education.vic.gov.au

Protecting personally identifiable information guideline

The department, schools and government-owned early learning and childcare centres collect the personally identifiable information of staff, children, parents/carers and stakeholders as part of their core functions, operations and services.

This guideline supports staff with implementing best practice when managing personally identifiable information as part of their daily work.

What is personally identifiable information?

Personally identifiable information is any information that can help to confirm a person’s identity. It is a type of personal information, and it may be used on its own, or in context with other information. Personally identifiable information may be collected in digital or hardcopy format.

Personally identifiable information is critically important to individuals as, together with credentials, it makes up a person’s legal identity.

Personally identifiable information includes commonly used information specific to an individual like:

  • full name
  • address
  • date of birth
  • phone number
  • email address
  • photos
  • usernames and passwords
  • bank account details
  • school name.

Credentials (also known as Evidence of Identity documents) include:

  • driver’s licence
  • passport
  • birth certificate
  • Medicare card
  • Australian visa or citizenship certificate
  • student ID.

How to protect personal information

All school staff have a role to play in protecting the personal information of staff, students and the school community.

As part of their daily work, school staff must follow these practices to protect personal information:

  • do not collect personal information unless it is critical to the task or process
  • if personal information is required, collect the minimum necessary amount to undertake the task or process
  • do not retain personal information unless it is necessary. For example, evidence of identity documents may be destroyed as soon as the identity verification process is concluded. If schools are unsure whether personal information should be retained, contact Records and Mail Services at archives.records@education.vic.gov.au for guidance
  • if personal information must be retained as a record, keep it in authorised systems and secure locations where access is restricted to authorised staff
  • do not share personal information with others, including within the department, unless there is a genuine need for the recipient to have access to this information
  • do not enter personal information, under any circumstances, into generative artificial intelligence tools
  • ensure third parties that the school engages with have safeguards in place to protect the personal information the school shares with them, for example, by following procurement processes and using the department’s contract templates.

How to avoid overcollection of personal information

Privacy law requires that schools only collect personal information that is needed. Collecting more personal information than is required increases the risk of that information being accessed, used or shared inappropriately.

Overcollection is when more personal information is collected than is needed for a particular purpose. Examples of overcollection include:

  • asking for date of birth for a student activity when only year level is needed
  • asking for copies of identity documentation to be supplied when sighting them would be sufficient
  • asking for details like gender or home address when these details are not relevant
  • asking for details of all health and wellbeing conditions, when only information about a specific condition is required to make a reasonable adjustment (to support an individual)
  • capturing images of parents/carers collecting or dropping off school children, when only identity verification by school staff is needed.

To avoid overcollection, consider the following questions:

  • Can the school fulfil the purpose with less personal information?
  • Can the school provide a valid reason for collecting this information, or is it being collected 'in case it might be useful'?
  • Is the school only using essential information fields in systems, or can the school achieve the purpose with less?

If a school can't directly relate the collection of personal information to the purpose, or the school is collecting it for a possible but not certain future use, this is overcollection.

Further information

Please contact the below teams for further support:

Reviewed 09 April 2025
