In NSW, the Not-For-Profit Guidelines for Non-Government Schools (2019) (the ‘NFP Guidelines’) were launched to assist schools to understand their not-for-profit obligation with reference to common transactions schools experience.
The NFP Guidelines recently underwent Ministerial review and public consultation on the exposure drafts, which was completed in late 2023, together with a proposed draft Regulatory Framework for the Oversight of Assistance provided to NSW Non-Government Schools.
The NFP Guidelines provide a useful reference point on the types of common transactions schools face and the records they are expected to maintain and make available to the Minister to make determinations of compliance with section 83C.
They are extremely useful to schools in Victoria as a further reference in relation to considering potentially prohibited arrangements.
Non-government schools must operate for a not-for-profit purpose. In NSW, this is required to be eligible for financial assistance from the NSW government. In Victoria, the not-for-profit requirement is a condition of school registration. Regulations in both states establish the not-for-profit obligation and a requirement to only enter into not-for-profit transactions “for the conduct of the school” (Vic) or for the “operation of the school” (NSW) or otherwise risk being deemed to be for-profit and non-compliant with financial assistance or registration conditions.
In Victoria, the ‘not-for-profit’ criteria for schools are set out in regulation 7 of the Education and Training Reform Regulations 2017 (“ETR Regulations”).
In brief,
Section 83C of the NSW Education Act 1990 operates in a similar way, drafted from the position of when a school would be deemed to operate for-profit in relation to its use of “income” or “assets”, and “payment” for property, goods and services.
The NSW requirements are broadly mirrored in Victoria by the ETR Regulations, with explanatory guidance provided in the Guidelines to the Minimum Standards for School Registration (2022) (‘Minimum Standards Guidelines’).
Whilst not binding in Victoria, the NFP Guidelines offer a useful external reference for Victorian registered schools, particularly in relation to measures that can be taken to avoid PAAs or demonstrate that transactions are not made for-profit.
We have provided a summary analysis of the proposed changes to the NFP Guidelines that support schools to comply with s83C, and the equivalent Victorian PAA requirements. View our summary table.
The exposure draft NFP Guidelines both incorporate examples of common transactions and provide further explanatory guidance to distinguish when a school “will likely be operating for profit” or “may be operating for profit”. Although they do not set a precedent, they are useful for understanding where we have seen, or are likely to see, a similar interpretation of “reasonable market value” and what is “reasonably required” adopted for Victorian schools.
Characteristics of transactions that can be considered as not for the operation (or conduct) of the school or otherwise considered as operating for a profit can arise where:
New examples include:
The NSW Department of Education is currently considering feedback on the exposure drafts and has not provided a release date. Schools should consider the proposed updated Guidelines as part of their 2024 business planning, and reflect on the records requirements as a tool to assess the maturity of their operating practices and recordkeeping and to identify any areas for improvement or rectification.
Our Education team can work with you to assist with:
• Advice on the application of the regulations for specific transactions.
• Review of existing arrangements that pre-date the regulations in both NSW and Victoria.
• Policy and procedure review or development to enable compliant transactions.
• Board and key personnel training on NSW s83C and Victorian PAA requirements.
Please contact us for more detailed and tailored help.
Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.
To coincide with the return to school of students across the country, the Australian Institute of Sport (AIS) published updated Concussion Guidelines for Youth and Community Sport (Concussion Guidelines) (accessible in full here). These Concussion Guidelines emphasise the need to take a conservative approach to managing suspected concussions in children and young people, acknowledging that children and young people take longer to recover from concussion than adults.
The Concussion Guidelines extend the mandatory minimum stand-down period to 21 days from the time of concussion until returning to competitive contact sport. Previously, this was 10 days.
No competitive contact or collision sport for 21 days after a concussion
The introduction of this minimum exclusion period of 21 days has been made in recognition of the fact that young people take longer to recover from concussion than adults. This also aligns Australia with the approach in the United Kingdom and New Zealand.
Another rule to remember is that for those without a dedicated health care practitioner to guide recovery, students must be symptom free for 14 days before returning to contact training. This is not 14 days after the concussion; it is 14 days symptom free.
