It is a truism that the duties imposed on the modern school are various and onerous – duty of care to children, duties to employees under industrial relations or WHS legislation, responsibilities to the Non-State Schools Accreditation Board and Australian Charities and Not-for-Profits Commission, and duties arising from the multitude of contractual arrangements to which an educational institution is party.

A legal duty that perhaps once occupied less attention than its counterparts, privacy law is now an increasingly pertinent issue faced across the education sector, warranting close consideration in this growing technological era.

Privacy Law – The Basics

The Australian Privacy Principles (or Privacy Principles) are the cornerstone of the privacy protection framework in the Privacy Act 1988. They apply to any organisation or agency the Privacy Act covers, including an individual, body corporate, partnership, unincorporated association, or trust. By virtue of this broad definition, the ambit of the Privacy Principles extends to educational entities.

The Privacy Principles establish the minimum standards for the collection, use, access, and disclosure of personal information (amongst other things). The Principles, in conjunction with the Privacy Act, provide a mechanism for individuals to access personal information held by an organisation where both the Applicant and the information sought meet certain requirements.

Australian Privacy Principle 12 – Access to Personal Information

When an access request is made, a school has a number of obligations:

  1. To reply to the request within a reasonable period after the request is made.[1]
  2. To give access to the information in the manner requested by the individual if it is reasonable and practicable to do so.
  3. Where refusing to give access:
    1. to take such steps (if any) as are reasonable in the circumstances to give access in a way that meets the needs of the entity and the individual; and/or
    2. to give the individual a written notice setting out reasons for the refusal and mechanisms available to complain about the refusal.


The general proposition is that personal information must be disclosed where requested, unless one of the stated exemptions applies. Of particular relevance to the educational sector are the following exceptions:

  • APP 12.3(b): Giving access would have an unreasonable impact on the privacy of other individuals;
  • APP 12.3(f): Giving access would be unlawful;
  • APP 12.3(g): Denying access is required or authorised by or under an Australian law or a court order; or
  • APP 12.3(j): Giving access would reveal evaluative information generated within the entity in connection with a commercially sensitive decision-making process.

For the full list of exemptions, refer to rule 12.3 of the Privacy Principles.

Privacy of Other Individuals

By way of example:

  1. Students: name, birth certificate, school reports, race, religion, and medical reports;
  2. Parents: name, marital status, race, religion; and
  3. Staff: education, tax file numbers, educational qualifications, job references, race and religion.

Commercially Sensitive Decision-Making Process

For something to be commercially sensitive, the decision-making process should involve commercially valuable information, the value of which would be diminished if the information were disclosed. For example, decisions about proposed projects that, if disclosed, would place the entity at a commercial disadvantage.[2]

Denying Access is Required

By way of example, documents that were brought into existence for the dominant purpose of enabling a school to receive legal advice and documents between lawyers and the respondent involving confidential communications.[3]

“Reasonable and Practical”

Thus, as a starting point, schools must acknowledge a legal obligation to provide access to the information requested and express a commitment to take such steps as are reasonable in the circumstances to give access in a way that meets the needs of the entity and the individual.[4]

To this extent, schools are expected to consult with the individual to satisfy their request as best they can within the parameters established by Privacy Principle. Some examples of alternative ways of giving access are:

  • deleting any personal information for which there is a ground for refusing access and giving the redacted version to the individual;
  • giving a summary of the requested personal information to the individual;
  • giving access to the requested personal information in an alternative format;
  • facilitating the inspection of a hard copy of the requested personal information and permitting the individual to take notes; or
  • facilitating access to the requested personal information through a mutually agreed intermediary.[5]

Other Considerations

On 16 February 2023 the Federal Attorney-General’s Department published a report on a review of the Privacy Act 1988 (Cth). As at the date of this article, feedback is currently being sought. The proposed recommendations, if passed, would have further impacts on independent schools.

Quite apart from the requests under the Privacy Act 1988 (Cth), interested parties may have other avenues to seek information from a school, such as by way of a subpoena or a preliminary disclosure application.

How Can We Help?

Privacy law is a nuanced area, with the potential for severe consequences in the event of non-compliance. If your school is looking to further understand its obligations, seeking a review of its Privacy Policy to ensure compliance with the legislative framework, or has received a request for information, the friendly team at Corney & Lind Lawyers can help. Contact our team today on (07) 3252 0011 or email the writers of this article at and

[1] APP 12.4

[2] ‘ZG’ and Sydney Catholic Schools Ltd (Privacy) [2021] AICmr 89

[3] ‘ZN’ and a School (Privacy) [2021] AICmr 95

[4] ‘ZN’ and a School (Privacy) [2021] AICmr 95

[5] ‘ZG’ and Sydney Catholic Schools Ltd (Privacy) [2021] AICmr 89

