As a public school in Sydney, Moorebank High School is regulated by the NSW privacy laws, not the federal Privacy Act. As a result, consent is not required before collecting biometrics. However, the organisation involved, which in this case is the NSW Department of Education, must still fulfil certain criteria under the Privacy and Personal Information Protection Act 1998 (NSW) before it can lawfully collect finger scans of children entering toilets.
First, the information must be collected for a lawful purpose that is directly related to the functions of the Department. You could argue that protecting school property from vandalism, and ensuring bathrooms are clean for students, is a legitimate function of the Department.
Second, the collection of the information must be “reasonably necessary” for that purpose. This is where notions of proportionality come in. In other words, is the collection of biometrics every time a child wants to use the bathroom a proportionate response to the objective of tackling vandalism? Are there less privacy-invasive alternatives?
Third, the Department must ensure that the information collected is relevant to its purpose, not excessive, accurate and complete. This is where issues of the integrity and validity of the system, and whether it can even achieve its objectives, come into consideration. Did the Department conduct an evaluation of the efficacy of the system purchased by the school? What are the false positive and false negative rates of identifying children via finger scans? Will this system actually achieve the objective of stopping vandalism, or will the collection of children’s biometrics be in vain?
Fourth, the Department must ensure that the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual student. This is where the implications of monitoring teenagers going to the bathroom are pertinent, both in relation to impacts on how individual students feel, and in relation to the broader social impacts, such as the normalisation of surveillance over children.
Fifth, the Department must take steps to ensure that the students, and their parents and guardians, are notified before any collection takes place, about the purposes for which the information is being collected, the intended recipients of the information, whether the supply of the finger scan is required by law or not, any consequences for the student if they refuse to participate, the existence of their right of access to and correction of the information, and the name and address of the Department in order to address any privacy complaints. Whether or not focus groups or notice in the minutes of P&C meetings is sufficient to meet legal requirements would be a relevant factor here.
And that’s just the obligations in relation to the collection of personal information. Once information is held by the school, or a technology supplier on its behalf, there are additional obligations in relation to managing the security and accuracy of that data, who should be able to access the data, how long the data is kept for, as well as limitations on how that information can be used or disclosed. For example, once you have implemented a system to purportedly prevent vandalism, you can’t later turn around and seamlessly use the data for another purpose, like tackling vaping, bullying, theft or truancy.
They are just the questions of legal compliance. Such a proposal also raises significant questions about social licence and trust. What does the implementation of such technology say about the breakdown of trust between school and students? How will students react to being put under surveillance – will they feel like they are treated like criminals?
Were all of the above matters considered in a Privacy Impact Assessment before the school went ahead with the implementation of this novel technology? Was the school principal offered any advice by the Department about their privacy obligations, and how to meet them? Should decisions about the sourcing, testing, configuration and implementation of technology be left up to individual schools instead of made by the Department?
I see significant challenges for the Department of Education arising from this use case of technology, in terms of meeting their legal obligations under the NSW privacy laws.
But here are some things that NSW privacy law, unfortunately, does not require:
It does not require the consent of every student to collect their biometric template, unlike the federal Privacy Act.
It does not obligate the Department to conduct Privacy Impact Assessments of projects which could raise significant privacy risks, unlike the federal Privacy Act.
It does not require the Department of Education to have a dedicated Privacy Officer, unlike government agencies under the federal Privacy Act.
It does not require the Department of Education to have a designated Privacy Champion within the senior leadership team, unlike government agencies under the federal Privacy Act.
It does not require that staff be trained in their privacy obligations, unlike government agencies under the federal Privacy Act.
It does not include a mandatory data breach notification scheme, unlike the federal Privacy Act.
And there is no ability for a court to levy fines against non-compliant organisations, unlike under the federal Privacy Act.
The NSW privacy laws have barely been touched since they were drafted in the 1990s. While 16 months ago the NSW Attorney General committed to introduce a data breach notification scheme, we are still waiting – and much more significant reforms are needed in any case. We also need adequate funding, of both privacy management programs within agencies and the NSW Privacy Commissioner’s office, in order to protect the privacy of the people of NSW.
(UPDATE, 18 October 2022: In response to advocacy on this issue, the Department of Education has acknowledged the risk, and has asked the school to halt the use of this technology. The NSW Privacy Commissioner is also now engaged with the Department on this issue.)