Victorian schools and education providers are now captured by the Child Information Sharing Scheme (CISS). This changes privacy, child safety and regulatory implications and risks. Schools should be aware of how CISS operates and its impact on other parts of school governance and compliance.

What is the CISS?

CISS facilitates the sharing of confidential information between organisations that work with children to promote the wellbeing and safety of those children. CISS aims to remove barriers to information sharing to best facilitate early identification and remediation of child abuse, neglect or other risks to child wellbeing and safety.

The CISS commenced on 3 September 2019. Schools and education providers are captured in phase 2 which commenced on 19 April 2021. (Phase 2 was delayed in 2020 due to COVID-19.)

Which organisations are captured?

With phase 2 now in force, the CISS has expanded to capture:

  • Registered schools: independent, Catholic and government
  • Doctors in Schools program
  • Enhancing Mental Health in Schools program
  • Kindergartens
  • Public health services and denominational hospitals
  • Regulators including the Victorian Registration and Qualifications Authority (VRQA), Victorian Curriculum and Assessment Authority and Victorian Institute of Teaching
  • Registered medical practitioners who practise in the medical profession as general practitioners in Victoria
  • Registered community health centres

Information sharing can occur between any of these organisations. Organisations that are captured are referred to in the CISS as Information Sharing Entities (ISEs).

Key obligations under the CISS

Under the CISS, an ISE can:

  • Share information proactively with other ISEs;
  • Make a request for information; and
  • Share information in response to a request from another ISE.

When an ISE receives an information request, it must assess the request against a three-step test.

  1. Would sharing the information promote the wellbeing and safety of the child or children concerned?
  2. Would sharing the information help the receiving ISE either:
    • make a decision, assessment or plan,
    • start or conduct an investigation,
    • provide a service, and/or
    • manage any risk?
  3. Is the information excluded information that cannot be shared under the CISS?

Schools – as ISEs – must respond to requests from other ISEs in a timely manner. If the sharing meets the three-step threshold test, you must share the information. If the test is not met, you cannot share the information but you must respond to the request with an explanation in writing.

CISS and Privacy

The CISS regime includes legislative principles to guide the collection, use or disclosure of confidential information. It is a principle of the CISS regime that ISEs give precedence to the wellbeing and safety of a child over the right to privacy.

The use or disclosure of confidential information under the CISS regime in good faith and with reasonable care does not constitute a contravention of any other Act.

For independent and Catholic schools that also must comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth), disclosure under the CISS is permitted by APP 6.2(b) where it is authorised by law.

This means that where a disclosure is made in compliance with the CISS, it is not a privacy breach. However, if schools do not meet the regulatory requirements of the CISS, the disclosure may also be a privacy breach.

You may need to review your privacy policy, privacy procedures, data security protocols, confidentiality policies, and consent and release of information forms.

We recommend that organisations:

  • Train your staff – The CISS needs to be administered by staff members who will need training to understand when to make a request for information and how to respond to requests. For organisations also caught by FVISS, training will be needed for employees on the interaction between the two schemes.
  • Review your policies and procedures – The CISS has significant implications for organisations, particularly in terms of privacy and child safety. These policies and procedures need to be reviewed and amended to align with the CISS, as well as other documents such as enrolment contracts and collection notices.
  • Communicate to your stakeholders – While the CISS assists organisations to better share information for the wellbeing of children, the increased sharing of information could concern children and their families. It is important that organisations mitigate any relationship risks that could arise by clearly communicating when they will share information under the CISS and how this will impact confidentiality and privacy.
  • Seek strategic advice – For the organisations captured in the second phase of the CISS, this type of information sharing will likely be a substantial departure from previous practice. Organisations should carefully consider how they will roll out the CISS, embed it into their operations and comply with the complex legislative framework as well as their other obligations.