Privacy advocates have raised concerns about functionality built into Western Australian school student email accounts that offers some education staff unsupervised access to stored messages.
The ‘duty of care’ feature was built into WA schools' Microsoft Office for Education cloud email service in late 2013, according to the WA Department of Education’s annual report.
The bespoke functionality, developed by Dimension Data, allows teachers to access the mailboxes of any of the state’s 265,000 public school students using the Microsoft accounts, in an effort to allay safety concerns and keep tabs on misuse.
A spokesperson for the department told sister publication iTnews that state policy obliges teachers to request access and read a student’s messages “if they have evidence of, or reasonable grounds for suspicion of, inappropriate use of the service”.
The department confirmed that the state's 770 public school principals were responsible for granting access privileges to the mailboxes.
“Schools have their own policies about access to student emails,” the spokesperson said.
“By default only one administrator role in each school has access; after that it is a local school decision to further delegate access.”
Privacy groups have flagged concerns about a lack of independent oversight of the practice.
President of the Australian Council for State School Organisations, Peter Garrigan, has been a vocal advocate for protecting cloud-based student email accounts from “data mining” by service providers.
He said he felt uneasy about WA’s approach to the privacy of young people in its care.
“I would like to see responsibility for signing off on access taken much further up the tree than the school principal, and for access events to be recorded and made accessible to independent scrutiny,” he told iTnews.
At present, cases of data access are only logged centrally by default when they involve a member of school staff other than the appointed administrator.
Some schools have employed additional tracking, the department spokeswoman said, but she could not provide any data on how many times the ‘duty of care’ privileges have been used since technology was switched on, saying the figures are “not readily available”.
“The student email service is provided by the department for the sole purpose of facilitating students’ learning. Students are made aware of the purpose and the likely monitoring of the system by both teachers and ICT staff," the WA Education spokeswoman said.
“The department has not been given any cause for concern about potential abuses or risks to student privacy due to the system of email monitoring."
“I don’t think anyone with a genuine interest in protecting personal privacy would hold any faith in them.”
Wilson warned that the sort of unfettered access WA schools appeared to have been given risked undermining the relationship of trust between a student and teacher – a concern Garrigan echoed.
“There is a need for young people to feel safe using these communications tools,” Garrigan said.
“Principals and teachers should go to the appropriate authorities if they have a concern about a child. I am uneasy about WA building mechanisms into the email that simply make it easier to achieve this access.”
Western Australia remains the only Australian state or territory government without its own legislative privacy regime governing public sector data stores. Its Freedom of Information Act contains a handful of confidentiality provisions.
The office of the Australian Privacy Commissioner Timothy Pilgrim declined to comment on the WA Education policy.