Additionally, the AIS is recommending schools introduce a ‘concussion officer’ to oversee the management of concussion. A ‘concussion officer’ is a single point of contact who manages the coordination of matters related to concussion. A ‘concussion officer’ is not a concussion expert and is not expected to diagnose concussion. Analogous to the role of a ‘fire warden’, the ‘concussion officer’ ensures anyone diagnosed with concussion follows the school’s agreed concussion protocol.
While a concussion can happen in the playground, higher risks for concussions are generally within competitive and collision sports. We know many independent and Catholic schools compete in interschool sport competitions, run by organisations such as APS, AGSV, EISM and Girls’ Sport Victoria. It is too early to see how these sporting bodies will respond to the updated Concussion Guidelines. Schools will need to carefully navigate their duty of care, when student exclusion is likely to pose challenges in scheduled fixtures.
We highly recommend anyone who works in sport, risk or child safety at a school reviews the new Concussion Guidelines. At Moores, we help schools by providing advice about the duty of care and how this relates to concussion prevention and response procedures. We can also help develop and/or refresh your risk management framework or risk treatment plans. Concussion management could be a useful example to explore risk tolerance and mitigation considerations to manage risk to an acceptable level. There is also the added complication of likely conditions in your school’s insurance policy. Please get in touch with our Education Team for more information.
Following our article published in 2023 on the proposed superannuation tax increase, the government has now released detail on the (as yet) unlegislated taxation of earnings on an individual’s total super balance over $3m.
The calculation of ‘earnings’ is complex and requires accounting advice but for simplicity, earnings are effectively the movement in value of the individual’s balance – adjusted for withdrawals and contributions – and (controversially) includes unrealised gains.
Once legislated, the additional 15% tax will come into force from 1 July 2025 and affect the 2025/26 and subsequent financial years. The $3m limit is static – it will not be indexed. Within the superannuation fund, earnings on balances less than $3m will continue to be taxed at the concessional rate of 15%.
The proposed new tax will be levied on the individual/member. It will not be able to be reduced by deductions, offsets or losses. A member can apply to release funds from super to pay the tax.
This is likely to create particular issues for self-managed super funds (SMSF) that have lumpy assets like business real property, or assets that are not readily able to be realised.
Reversionary pensions are usually put in place when the pension income stream commences.
The effect of a valid reversionary nomination is that when the member passes away, their reversionary beneficiary (usually a spouse) will continue (automatically) to receive their tax-free income stream, which doesn’t count toward the beneficiary’s transfer balance account for 12 months after the member’s death. In other words, two potentially tax-free income streams can apply (where the pensioner or recipient is over 60 years) until the beneficiary withdraws or commutes their own pension back to accumulation.
The hitch with the new legislation is that although the additional tax will not apply to the deceased member in the year of death, it immediately counts towards the receiving beneficiary/spouse’s total super balance account. This could tip the recipient’s total superannuation balance over $3m at the next 30 June, in which case the proposed new law would apply. The reason for the difference is that the 12 month delay applies to the transfer balance cap (the maximum allowable pension) whereas the new tax applies to the individual’s total super balance (which is a different definition and is calculated at 30 June each year).
For example:
Homer and Marge Simpson have a self-managed super fund with $3.5m in total assets.
Homer’s total super balance on 28 June 2025 when he passed away was $1.9m (including $1.7m in pension and $200,000 in accumulation). Homer had nominated Marge as reversionary beneficiary when he established his pension account.
Because Homer’s total super balance is under $3m, the additional tax is not applicable – and even if his total was over $3m at 30 June in the year of his death, he would be exempt because of his death.
Prior to Homer’s death, Marge’s total super balance is $1.6m (all in pension phase). But as reversionary beneficiary of Homer’s pension, Marge’s new total super balance at 30 June 2025 is now $3.3m, representing both her and Homer’s pensions, tipping her above the $3m threshold.
The new tax requires a re-think of:
Although the legislation takes effect from 1 July 2025, advice should be sought early to leave enough time to implement any changes prior to that date.
Stay informed about the legislative updates and contact the Estate Planning team for expert advice and guidance in navigating the evolving landscape of superannuation.
