Compulsory collection of information “at the door” to contain COVID-19

With the easing of COVID-19 restrictions, Victoria is managing the ongoing risks associated with the disease by requiring that particular organisations collect personal information about customers and visitors to their premises to assist with COVID-19 contact tracing.

The Victorian Government has issued specific Directions and Orders stating that contact information of customers and visitors must be sought as a condition of particular organisations re-opening.

If a Direction or Order applies to you, the collection of this personal information will be necessary for your organisation’s functions or activities.

Government orders to collect personal information

If you are subject to a Direction or Order, then this means the collection of contact information is permitted under the Privacy Act 1988.

The Restricted Activity Directions (No 9) – Public Health and Wellbeing Act 2008 (Vic) – (the Act) provides Directions or Orders for facilities, including:

  • Community facilities which host essential public support such as food banks, or homeless persons services, or that host weddings or funerals;
  • Places of worship; and
  • Accommodation facilities (such as hotels, guesthouses or Airbnbs) which are operating for the purposes of providing emergency accommodation, including in relation to family violence or other vulnerable groups.

Records required to be kept

The Act states that these facilities are subject to a “records requirement” which requires them to request that each person who attends the facility for more than 15 minutes provide their first name and contact phone number.

The facility must keep a record of these details for 28 days together with the information about the date and time at which the person attended the facility and if there are multiple indoor spaces, the indoor space(s) which the person visited. 

We note that requirements in relation to signage, cleaning and the number of people permitted per indoor space are specific to each facility and detailed in the Act.

What do you need to do if you are required to collect personal information for contact tracing?

If you are required to collect contact information due to government Orders or Directions, you should abide by the following principles:

  1. Notify people prior to collecting personal information and include details regarding: what information you are collecting, that the collection is required by law, the purpose of collection, who the information will be disclosed to and consequences of failing to provide the information (i.e. they will not be allowed into the facility).  
  2. Only collect personal information which is required under the Direction or Order, i.e. only collect first names and phone numbers;
  3. Securely store the information once you have collected it. Only provide access to staff that need to see it.
  4. Only disclose if the Victorian health authority requests it.  You may not use the information for mailing lists or to share within your group.
  5. Destroy the information as soon as reasonably practicable following 28 days after the visit, unless another statutory requirement permits or requires that the personal information is retained. If you have collected personal information and believe you have another obligation, for example to disclose the information under the Family Violence Information Sharing Scheme, quarantine the information and assess it against the guidelines, or seek advice.

What about services that rely on anonymity?

There are some exceptions to the “records requirement”, including for support groups held in community facilities or places of worship where confidentiality is typically required such as drug and alcohol or domestic violence support groups (such as Alcoholics Anonymous) and private worship at places of worship.

Your obligations to protect people may require you to nevertheless ask for personal information, for example, in an emergency or if a participant in an anonymous group falls ill during a meeting. 

Can you collect customer information if you are not required to?

If there isn’t a Direction or Order that applies to your operation, you are not required to ask for customer and visitor names and contact details for contact tracing purposes. However, you can still collect contact information if you would normally do so for the functions and activities of your business.

What about COVID-19 related information?

You can collect information from employees or visitors in relation to COVID-19 which is ‘reasonably necessary for preventing or managing COVID-19’ such as:

  • Whether a person or a close contact has been exposed to a confirmed case of COVID-19
  • Whether the person has recently travelled overseas and to which countries

If an employee or visitor has or may have contracted COVID-19, you should only disclose personal information which is reasonably necessary in order to prevent or manage COVID-19 in the workplace.

For more information on workplace obligations, please read our article on safeguarding against COVID-19.

Next steps

Organisations still need to be mindful of privacy laws when collecting information for the purposes of contact tracing, or to prevent or manage the spread of COVID-19. It is essential for employers to have clear policies and processes which detail how personal and health information is collected, stored, used or disclosed so that these processes can be adhered to during the process.

How we can help

If you need assistance with ensuring your privacy policy or processes are up to date, please do not hesitate to contact us.

A full list of operations subject to a Direction or Order is available here.

