The online environment during the COVID recovery: child protection, duty of care and privacy
While schools continued to operate during lockdowns, many activities, including teaching and learning, continued online rather than in the classroom. Now that new digital technologies and online systems are in place, some school learning activities and communication will continue to take place through online platforms, which blur the lines between being ‘at school’, ‘at work’ and ‘at home’.
As we continue to live with COVID-19, educators should take the time now to consider the duty of care owed to students in this context and how these online activities may raise concerns around child protection and impact the privacy of students and staff.
Child Safe Standards
The Royal Commission into Institutional Responses to Child Sexual Abuse identified that online child safety was a growing area of concern for communities and institutions with the advent and spread of digital media and online technologies creating additional risks for children.
The work of the Royal Commission led to the development of the National Principles for Child Safe Organisations which embed the ten Child Safe Standards and support organisations to develop a strong child safe culture. In particular, Standard 8 provides that:
‘Physical and online environments minimise the opportunity for abuse to occur’
In NSW, the national Child Safe Standards have now been mandated for all child-related organisations. Victoria has also mandated a similar set of Child Safe Standards (which include one additional Standard). While other states and territories have taken a similar approach to implementing the Standards, it is necessary to keep in mind that child protection legislation is complex and the requirements in the different jurisdictions may vary.
Many schools already have policies in place that meet the requirements of the Child Safe Standards. However, some of the Standards will require additional work and considered analysis to bring practices and procedures up-to-date, to educate staff and develop a stronger child safe culture.
Schools are encouraged to do a ‘gap analysis’ and determine any areas where they may fall short of the Standards, including an increased focus on child safety in the online school environment.
Online safety and the eSafety Commissioner
The eSafety Commissioner was established in July 2015 originally as the Children’s eSafety Commissioner. A key function of the Commissioner was to administer the Cyberbullying Complaints Scheme. The new Online Safety Act 2021 (Cth) built on these foundations and enhanced the protections available to protect all Australians from online harm.
The new online safety framework commenced on 23 January 2022 and includes:
- a broader Cyberbullying Scheme for children, which now includes harm occurring on services other than social media;
- updates to the Image-Based Abuse Scheme that allows eSafety to seek the removal of intimate images or videos shared online without a person’s consent (also known as ‘revenge porn’);
- a world-first Adult Cyber Abuse Scheme, a new complaints-based removal notice scheme for cyber-abuse against Australian adults;
- giving the eSafety Commissioner power to require internet service providers to block access to material showing abhorrent, violent conduct such as terrorist acts; and
- new Basic Online Safety Expectations for online service providers and a new requirement for service providers to respond to an eSafety removal notice within 24 hours (previously 48 hours).
The eSafety website also has extensive resources available to educators, parents, young people and other vulnerable groups. Resources for schools include the Best Practice Framework for Online Safety Education.
The Duty of Care
We know schools owe a duty of care to their students, but how far does this duty extend ‘beyond the school gates’ and into the online environment? Where a duty of care is owed, schools must consider:
- whether the risk of injury is reasonably foreseeable;
- what may be the likelihood of the risk eventuating (as in, is it a more than insignificant risk?);
- what is a reasonable standard of care; in other words, what could reasonably be done to mitigate the risk or has there been a breach of the duty of care?; and
- if this failure caused or contributed to the injury, loss or damage.
When we are considering bullying, including cyberbullying, between children who attend the same school, there is unlikely to be much of an issue with demonstrating foreseeability or probability. The real issues to consider are:
- what precautions should have been taken, that were reasonable in the circumstances, to prevent the risk of harm to students through bullying and cyberbullying; and
- whether the failure to take such precautions caused or contributed to the loss or damage.
As cyberbullying will, in certain circumstances, fall within a school’s duty of care, all schools should take action to help prevent cyberbullying. It is essential that bullying policies, student discipline/behaviour policies and codes of conduct address cyberbullying and also deal with acceptable online conduct and appropriate use of digital technologies, including with regard to use of the school’s network, online platforms, school devices and personal devices used for school activities.
Finally, schools also need to consider privacy obligations while operating in the online environment. While child protection and safety may be paramount, students still have a right to privacy.
There are many laws that place obligations on schools regarding privacy. For government schools in NSW, the Privacy and Personal Information Protection Act 1998 (NSW) provides for the protection of personal information and imposes obligations on government agencies in the collection, storage, use and dissemination of personal information.
Independent schools are covered by the Privacy Act 1988 (Cth) as they collect and hold health information (and are also unlikely to fall within the small business exemption). Schedule 1 to the Privacy Act contains the Australian Privacy Principles (APPs), which govern standards, rights and obligations around:
- the collection, use and disclosure of personal information;
- an organisation’s governance and accountability;
- integrity and correction of personal information; and
- the rights of individuals to access their personal information.
A breach of an APP is considered an interference with the privacy of an individual and can lead to regulatory action and penalties, including financial penalties. There is also specific legislation dealing with the privacy of health information.
The introduction and use of online platforms for schools and other related activities requires a school to analyse the safety of these programs, the security of data and compliance with the APPs. In particular, overseas based platforms, programs and services may not comply with privacy protection requirements under Australian legislation and this will require investigation.
Schools collect a great deal of personal information from parents and students. Schools must ensure that personal information is collected only where reasonably necessary for (APP 3) and is held securely. Information which is no longer required is destroyed (APP 11).
Schools investigating new technologies should consider whether these meet the standards imposed under the APPs before use. Access to online platforms and audio-visual links such as Zoom should always be password protected (enabled at the individual meeting level at the user, group, or account level) to ensure security and privacy of online school activities. Where information is sensitive (such as counselling records), restrict access only to staff with a genuine need to access such records.
The rapid evolution of the online environment and its very nature (involving a lack of supervision and visibility) creates risks for schools that need to be identified and minimised. Schools should focus on education for students, staff and community members and use freely available resources to develop policies and procedures that focus on online safety, privacy and data protection.