Moores Practice Leader, Jennifer Dixon, and Senior Lawyer, Rowdy Johnson, sit down in a Moores Q&A to discuss the recently proposed superannuation tax and break down some common questions and concerns.
The Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability (Disability Royal Commission) has released its extensive final report which describes aspirations for an inclusive society. The final report seeks to inspire significant reform to remove multiple barriers to access and enable meaningful inclusion. As with the final report of the 2017 Royal Commission into Institutional Responses to Child Sexual Abuse, we predict the Disability Royal Commission’s recommendations foreshadow significant legislative and regulatory reform. For this reason, we set out here the recommendations of the royal commission likely to have the biggest impact on how schools provide education for disabled students; being:
Beyond responding to compliance obligations, Moores is proud to work with value-aligned clients who aim to provide the best educational opportunities for students, often above and beyond the law. The Disability Royal Commission provides a blueprint for how schools can improve their work with students with disability, ahead of legal reform. Our education clients tell us there is an increasing number and proportion of students with disability in our schools and increasing demand for adjustments. This is confirmed by the Disability Royal Commission. We want to work with our clients to support disabled students now, instead of waiting for legal reform.
As noted in our earlier article on the findings of the Disability Royal Commission, a key theme arising from the Disability Royal Commission was a shift away from segregated education. The commissioners were split on what form this should take. Three commissioners, including the two commissioners with lived experience of disability, recommended that the Australian Government and state and territory governments should recognise that inclusive education as required by article 24 of the Convention on the Rights of Persons with Disabilities is not compatible with sustaining special/segregated education as a long-term feature of education systems in Australia. In practical terms, they recommended the phasing out of all specialist schools by 2051, with no new enrolments of students with disability in specialist or segregated schools by 2032.¹ As an alternative approach, the other three commissioners recommended a more conservative approach of co-locating non-mainstream schools alongside mainstream schools to facilitate partnerships and greater interchange between disabled and non-disabled students, and facilitate the transition of disabled students into mainstream school environments.² Irrespective of any reform adopted in legislation or regulations, these recommendations indicate that mainstream schools must be cognisant of the need to facilitate inclusive education, including their existing obligations regarding reasonable adjustments, and may suggest a shift away from enabling schools the option of proposing enrolment exclusively at a specialist school on the basis that mainstream schools do not have the means to support disabled students.
The Disability Royal Commission recommends that state and territory governments amend education Acts to provide that the right to enrolment is subject only to ‘unjustifiable hardship’ in the sense used in the Disability Discrimination Act 1992 (Cth).³ This would require amendments to the Equal Opportunity Act 2010 (Vic) which currently permits a school to discriminate against a person on the basis of their disability in the enrolment process if the adjustment is not reasonable or the student could not participate in or derive any substantial benefit from the educational program even if adjustments were made.⁴
The Disability Royal Commission’s proposed amendment would reduce the need for schools to apply both state and federal laws to determining enrolment obligations and rights – thereby simplifying the law – but also perhaps reduce the ability for schools to turn away prospective students based on their inability to “derive any substantial benefit from the educational program”.
The Disability Royal Commission wants regulators to adopt the principle that schools should avoid the use of exclusionary discipline on students with disability unless exclusion is necessary as a last resort to avert the risk of serious harm to the student, other students or staff.⁵ Schools don’t need to wait for regulators to enact change. Instead, you may choose to reconsider disciplinary processes for students with disability and educate staff on how to avoid the use of exclusionary discipline. For example:
What is exclusionary discipline?
The Disability Royal Commission defines exclusionary discipline as actions by an educational authority or institution that result in the withdrawal of education or training from students with disability, including suspensions and expulsion.
The national and state-based Child Safe Standards already recognise student empowerment and parental and community participation as critical to a child safe organisation. The Royal Commission draws on this to recommend schools develop or update policies to include requirements for student and parental communication to be clear and accessible, be “co-designed with people with disability and their families” and indicate the type of decisions where the school will seek formal parental agreement, such as approaches to behaviour management.⁶
There is also a focus in the Disability Royal Commission’s recommendations for intersectional engagement, particularly with First Nations students and parents.