The new Guardianship and Administration Act 2019 (new Act) commenced on 1 March 2020. VCAT has now handed down two decisions since the new Act commenced, which provide some guidance around what can be expected under the new Act. Many of our organisational clients interact with persons with a disability (whether their participants or residents), or work closely with administrators or guardians appointed by VCAT. It will be essential to understand the provisions of the new Act, which are a significant departure from the Guardianship and Administration Act 1986 (old Act).

New Act vs Old Act

There are substantial differences in the role of administrators and guardians under the new Act. The old Act required decisions to be made in the best interests of the represented person. The new Act requires decisions to be made, giving priority to the represented person’s will and preferences (unless, by doing so, there is a risk of serious harm to the person). It represents a shift from a paternalistic approach to persons with a disability, to a rights and person-centred approach to decision making.

Tribunal Decisions and the new Act

VCAT handed down its first decision under the new Act on 29 April 2020. The decision of EHV (Guardianship) [2020] VCAT 501 considered whether EHV’s share in a property should be sold, where EHV’s “will and preference” was that the property not be sold. EHV participated in all hearings, and objected to the sale of the property.

EHV is 63 and suffers from an acquired brain injury as a result of long term alcohol and drug abuse, and was living at an aged care facility at the time of the hearing. Each of his prior attempts to live in the property resulted in a relapse to substance use, admissions to hospital or arrest for intoxication-related offences. EHV’s income fell short of his basic expenses by $100 per fortnight, and he owed debts of approximately $11,000.

EHV’s administrator sought advice from VCAT about whether it could sell the property. The application was made under the old Act, but by the time it was heard the new Act was in force. The Tribunal determined that the property should be sold, and overriding EHV’s will and preference was necessary to avoid a risk of serious (financial) harm. The Tribunal also determined the sale of the property did not offend EHV’s rights under the Victorian Charter of Human Rights and Responsibilities Act for two reasons – while a person has a right to choose where they live, freedom to choose is dependent on a person’s ability to afford accommodation. Further, the Tribunal found the sale of the property did not amount to an unlawful or arbitrary sale, but rather a cautious and steady approach by the administrator.

Key lessons

The key take-aways from the first decision are:

  • The new Act applies to administrators appointed under the new Act, but the old Act applies to administrators appointed under the old Act
  • The overarching principles of the new Act will be applied in all cases, including where the administrator or guardian was appointed under the old Act (although the decision maker’s obligations under the old Act will still apply)
  • A human rights assessment will be increasingly incorporated in Tribunal decisions.

How we can help

If you have questions about your residents or your obligations when dealing with guardians and administrators, please do not hesitate to contact Jessica Latimer, Special Counsel and elder financial abuse expert on (03) 9843 2100 or via our contact us form.

The Victorian Court of Appeal decision in Re Marsella; Wareham v Marsella [2020] VSCA 92 follows Justice McMillan’s decision to set aside a distribution of superannuation death benefits for the trustees’ improper exercise of discretion.

Read our summary of the parties, background of this case and initial decision here.

In the initial decision, Justice McMillan found that the deceased’s daughter, Carol, did not give real and genuine consideration to the potential beneficiaries of the death benefit in deciding to pay her mother’s entire death benefit to herself.

Key lessons

We have summarised some of the key lessons to be taken from this appeal below.

  1. Emphasis placed on solicitors’ correspondence

    Before reaching Court in the first instance, the solicitors acting for each of Carol and the deceased’s husband, Riccardo, exchanged a number of letters attempting to set out their clients’ claims in respect of the death benefit. 

    The SMSF trustees asserted that such correspondence, which they argued addressed and refuted claims from Riccardo’s lawyer that he was a potential beneficiary, was evidence of their real and genuine consideration in making their decision to distribute to Carol.

    The Court of Appeal found that the correspondence in fact demonstrated the trustees’ deficiency in their understanding of the terms of the fund’s deed.  Their Honours stated that it is “scarcely likely that responsible lawyers would write such a letter if they had previously advised their client that Mr Marsella was both a Dependant and a Beneficiary under the terms of the trust deed”.  The series of letters essentially demonstrated that the trustees did not properly inform themselves of the terms of the deed, the circumstances or the applicable law.
     
