A complainant has been awarded $7500 by the Federal Privacy Commissioner as a result of highly private personal information about him being included in an Information Pack for School Council members.

The case sends a clear message to schools that they should carefully consider whether to include delicate personal information in School Council Information Packs and to make sure any such information is kept securely and treated in strict confidence. 

The case also serves as a warning to all public and private sector entities that are subject to privacy legislation, they should carefully consider whether it is really necessary to include personal information in papers prepared for boards or other governing bodies.

Background

The complainant attended St Paul's School in Brisbane and alleged that, during his time there, he was sexually abused by a teacher.

St Paul's School forms part of the Corporation of the Synod of the Diocese of Brisbane (Diocese), but it has a separate constitution. The Diocese is ultimately accountable for the general control and management of schools, but the School Council is delegated the power to control and manage the affairs of St Paul's School.

The complainant contacted the Diocese about the alleged abuse in March 2007, seeking settlement of his complaint and compensation.

In August 2007, the Diocese's lawyers wrote to the Diocese about the complainant's legal action and sent a copy of the letter to St Paul's School. The correspondence included documents containing details of the complainant's allegations of sexual abuse.

In September 2007, the School Council of St Paul's School met to discuss a number of matters, including the complainant's legal action. In preparation for this meeting, an Information Pack was provided to School Council members a week before the meeting, containing documents which included details of the complainant's allegations of sexual abuse. The Information Pack was also inadvertently sent to one non-School Council member, a staff member of St Paul's School who was scheduled to give a presentation at the School Council meeting.

In August 2009, the complainant wrote to the Diocese, alleging the distribution to School Council members and the non-School Council member of documents containing his personal information was a breach of his privacy. The Diocese responded by stating, given the nature of the issues raised by the complainant, it preferred to have the matters independently assessed by the Privacy Commissioner. 

Determination by the Privacy Commissioner

The complainant's allegations, and the Privacy Commissioner's response to them, are summarised in the table below. The Australian Privacy Principles (APPs) had not commenced at the time the relevant events occurred, so the case was decided under the National Privacy Principles (NPPs). The table below indicates what APPs would be relevant if the case was decided under the APPs.

As the table shows, the allegations largely centred around NPP 4.1, which required the Diocese to take reasonable steps to protect personal information from misuse and loss, and from unauthorised access, modification or disclosure. This requirement is now contained in APP 11.1.

Click here to view table.

As a result of his findings that the Diocese breached NPP 4.1 in respect of allegations 2 and 3, the Commissioner awarded the complainant $7500 for non-economic loss, including pain and suffering and feelings of humiliation.

Recommendations

This case clearly demonstrates how cautious schools should be when considering whether to include personal information in the Information Packs compiled for School Council members. In particular, if personal information of a particularly sensitive nature is to be included, schools should consider whether redacting the individual's identity would be appropriate, and whether identifying the individual verbally at the meeting would be sufficient.

In addition, if they haven't already, schools should:

  • implement a policy requiring School Council members to treat information packs in the strictest of confidence and keep them secure at all times (including keeping them under lock and key when not on their person or in use)
  • make sure copies of Information Packs are securely destroyed when no longer needed (with a copy maintained in accordance with the school's Document Retention Policy for record keeping and administrative purposes).

More generally, all entities should use this case as a reminder that they should carefully consider whether it is necessary to include identifying details about individuals in papers prepared for boards or other governining bodies. If not, that information should be omitted.