Another recommendation is that school registration requirements should include oversight by regulators of:
In Victoria, this would assumedly form part of the Victorian Registration and Qualifications Authority’s regular reviews of independent and Catholic schools. Similarly, the NSW Education Standards Authority, Non-state Schools Accreditation Board or other relevant regulators would take on this responsibility.
We often help clients navigate reasonable adjustments for students, but often this is at the end of a long process of behaviour management plans and various adjustments that haven’t supported the student as intended. We consider the Disability Royal Commission provides schools with a timely reminder (as the quiet, summer period may allow respite for policy review), that there is much they can do proactively to support both disabled students and their staff in providing an inclusive and accessible school environment.
Both our Education and Safeguarding teams can help by working with you through consultation, policy review, implementation of new practices through tools and training to implement systems that work in your specific school community, reflect the values and beliefs of the Disability Royal Commission and ultimately seek to improve the experience of education of disabled children. If you want to get started, we recently published a few tips for schools to ensure child safety for disabled students and comply with their legal obligations.
For a broader perspective on the Disability Royal Commission from our Safeguarding team, we have also published:
¹ Disability Royal Commission, Recommendation 7.14.
² Disability Royal Commission, Recommendation 7.15.
³ Disability Royal Commission, Recommendation 7.1.
⁴ Equal Opportunity Act 2010 (Vic) s 41.
⁵ Disability Royal Commission, Recommendation 7.2.
⁶ Disability Royal Commission, Recommendation 7.6.
⁷ Disability Royal Commission, Recommendation 7.11.
On 14 November 2023, the Australian Signals Directorate (ASD) published its 2022-2023 Annual Cyber Threat Report (Report). This Report reveals key trends in cybercrime facing Australian governments, businesses and individuals.
This Report can help those in the education and for-purpose sectors to understand how the current state of cybercrime in Australia may affect their organisation.
The ASD runs the Australian Cyber Security Centre (ACSC), which is the Australian Government’s technical authority on cyber security and has a 24-hour hotline for advice about and reporting of cyber threats and incidents (1300 CYBER1, or 1300 292 371).
The graph above shows the top 10 sectors reporting to the ACSC and the percentage of the financial year’s total reporting that each represents. Most relevant to the Moores community of value-aligned clients is that both education and training, and healthcare and social assistance, were sectors in the top 5.
While this shows a high risk of being a target of a cybercrime, it can also reveal strong awareness in these industries with high levels of reporting.
The ASD recommends all Australian organisations:
The 2022-2023 Annual Cyber Threat Report reveals the significant threat of ransomware.
Around 10% of all cyber security incidents in 2022-23 involved ransomware. The ASD advises against paying ransoms.
The report also reveals that 8.7% of reported ransomware-related cyber security incidents came from the healthcare and social assistance sector.
It is important to note that a quarter of the ransomware reports also involved confirmed data exfiltration where the actor extorts the victim for both data decryption and the non-publication of data.
Understanding the education and for-purpose sectors in which our clients operate, we can provide tailored cyber security and privacy advice and support. We can help you take practical steps to uplift your cyber security, looking to the human elements as well as the technical. We like to think about information management as an opportunity to grow your organisation.
Under the European General Data Protection Regulation (GDPR) the Irish Data Protection Commission (DPC) recently fined TikTok 345 million euros. The fine was the result of an inquiry launched by the DPC regarding TikTok’s processing of children’s personal data.
The DPC’s decision demonstrates the growing focus from privacy regulators on how organisations handle children’s personal information.
The decision is the result of an own-volition inquiry launched by the DPC in September 2021. The inquiry covered solely the period between 31 July 2020 and 31 December 2020. Since then, TikTok Technology Limited (TTL) has made several service modifications addressing most of the criticisms within the decision.
TikTok’s terms do not allow users under the age of 13 to use the platform. The decision focuses on the processing of personal data relating to users aged 13-17, but also examines TTL’s compliance regarding personal data of children under 13 in the context of the company’s age-verification measures.