  2. Acting in conflict

    The trustees claimed that the previous decision was incorrect in that there was no conflict in deciding to pay the death benefit to Carol, asserting that the deceased’s intention for Carol to receive such benefit was inherent in appointing her as the co-trustee of the fund during her lifetime.  The argument was predicated on their assumption that in appointing Carol as trustee, it was foreseen that she would solely benefit from the fund and that because of this such conflict was authorised.

    The Court of Appeal confirmed that just because a deed contemplates the same individual acting as trustee and potential beneficiary of the fund, does not mean that a conflict of interest is authorised by the deed.  An express provision in the deed specifically addressing the conflict of interest would need to be found for this argument to succeed.

    In some circumstances, individuals are placed in a position of unavoidable conflict.  The deceased may have appointed them as the executor, the replacement trustee of the SMSF and a beneficiary of the estate. 

    This actual conflict should be carefully considered and the Court has directed trustees to obtain specialist advice to determine how (if at all) the conflict will affect their ability to fulfil their duties.

    Individuals who hold different positions even though they are the same person ought to seek independent advice from separate lawyers to advise them in each of these roles.
     
  3. “Bad faith” is not the threshold

    The trustees asked the Court of Appeal to overturn Justice McMillan’s decision, arguing that failure to give real and genuine consideration alone was not sufficient to conclude that they had not exercised their discretion properly.

    The trustees relied on a previous decision which provided that trustee discretion is exercised properly if it is exercised:
    – in good faith;
    – upon real and genuine consideration; and
    – in accordance with the purpose for which the discretion was conferred.

    Importantly, however, the Court of Appeal contrasted the facts of this case and the earlier case, and confirmed that it was not necessary for the trustees to have acted in “bad faith” to overturn the exercise of their discretion.

    An “absolute” or “unfettered” discretion under a deed cannot be carelessly acted upon by the trustee.  It does not preclude the trustee from scrutiny and challenge.
     
  4. Take steps in estate plan to avoid the risk of uncertainty after death

    Having documentation and structures in place as part of an overall estate plan can assist in providing clarity to executors, trustees and beneficiaries about a deceased’s intentions once they have died.

    Binding death benefit nominations are often permitted under deeds for SMSFs.  Through these nominations, SMSF members direct the trustee where they want their death benefits to be paid and, if properly executed, a nomination will displace the trustee’s ability to exercise discretion as to who benefits from death benefits.

    Provided the SMSF trustee-member rules and the fund deed are complied with, appointing an independent person to control the fund and exercise the discretions in the fund’s deed after death could also assist in minimising the potential for contests between potential beneficiaries. 
     
  5. Seek advice before exercising trustee discretion

    The terms of a superannuation fund deed differ from fund to fund.  Before taking steps to administer the fund, or exercise any discretion available under the deed, it is important to understand the obligations and duties of this role. One of the key takeaways in this appeal decision is that seeking specialist advice is a ‘must’ and reference to the advice should be included in trustee minutes documenting the payment of death benefits.

How we can help

Seeking specialist advice will go a long way in ensuring trustees are aware of what the role requires and will provide trustees with guidance as to how best to fulfil their responsibilities. For further information or guidance, please do not hesitate to contact us.

We have previously reported on the provisions and commencement of the new Guardianship and Administration Act 2019 (new Act), which commenced on 1 March 2020.

VCAT has now handed down its first decision since the new Act commenced. The decision of EHV (Guardianship) [2020] VCAT 501 considered whether EHV’s share in a property should be sold, where EHV’s “will and preference” was that the property not be sold. EHV participated in all hearings, and objected to the sale of the property. 

Background

EHV is 63 and suffers from an acquired brain injury resulting from long term alcohol and drug abuse, and possibly an organic cause. EHV had “repeatedly and consistently expressed his firm wish, or his will and preference, to return to live in the property” although evidence was that his attempts to live in the property resulted in a return to substance abuse, admissions to hospital and/or arrest for intoxication-related offences, welfare organisations refusing to provide services to him at home and neighbours raising concerns about his behaviours.

