."

How can schools keep the info they store secure?

"Ultimately, it's more of an awareness thing than anything else. While not every institution has a robust and well-staffed IT department, there will be at least some people working in IT who need to develop an understanding of their computer and network systems and how best to protect them, what hackers are up to at any given moment so that they're looking in the right places when it comes to protecting data and what needs to be done when an attack occurs.

It's also important to check what third party providers are doing with your data, especially if an institution is using the cloud. What protections do they use and what ability does the institution have to seek recourse if something goes wrong?

While cybersecurity is in the news a lot and it is virtually impossible to prevent all attacks, the fact that breaches regularly occur suggests more work needs to be done in this space."

BDO's education sector webinar series

Here at BDO, we want to give as many people as possible the information they need to succeed. With the rules and regulations governing the education sector constantly changing, we've developed a webinar series to help people stay informed. Our first one will be led by Stephen on data security, and is available to watch on 19 April, or can be accessed at a later date.

For more information, contact BDO today.