The case went through the GDPR’s dispute resolution mechanism under Article 65. While there was general consensus on the DPC’s proposed findings in its draft decision, objections were raised by the Italian and the Berlin supervisory authorities. Despite the fact that these objections were a small minority opinion among the collective EDPB, the Article 65 process mandates that even just one unresolved objection must trigger the whole machinery of the GDPR’s process, thus these objections were referred to the EDPB for determination.
The EDPB adopted its binding decision on these objections on 2 August 2023, requiring the DPC to include a new finding of infringement of the fairness principle and an order to bring the relevant processing operations into compliance, while also requiring the DPC to amend its conclusion regarding its draft determination on whether TTL’s age-verification measures were GDPR-compliant.
It should be emphasized that the relevant period of the DPC’s inquiry pre-dated the DPC’s guidance on children’s data, The Fundamentals for a Child-Oriented Approach to Data Processing. The decision therefore assesses TTL’s compliance by reference to the GDPR itself and does not refer to the Fundamentals — however, the DPC carefully clarifies that the Fundamentals introduce “child-specific data protection interpretative principles” and that it would still be permissible to refer to principles derived from the GDPR.
The “Family Pairing” feature gave certain parental-type controls over the child user’s account to another user. Notably, the DPC acknowledged that, in general, the “Family Pairing” options allowed the paired account user to make privacy settings more strict for the child user’s account — by narrowing available content, disabling search and direct messages, making the account private and limiting comments.
However, the other user could also enable direct messages for accounts of child users over the age of 16 (although, based on the quoted TTL submissions to the DPC, this was only with regards to “Friends”) where the child user had themselves switched off this feature. The accounts were paired by generating a QR code for the non-child user. This code then had to be scanned by the child user, who confirmed if they wished for the accounts to be linked. The DPC took the view that despite this process, there was no verification of the relationship between the two users.
The DPC considered that allowing a user, who was not a verified parent/guardian, to enable direct messages in this way for child users over age 16 posed risks. This enabled third parties to contact the child user and would thereby constitute unauthorised processing of their personal data, since they had not selected to have their data processed in this manner.
On this basis, the DPC concluded that TTL failed to apply appropriate technical and organisational measures to effectively implement the integrity and confidentiality principle and to integrate safeguards to meet GDPR requirements.
This finding again demonstrates the increased risk to children that the DPC associates with being able to directly contact children, whether through the comments function or via direct messaging.
TikTok had age-verification measures in place to prevent users under 13 from accessing the platform. These consisted of an age gate requesting the user’s birthdate, along with technical measures to prevent users from re-submitting an older age, and ex-post measures to identify and remove accounts of underage users.
TTL’s data protection impact assessment on age-appropriate design did not identify the specific risks of users under age 13 accessing the platform and the further risks arising from this, which was viewed by the DPC as a lack of appropriate measures to demonstrate and ensure compliance with the GDPR, contrary to Article 24(1). This is an important indicator of the regulatory expectation that digital services with minimum user thresholds must still account for risks to users under the service’s permitted minimum age for use, including via DPIAs.
The DPC proposed in its draft decision to find that TTL’s age-verification measures otherwise complied with the GDPR. Following an objection from the Italian supervisory authority, the EDPB analysed this point, concluding there was not sufficient information to conclusively assess TTL’s compliance on this point, and instructed the DPC to amend its finding accordingly.
As such, the DPC’s decision included a statement to the effect that it could not be concluded that the age-verification measures deployed by TikTok infringed the GDPR. In other words, the positive statement in the draft decision expressing the DPC’s view that TikTok had complied with Article 25 in this regard was removed at the direction of the EDPB.
The decision also contains a comment on requiring hard identifiers as a method of age verification. The DPC accepted TTL’s contention that this would be a disproportionate measure. The DPC’s view was that, given children are unlikely to hold or have access to hard identifiers, this would act to exclude or lock out child users who would otherwise be able to utilise the platform.
For organisations with mixed-age user populations of both adults and children on their services that impose minimum user ages, the portion of the decision relating to age verification is potentially the most significant. This is due to the fact that the EDPB carried out a lengthy analysis of TTL’s age-verification measures, taking into account — as required by Article 25(1) of the GDPR — the nature, scope, context and purposes of processing, the risks to child users, the state of the art and the costs of implementation.