Legal issues and the new Act

Both the new Act and the old Act allow an administrator to sell, exchange, partition or convert into money any property. However, under the new Act, VCAT was required to apply the general principles under section 8 to any decision including supporting EHV to make and participate in decisions affecting him and to express his will and preferences among other things. The new Act provides that the will and preferences of the represented person should direct as far as practicable decisions made for that person.

So what of EHV’s firm wish, or will and preference, to return to live in the property? And how did VCAT balance the new Act against EHV’s right to freedom of movement and property rights under the Charter? And what of EHV’s human rights?

VCAT considered the administrator’s obligations generally, and financial factors relevant to EHV’s will and preference as well as accommodation alternatives for EHV.  VCAT ultimately overrode EHV’s will and preference, on the basis that the sale of the property was necessary to prevent serious harm.  Serious harm was both financial harm (EHV continuing to bear unpaid debts and a shortfall of income for his living expenses) and personal harm (in the past, EHV had been unable to live unsupervised in the community without relapsing and hospitalisation) and the loss of opportunity to remain in aged care for financial reasons and behavioural reasons with the risk that he may become homeless.  From a human rights perspective, the Tribunal concluded that to limit EHV’s right to freedom to choose where to live was justified given his dire financial circumstances, in turn giving rise to a need to sell the property.

Next steps

The new legislation adopts a substantially different fundamental approach, in line with the UN Convention on the Rights of Persons with a Disability.  This will require administrators, family members and those subject or potentially subject to administration orders to consider how best to approach any Tribunal hearings. Documenting a person’s “will and preference” will assist both the person and the Tribunal to weigh up complex competing rights and obligations.

For more information or if you or your clients require assistance, please contact us.

Trusts are established for many reasons. One of the most common is asset protection.

The recent decision of Boensch v Pascoe [2019] HCA 49 from the High Court gives some insight into how that asset protection could be undone in the event of the bankruptcy of an individual trustee.

Facts

As part of a matrimonial settlement between Mr Boensch and his former wife, it was agreed that a jointly owned property (“the Rydalmere property”) would be held on trust by Mr Boensch for the benefit of their shared children. A simple memorandum of trust was executed by them, although the memorandum contemplated a further ‘detailed trust document’ would be prepared.  No steps were taken to prepare the further trust document or transfer the Rydalmere property to Mr Boensch as sole trustee until some years later when Mr Boensch had been served with notice of bankruptcy proceedings against him. Mr Boensch had occupied the Rydalmere property and personally paid its expenses including mortgage and rates.

Mr Pascoe was appointed the trustee in bankruptcy for Mr Boensch. He formed a view that the trust was a sham to defeat creditors and proceeded to lodge a caveat against the Rydalmere property claiming a ‘Legal Interest Pursuant to the Bankruptcy Act 1966’.

In extensive subsequent proceedings, it was found that the trust was not a sham given it had been initially documented well prior to the bankruptcy. Mr Pascoe therefore allowed the caveat to lapse and did not pursue any further claim against the Rydalmere property.

The matter before the court was actually a subsequent claim by Mr Boensch against Mr Pascoe seeking compensation for an improperly lodged caveat under Section 74P(1) of the Real Property Act 1900 (NSW).

Relevant Bankruptcy Provisions

The Bankruptcy Act 1966 (Cth) provides that:

  • Section 58(1) – upon a person becoming bankrupt all property then belonging to the bankrupt that is divisible amongst their creditors, together with any rights and powers in relation to that property, vests in the trustee in bankruptcy.
  • Section 116(2)(a) – property held on trust for another person is excluded from being property that is divisible amongst their creditors.

Findings

The High Court considered how the provisions under the Bankruptcy Act relate to property held on trust by a bankrupt as this informed whether Mr Pascoe had a proper basis for his caveat.

