Significant privacy breach at Strathmore secondary college … including access to health and medication data
August 23, 2018 |
Yesterday there was a very significant privacy breach at a Victorian school, Strathmore Secondary College, involving the release of health information of students including mental health conditions, medications and learning and behavioural difficulties. It is reported in the Guardian and SBS, among others. The exposure of 300 school student’s records on the school’s intranet was likely the result of human error. That bespeaks a very ordinary privacy training and controls. Which is not uncommon.
These events provide a useful application of how the privacy legislation in Victoria may work for those who are affected by the breach. Under the Privacy and Data Protection Act 2014 those affected by this privacy breach may have basis for making a complaint under section 57. If the complaint is not resolved that complaint may be referred to the Victorian Civil and Administrative Tribunal and those affected may have a cause of action. The jurisprudence of VCAT in this area of the law does not inspire confidence. In the main its decisions are quite disappointing both in the findings and the analysis of the privacy principles. However given that highly sensitive personal information was disclosed without authorisation it would be difficult not to see how a case cold not be sustained.
The Guardian reports provides:
Melbourne student health records posted online in ‘appalling’ privacy breach
Health and medication data posted in error on Strathmore seconday college intranet
The personal records of hundreds of Melbourne high school students have been mistakenly published, sparking an investigation into an “appalling” privacy breach.
The Victoria education minister, James Merlino, said his department would launch an inquiry into the breach at Strathmore secondary college in the city’s north-west.
“It’s nothing short of appalling … it’s distressing for students and their parents because it may result in embarrassment, in bullying,” he told reporters on Wednesday. “These things should not happen.”
Human error was believed to be the cause of the publication of more than 300 students’ records on the school’s intranet service which, according to News Corp reports, included information about medical and mental health conditions, medications, and learning and behavioural difficulties.
The records were accidentally published as late as Monday and remained online until Tuesday, the Herald Sun reported, with parents and students seeing the information.
My Health Record: former privacy head warned of dangers six years ago
It listed conditions such as Asperger’s; autism, ADHD and medication including Ritalin.
Jillian English, the principal, said the school was looking at how the breach occurred to ensure it did not happen again.
“Our school takes privacy and data security very seriously and I recently arranged professional development for my staff to ensure they are able to follow best practice,” the newspaper quoted her as saying.
Merlino said education department privacy and IT staff would visit the school on Wednesday to make sure all staff understood privacy and IT issues.
“What I can say to parents and students across our education system, this looks to be a one-off human error, but it is a very serious matter,” he added.
The opposition education spokesman, Tim Smith, said it was more worrying if human error caused the breach.
“This is really serious data that’s been breached, it’s children’s private personal, medical and education data, and frankly it should be sacrosanct,” he said.
Strathmore college was contacted for comment.