In its analysis, the EDPB pointed out that regarding the requirement for “appropriate” technical and organisational measures under Article 25, appropriate means effective and this in turn requires a robustness of measures. The EDPB expressed serious doubts on the effectiveness of TTL’s neutral age gate as an age-verification solution given the high risk of the processing. The EDPB noted that the age gate can be easily circumvented, that presenting the age gate in a neutral manner does not itself sufficiently discourage users from entering an incorrect birth date, that once a method of circumvention is known this can be easily shared with peers, and that since TikTok was rated for age 12+ in the Apple store, users could easily infer they had to enter a birth date above the age of 12 to use the platform.
Similarly, the EDPB expressed doubts on the effectiveness of TTL’s ex-post measures to identify and remove users under age 13 from the platform. Despite these concerns, the EDPB considered it did not have sufficient information to conclusively assess the state-of-the-art element related to TTL’s age-verification measures, and as such, it could not conclusively assess TTL’s compliance with data protection by design.
While the EDPB’s decision does not explain why it felt there was not enough information to reach a conclusion here, it is worth noting that its analysis concerned the six months between July and December 2020 and it is possible that the need to carry out a historical examination some three years back may have been a factor.
It’s worth noting the EDPB’s view that the appropriateness of age-verification measures changes regularly, due to the link to the state of the art and the associated risks, and a controller must periodically review whether such measures remain appropriate.
Overall, though, controllers should not read the lack of an infringement finding concerning the use of the age gate in this case as a green light to use this means of age verification.
The last finding in the DPC’s decision, regarding the infringement of the fairness principle, was not a finding originally proposed by the DPC. It was instead mandated by the EDPB’s binding decision and is the result of an objection raised by the Berlin supervisory authority on behalf of both it and the Baden-Württemberg supervisory authority.
More specifically, the EDPB concluded that the design of the “Registration Pop-Up,” with the “Go Private” or “Skip” options, and the “Video Posting Pop-Up,” with the “Cancel” or “Post Now” options, nudged the user to a certain decision, “leading them subconsciously to decisions violating their privacy interests.” The EDPB took into account the chosen language, sharing the DPC’s view that the word “Skip” seemed to incentivise or even trivialise the decision to opt for a private account, which shows the use of nudging. It also considered the location of the “Skip” and “Post Now” buttons on the right-hand side of the screen, which according to the EDPB, would lead most users to choose the option as they are accustomed to clicking to continue there, as well as the different color gradient for each option — light gray for “Cancel” and black for “Post Now.”
The EDPB’s direction in its binding decision on this point, requiring the DPC to insert a finding of an infringement of the fairness principle, demonstrates the EDPB’s propensity to use the general principles provision in Article 5(1)(a) as a route for finding additional umbrella-type infringements, even where the lead supervisory authority’s investigation did include such an issue within its scope.
With regards to the above infringements, the decision exercises the following corrective powers:
The DPC did not impose a fine for infringements of Article 24, regarding the public-by-default setting and TTL’s age-verification measures, given that the GDPR does not provide for an administrative fine for this infringement. The DPC also did not impose a fine for the infringement of the fairness principle — although this was requested by the Berlin supervisory authority in its objection. Instead, TTL was ordered to bring its processing into compliance.
Finally, it should be noted that TTL has appealed the DPC’s decision to the Irish High Court and has also issued annulment proceedings before the Court of Justice of the European Union against the EDPB in relation to its binding decision.
With the growing focus from both Europe and Australia on children’s data, organisations that work with children must take careful consideration of how they handle personal information.
Our privacy and data security team work with organisations to create workable and compliant privacy frameworks, and implement information handling practices that are resilient to data security threats. Our deep understanding of the education and not-for-profit sectors means that we are well equipped to support organisations that work with children on privacy requirements.
In September 2023 TikTok was fined 345 million euros (the equivalent of $575 million AUD) by the Irish Data Protection Commission (DPC) under the European General Data Protection Regulation (GDPR) for breaches in its processes of children’s personal data. The basis for the fine is a lack of transparency through vague language explaining TikTok’s data handling processes and a failure to implement privacy-by-design in automatically making children’s accounts public. Another important part of the decision is consideration of age-verification measures.