The High Court found that:

  • In the scenario where a bankrupt holds property as trustee, if they have any vested or contingent interest in the trust property (no matter how remote), then the trust property will vest in their trustee in bankruptcy (albeit still subject to the terms of the trust). Further, it is ordinarily for the bankrupt to prove the absence of such a beneficial interest.
  • Even if the bankrupt is not a beneficiary under the trust, they can still hold a beneficial interest via the trustee’s right of indemnity. That is, because Mr Boensch, as trustee of the trust, had paid the mortgage and other costs for the trust personally he was entitled to be repaid from the trust and that right of repayment passed to his trustee in bankruptcy.
  • The caveat therefore had a proper basis as the trust property vested in Mr Pascoe due to the trustee’s right of indemnity owed to Mr Boensch. It did not matter that Mr Pascoe had not pursued the right of indemnity and allowed the caveat to lapse; the point was that it had nevertheless been a proper caveat.
  • A trustee in bankruptcy is warranted in lodging a caveat over property held by a bankrupt as trustee if there is an honest belief that the bankrupt has a beneficial interest in the trust (including by way of trustee’s right of indemnity).

Lessons

The decision will be of crucial importance for bankruptcy practitioners, but also contains useful lessons from an estate planning and structuring perspective:

  • The decision reaffirms that a corporate trustee should be an essential component of trust structuring. Acting as the individual trustee invites examination of the trust property on bankruptcy and could well result in the trust property vesting in the trustee in bankruptcy.
  • Trustees must be clear as to trust assets and personal assets. Mixing the two, for example by paying trust expenses out of your personal account, can dilute asset protection and open the trust to a trustee in bankruptcy.
  • Similarly, loan accounts, unpaid entitlements and other contributions to the trust must be managed if asset protection for the trust property is to be maintained.
  • Establishing a trust requires careful consideration of its purpose and circumstances. Selecting the key controllers can be critical.

For more information or guidance, please do not hesitate to contact us.

In the wake of numerous high profile underpayment cases that occurred as a consequence of deficient or unmonitored salary arrangements (Coles, Woolworths and George Calombaris, to name a few), the Fair Work Commission has, effective 1 March 2020, varied a number of modern awards to impose additional obligations on employers that seek to utilise salary arrangements for their workforce.

The Clerks – Private Sector Award 2010 (Clerks Award), an occupational award that covers a myriad of clerical and administrative employees, is one of the awards impacted by the changes.

Historically, salary arrangements have been regulated largely by the common law – the general proposition being that a salary can only ‘buy out’ minimum award entitlements if the employer stipulates (e.g. in an employment agreement) the specific entitlements that are satisfied by the salary.

Prior to 1 March 2020, a limited number of modern awards contained obligations that mirrored this common law requirement (including the Clerks Award). However, from 1 March 2020, employers covered by specified awards (including the Clerks Award) are required to:

  1. Advise employees in writing of the number of overtime hours the employee would be required to work without being entitled to further payments;
  2. Undertake annual reconciliations in respect of the salary paid to the employee (to ensure it meets award minima); and
  3. Keep and maintain records of the starting and finishing times of work, and any unpaid breaks taken, of each employee subject to an annualised wage arrangement.

The merits behind the recent changes were extensively deliberated in a number of hearings before the Full Bench of the Fair Work Commission throughout 2019 as part of its four yearly review of modern awards. In those decisions, the FWC suggested that the changes are not intended to interfere with historical common law offsetting principles. The FWC has expressed the following view:

“[E]mployers may, pursuant to private contractual arrangements, pay employees in accordance with a salary arrangement that compensates for or “buys out” identified award entitlements without engaging with the annualised wage arrangements provision in the applicable award (emphasis added).”

At first blush, many employers would breathe a sigh of relief at the Commissioner’s comments. But employers should exercise caution in relying too heavily on the Commission’s observations.

Summarising two general legal propositions:

  1. Peripheral explanatory observations are not relevant where legislation is clear and unambiguous; and
  2. Where there is conflict between the common law and legislation, legislation overrides the common law.

The newly introduced annualised wage provisions are expressed as obligations – in that employers “must” comply with certain obligations (for example, in relation to record keeping).

However, this doesn’t mean that there aren’t options. Employers wishing to provide annualised salaries may be able to rely on modern award annualised arrangements, common law offset clauses, individual flexibility agreements, guarantee of annual earnings or enterprise agreements.

So what can you do?

Obtain legal advice. You can be forgiven for being confused, particularly since the reforms were introduced in the early stages of COVID-19 disruptions.

Our team of expert workplace relations specialists can give strategic guidance on how to practically respond to the changes and help you meet your legal and commercial objectives.

For further guidance, please do not hesitate to contact us.

On 17 April 2020, Moores ran a webinar for schools and organisations that work with children on maintaining a child safe online environment as a result of COVID-19. While some states have begun to ease restrictions, it is clear that online platforms will continue to be used by schools and organisations to engage with children. In other states such as Victoria and Tasmania, schools are expected to stay remote for the remainder of Term 2 unless medical guidance changes.

Following the webinar we received a significant number of questions, highlighting the complexity and uncertainty of remote learning. This article covers some of the FAQs.

Should organisations record one-on-one interactions between staff and children?

In general, we recommend against recording one-on-one interactions for the following reasons:

  • Concerns regarding the organisation’s ability to securely store these recordings in accordance with your privacy policy and obligations (noting that some platforms such as Zoom automatically store recordings on the individual’s device as opposed to online platforms);
  • Discomfort amongst children and staff members about being recorded;
  • The need for revised consent forms, particularly if video recording;
  • Manipulation of images captured to create inappropriate content (e.g. the use of Deep Fake or Photoshop); and
  • Child safety concerns in relation to any sharing of confidential or private information that’s recorded.

Instead, we recommend that organisations provide guidance on what one-on-one interactions should look like such as requiring them to occur on the organisation’s platforms only and during school hours (or shortly before / after). Organisations should also ask staff members to keep a file note of any one-on-one interactions and should be ensuring they can have oversight of these occurring. This should be documented in policies such as a Remote Learning Code of Conduct.

If an organisation does choose to require recording, what are some safeguards that should be put in place?

Each organisation should carefully consider the unique child safety risks associated with its operations and whether it is appropriate to record interactions between staff and children. If an organisation resolves to direct staff to record their interactions with children, we recommend that it considers the following safeguards:

  • Avoid video recording if possible (e.g. recording lessons online with slides and voice only is preferable to video recording);
  • Only allow staff members to record interactions, and provide them with guidance on how to securely store the file;
  • If video recording, encourage staff and students to blur backgrounds or use template backgrounds and ensure their location (and the location of children) is not obvious from the video;
  • Consider if it is appropriate to delete the videos after a certain amount of time; and
  • Be careful of meta-data that is recorded and stored.

What are some red flags for child abuse in the online environment that we should be aware of?

It is important that organisations continue to provide training and guidance to their staff members on identifying and responding to child safety concerns in an online context. Red flags may include:

  • Signs of physical abuse if children are participating in video meetings;
  • Recurring absence of attendance;
  • Yelling or shouting in the background of meetings or communication with children;
  • Children verbalising distress and requesting to attend schools physically;
  • Signs of neglect such as children being in a different location each time or their location being an unsuitable living environment;
  • Material that might come through in their other interactions with the organisation (e.g. writing about abusive content in their English assignment); and
  • Words or behaviour of parents / carers during staff member / parent discussions, such as abusive language towards their child or a lack of interest.

Where can we find your webinar on commonly used Apps by children and young people?

Moores recorded a webinar for Safer Internet Day on 11 February 2020, including an interview with Associate Professor Nicola Henry from RMIT University regarding commonly used Apps amongst children and young people and the child safety risks. You can find the recording on our news hub here.

What policies and procedures do you recommend that organisations put in place in relation to remote learning?

It is critical that organisations put in place policies and processes for online interactions with children. In particular, we recommend that organisations review, provide or implement:

  • An online Code of Conduct for staff members that sets out key expectations when interacting with children online.
  • An online Code of Conduct for children so that more mature children can understand the expectations on them, especially in relation to inappropriate behaviour such as cyberbullying.
  • Guidance for parents – organisations need to recognise that, as children are learning from home, organisations have far less oversight of their activities than they would have in person. It is important that guidance is provided to parents, such as on popular online apps and games being used, and how they can play a role in ensuring child safety.
  • Guidance for child safety officers – COVID-19 has presented complex challenges for the delivery of education and other services, but it is important that child safety does not fall to the side. Regulators have emphasised that child safety obligations continue to apply. Consider providing guidance and support to your child safety officers so that they can continue to champion child safety and facilitate compliance with reporting obligations.