We have written previously about children’s privacy, as it is an intersection of privacy and child safety similar to our annual eSafety campaigns for Safer Internet Day each February. More information on these topics is here:
This article considers three key aspects of the TikTok fine – transparency, privacy-by-design, and age-verification measures – in the context of Australian privacy regulation as it is relevant for charities and schools who work with children.
Transparency is a pillar of privacy regulation, in both Europe and Australia. In the TikTok decision, the DPC took issue with certain vague words: the use of “public,” “everyone” and “anyone” to describe who could see a user’s account was not sufficiently clear as to whether that meant all registered TikTok users or anyone who could access the platform. Another transparency breach was the failure to provide information about TikTok’s information handling processes in a concise, transparent, intelligible and easily accessible form, using clear and plain language. We encourage all organisations to ensure their privacy policies and collection notices are clear, easy to understand and tailored to their particular audience.
In Australia, Australian Privacy Principle 1 enshrines openness and transparency as requirements for how organisations handle personal information. Specifically, openness and transparency means:
Further, improving transparency of organisations and control of individuals is a key aim of proposed amendments to the Privacy Act 1988 (Cth).1 The reforms propose to increase transparency and control with improved notice and consent mechanisms. This is, in part, in response to the 2023 Office of the Australian Information Commissioner (OAIC) Australian Community Attitudes to Privacy Survey which showed that 84% of Australians want more control over the collection and use of their personal information.
For charities and schools, ensuring you provide transparency and control is critical to maintaining a strong and healthy relationship of trust with your community members. Transparency is a pillar of privacy regulation because privacy recognises that handing over information about ourselves or our children can be personal; similar to handing over part of our identity. Privacy, and transparency, is inherently about trust.
We previously discussed what we mean by privacy-by-design in a recent article. For TikTok, it was found that making children’s accounts public by default is inconsistent with the GDPR’s data protection by design and default obligations. This was partly because TikTok, through its web browser version, can be accessed by non-registered users; i.e., the public at large. An additional, specific setting was required to “Go private”.
In Australia, no obligation regarding privacy-by-design currently exists. The inclusion of a privacy-by-design requirement is possible in the proposed amendments. What the government has committed to is to implement “new organisational accountability requirements [that] will encourage entities to incorporate privacy-by-design into their operating processes.” Regardless of a compliance obligation, privacy-by-design is a strong risk mitigation step against the threat of data breaches because:
Privacy-by-design is particularly relevant to children’s privacy, as the Government agrees with the recommendation from the Attorney-General’s Department to introduce a Children’s Online Privacy code.2 The code would apply to online services that are likely to be accessed by children.
However, the decision is novel from a pan-European/EDPB (European Data Protection Board) perspective insofar as it is the first to examine age-verification measures against the backdrop of the GDPR. While the EDPB’s dispute resolution procedure, in an arguably rather odd way, directed the DPC to reach an inconclusive outcome, there are some important markers digital services with a mixed user population should note, as they may be indicators of future regulatory approaches to age verification.
The decision reaffirms the major focus of European regulators — and moreover the DPC as the bloc leader in this area — on children’s data. This is a topic we expect to see increasingly more often in regulatory investigations and enforcement decisions.
The DPC’s findings regarding the risks to children from the processing of their data are informative of how the DPC will expect organisations to assess such risks in relation to their own processing operations.
Finally, the decision also signals the EDPB’s willingness to use the fairness principle to bolt on additional findings of infringement at the dispute resolution stage, even where the lead supervisory authority’s investigation did include such an issue within its scope.
Read our latest article for more detail on how the DPC came to its decision against TikTok.
1 Australian Government, Government Response to the Privacy Act Review Report (28 September 2023).
2 Australian Government, Government Response to the Privacy Act Review Report (28 September 2023), page 13; Attorney-General’s Department, Privacy Act Review: Final Report (23 February 2023) Proposal 16.5.
The changes to the vacant residential land tax (VRLT) laws flagged in our recent article have now passed into law, with the new bill receiving Royal Assent on 12 December 2023.