Our previous article covers some other key tips for ensuring a child-safe remote learning environment.

What are some of the privacy considerations we need to be aware of?

An important part of child safety in an online context is protecting the privacy of children. Organisations will be collecting significantly more personal and sensitive information on children, potentially on platforms that they are not familiar with. We recommend that organisations review their privacy policy and make any changes needed to ensure compliance with the policy. For organisations using videoconferencing, please refer to our article on relevant privacy considerations.

How we can help

For more information or guidance regarding your child safety and privacy policy, get in touch with our expert child safety team. Please do not hesitate to contact us here.

Online meeting technology exploded into popularity as social distancing was implemented across the world in response to the COVID-19 crisis. The most popular program, Zoom, went from 10 million daily users in December 2019 to 200 million daily users in March 2020. The sudden increase in both personal and business use of online meeting technology has created a raft of reports of privacy and security issues.

Issues such as data sharing with Facebook and the privacy of conversations taking place in “chat rooms” have been raised. Security concerns have included reports of “zoombombing”, where Zoom meetings were bombarded by users with racial slurs and pornographic motifs, and a security vulnerability that allowed Mac users to be forced into calls without their knowledge. Serious questions have also been raised about encryption software and whether or not users’ data is being encrypted to ensure it is being kept safe.

Privacy authorities are poised to focus on video and teleconferencing apps, with Privacy Commissioner Angelene Falk warning of “new risks to privacy”, requesting providers to be transparent about how they handle personal information, make their controls user-friendly and build in privacy and security “by default”. Ms Falk also states that “organisations that shift to using new mediums for doing business need to replicate, as far as possible, privacy and security measures that would apply in their regular environment”.

What you can do to fulfil your obligations under the Privacy Act

At the moment, it’s more important than ever to assess privacy risks and take active measures to protect personal and private internal information.

As a first step, we recommend that organisations adopt new practices to ensure that their security is protected (as far as possible).

You should consider:

  1. Conducting a Privacy Impact Assessment on each main software program used for remote working/learning purposes (stay tuned for our ‘5 Minute Privacy Impact Assessment’ article);
  2. Instituting guidelines and privacy protocols in relation to the usage of these programs – these should be distributed to all users;
  3. Determining what information and documents can be (safely) shared using these software programs;
  4. Educating your employees on the features of the software, and what to be aware of to identify potential security threats; and
  5. Ensuring that your privacy policy aligns with the collection, use and disclosure of information that particular software programs may use.

Whilst using videoconferencing facilities, you should follow the guidelines below to ensure that privacy is protected and data stays safe:

  • if you are a host, ensure that you use a password protected meeting invite;
  • if you are a host (using Zoom), there is a feature that allows participants to provide consent before a meeting is recorded; you should ensure that this feature is turned on (it is turned off by default);
  • if you are an attendee, ensure your host is using a password-protected link, and also use an automatically generated meeting ID for each invite;
  • if you do not want to receive targeted ads from Zoom, you can click the “Cookie Preferences” link at the very bottom of any page on the Zoom website and adjust the slider to “Required Cookies”; and
  • mute your microphone (and even sometimes turn your camera off) if you are not speaking.

Online Learning

The rapid transition to online learning has been made possible by videoconferencing apps. However, it is important to be mindful of the privacy and security risks that are associated with using the software.

We recommend teachers specifically take the following precautions when teaching via videoconferencing apps:

  • use the lock meeting option once all classroom attendees have joined the session. This prevents unauthorised access to the room;
  • use randomly generated meeting IDs;
  • where necessary and appropriate, try and obtain parental consent as students’ data may be stored;
  • do not create screen captures of students;
  • teachers can block students from joining the room before they themselves do; and
  • consider muting participants to block unwanted and distracting noise.

Next steps

Zoom has just implemented a specific K-12 privacy policy that can be accessed here. We suggest you read this privacy policy to ensure it aligns with your own privacy policy and you are fully informed about what data is being collected.

For more information or guidance, please do not hesitate to contact us.

In a move designed to encourage non-government schools to open to all students by 1 June 2020, the Federal government wrote to schools on 28 April 2020 offering earlier access to funding upon certain conditions being met.

The conditions are that the school should provide a physical learning environment from Term 2 and commit to having 50% of students in classroom learning by 1 June 2020. Meeting those conditions sees two payments of July funding made to the State by 21 May and 9 June 2020 respectively. Replies are sought by 1 May 2020, after which they may not be considered.

The conundrum is that schools were not prepared for this advice, and many have been gearing up, particularly in Victoria, to implement change from 11 May 2020, the date of the State premier’s announcement on restrictions. The Victorian government position, although non-binding on non-government schools, is that schools should offer onsite learning to only vulnerable students and those whose parents cannot work from home (aimed at essential service workers).

School boards make the call on this one and will need to meet in the next day to decide whether they want or need the funding and the implications for fee relief or JobKeeper entitlement calculations.

The Government’s Return to Classroom based learning Factsheet contains its recommendations about practices which will need to be followed to keep students safe.

Next steps

It will be important for schools to make this assessment independently, especially as there is no change to minimum standards. The management of risk, with student welfare at the centre, rather than the management of money, will need to be the primary consideration.

For further support or guidance, please do not hesitate to contact us.

With the advancement of modern technology, organisations (including schools) are lucky enough to be able to manage the impact of COVID-19 through remote working and learning arrangements.

However, many schools are navigating uncharted waters trying to determine what resources and tools are needed to ensure students and teachers are supported and whether these tools can easily be used from home.

A privacy impact assessment provides a useful framework to screen for privacy issues and may help to further mitigate any privacy risks associated with remote learning arrangements.

Why assess privacy risks at the moment?

Right now, it’s more important than ever, because we are sharing and disclosing a great deal of personal, confidential and sometimes even sensitive information online.

Under Australian Privacy Principle 11, organisations must take active measures to protect personal information they hold from misuse, interference and loss, as well as unauthorised modification or disclosure. Organisations also have obligations under the Notifiable Data Breach Scheme.

Assessment – key considerations

Collection:

  • What personal/confidential/sensitive information will be collected?
  • How will it be collected?
  • How will consent to use and disclosure be obtained?

Consider these questions in the context of each learning platform that you’re using.

Use:

  • Is the user aware of uses of their personal information?
  • What measures are in place to ensure the information is used only for the primary purpose of collection OR a related secondary purpose?
  • If the information is sensitive information, will use be with consent or only for the primary purpose?

Disclosure:

  • To whom will information be disclosed?
  • Will information be disclosed only for the purposes for which it was collected?
  • What measures are in place to vet the privacy practices of any recipient?

NB: You should also consider whether the Collection, Use and Disclosure of the information is consistent with your own internal privacy policy.

Security:

  • What security measures apply to this personal information? Do we have adequate cybersecurity and suitable policies?
  • Do all devices and firewalls have the necessary updates and the most recent security patches (including to operating systems and antivirus software), and do they have strong passwords?
  • Have you implemented a secure method for staff to access your network and system?
  • Do you have a system in place that all users are aware of in the event of a potential data breach?

Education:

  • Are staff members educated on ICT and cyber security practices, such as identifying hazards, how to ‘lock rooms’, disciplining or removing students from rooms, and use of passwords and encryption?
  • Are staff members educated on physical security and the handling of personal information when working from home?
  • Is there a policy that covers information security when staff members work offsite, such as from home, a secondary site office or a temporary office?

How we can help

If you’re uncertain as to how your current policies and practices may equip you for the new environment, you may wish to consider:

  1. Reviewing, updating and amending your privacy policy;
  2. Implementing and/or reviewing a data breach response plan;
  3. Drafting consent forms for parents and students, detailing the types of programs they will be using and what information may be collected/used/disclosed; and
  4. Training your staff on their rights and obligations.

Moores can provide assistance with all of the above and is available for online training with staff members. For more information, please do not hesitate to contact us.