After updates made during Parliamentary debate, these changes now address one of the major concerns affecting people with holiday homes located in Victoria raised in our previous article, but still leave major uncertainty for the owners of holiday homes which are owned in trusts or company structures.
The ‘holiday home’ exemption from VRLT will now apply where the owner or the owner’s relatives use and occupy the holiday home for four weeks each year (whether continuous or in aggregate). Previously, the exemption only applied to use by the owners themselves.
‘Relatives’ include the owner’s spouse/domestic partner, lineal ancestors and descendants, and siblings, as well as the owner’s spouse’s siblings and the spouses of the owner’s children and siblings.
This is welcome news for families who share use of a holiday home held in personal names.
While the changes made by Parliament go some way in providing a common-sense approach to the exemption in the context of the VRLT catchment area being expanded State-wide, what remains outstanding is the application of VRLT to holiday homes owned within a company or trust structure.
This issue was considered in Parliament, but was not addressed in the final bill. Attorney-General Jaclyn Symes has stated that the government is “committed” to extending the exemption to holiday homes owned this way, but indicated that due to a “complexity” in incorporating such changes, this issue will be reconsidered in the first half of 2024.
Therefore at this stage, there is no legislated exemption from VRLT for holiday homes owned in trusts or company structures, and unless the Government follows through on the comments above, holiday homes held under such structures will be liable for VRLT from 2025.
Because there is no guarantee that changes will be made in this regard, owners of such properties would be wise to consider whether they wish to lease those properties out for at least 6 months of the 2024 year so as to ensure they won’t receive a VRLT assessment for 2025.
The team at Moores is across the complex issues raised by the VRLT changes, and would be glad to help you or your clients to navigate the new rules.
We can assist with:
Please contact us for more detailed and tailored help.
School record keeping obligations are multifaceted and data retention remains an ongoing and complicated issue. Retaining data for too long raises the risk of data breaches being more damaging and significant for schools. However, we acknowledge schools are also grappling with retention requirements, particularly regarding child safety information.
But how long is too long? Schools are not at liberty to simply dispose of all information relevant to a student once they have ceased being educated by that school. For example, Victorian schools are obliged under the Ministerial Order 1359 (MO1359) to create, maintain and dispose of records relevant to child safety and wellbeing in accordance with the Public Records Office Victoria (PROV) Recordkeeping Standards, including minimum retention periods (clause 6.2(f)).
School recordkeeping obligations require schools to define their maximum retention periods for different categories of records and ensure these are applied across physical and digital information assets.
The reference to ‘child safety and wellbeing’ in MO1359 is broader than the PROV standard, PROS 19/08, introduced in response to the Royal Commission into Institutional Responses to Child Sexual Abuse. This standard requires organisations, in relation to records about organisational responses to child sexual abuse, to:
What about documents that are not ‘records about organisational responses to child sexual abuse’? This is where schools need to balance competing obligations, such as contractual and legal requirements, including under privacy law, which requires organisations to destroy records when they are no longer required. Student data may involve sensitive and health information and other detailed personal information which carry specific privacy obligations.
There are several matters to consider when balancing privacy and the MO1359 requirement to retain records relevant to ‘child safety and wellbeing’. We recommend all schools create a Data Retention Policy that outlines those considerations and identifies the retention periods for different categories of student data to have a clear understanding of their framework for data management and retention.
There is no ‘one size fits all’ document that will serve the school’s purpose in this regard. Each school will have to make decisions itself and develop its own policy.
The shift to digitised and digital records also means that schools need to consider privacy and data retention in their systems and applications. Privacy and data security risks can be managed by undertaking a privacy impact assessment to consider how school requirements translate into new systems and processes.
Moores has helped a number of schools and other education providers with the creation of Data Retention Policies since MO1359 was enacted in July 2022.
We have also facilitated privacy risk assessments for new systems and processes that impact student data and records management.
We are more than happy to guide you through the steps required to ensure you are creating adequate retention periods, implementing new systems in alignment with your privacy requirements, and also advising how best to avoid a data breach in respect of such personal and sensitive information.
This article was originally published October 2022. Updated December 2023.