Document for release LEX 1600.pdf

Table of contents

Privacy Impact Assessment ........................................................................................................... 1
Table of contents ............................................................................................................................. 2
1
Executive Summary ............................................................................................................ 3
2
Applicable Privacy Laws .................................................................................................. 12
3
About this PIA .................................................................................................................... 12
4
Scope of PIA ...................................................................................................................... 14
5
Background ........................................................................................................................ 14
6
Nature of information involved ........................................................................................ 23
7
Privacy compliance analysis............................................................................................ 24
8
Community Expectations ................................................................................................. 69
Schedule 1: Information flow descriptions ................................................................................. 71
Schedule 2: Glossary ..................................................................................................................... 85
Schedule 3: Materials .................................................................................................................... 87
10268\10268\95818240\1
6 August 2024
Page 2 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
2

1  Executive Summary
Introduction
1.1
In 2023, the Australian Government al ocated $203.7 mil ion to help young people in every
school across Australia through the rollout of the Student Wel being Boost1. As part of the
Boost, $10.8 mil ion of the package, to be spent over two years, was dedicated to the
development of a new Voluntary Mental Health Check Tool to help schools identify declining
mental health in students and enable those schools to adjust their pastoral care programs to
meet the needs of their students.
1.2
The Department of Education (the Department) has engaged Macquarie University to
develop and implement a free, online, Voluntary Mental Health Check Tool which is to be
made available to all Australian schools, including government schools in jurisdictions where
state or territory Governments have opted to offer it to their schools. Macquarie University has
developed the Voluntary Mental Health Check Tool which is cal ed My Mind Check (MMC)
and consists of:
(a)
a public facing website from which individuals can learn about MMC, lodge enquiries
and requests for further information or start the process to obtain MMC for their
school;
(b)
a staff portal in which staff of schools who have chosen to implement MMC, can
create student profiles, set up sessions in which to conduct a point-in-time mental
health and wel being check-in assessment with groups of students, view visual
summaries of the assessments completed and link to further resources.
1.3
MMC for students wil  take the form of a self-paced online screening program that wil  provide
a point-in-time snapshot of a student’s mental health and wel being. In order to use MMC, the
school must first obtain consent from a caregiver or the student (should they have the
requisite capacity to consent).
1.4
MMC wil  be programmed to process the answers provided by students to create
visualisations of the results and enable authorised staff within the school to identify which
students are not coping, provide resources, and adjust or focus their pastoral care activities
accordingly to ensure students are supported to achieve their best.
1.5
The other component of the Student Wellbeing Boost to complement MMC was additional,
one-off funding for all schools to support student mental health and wellbeing.
1.6
The Department has commissioned this privacy impact assessment (PIA) to identify and
assess privacy compliance risks in respect of implementation of MMC, and to ensure any
issues identified can be removed or appropriately managed.

1 Joint Media Release Date, Half a billion-dollar investment into student wellbeing, Ministers The Hon Jason Clare MP, Minister
for Education and the Hon Emma McBride MP, Assistant Minister for Mental Health and Suicide Prevention Assistant Minister
for Rural and Regional Health, 2 February 2023.
10268\10268\95818240\1
6 August 2024
Page 3 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
3

2  Applicable Privacy Laws
2.1
Macquarie University is a public research university based in Sydney. It is established under
the Macquarie University Act 1989 (NSW) by the NSW Government and is therefore a
statutory body representing the Crown which is defined as a public sector agency for the
purposes of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act) and
the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act).
2.2
As Macquarie University is a public sector agency for the purposes of both the PPIP Act and
HRIP Act, it must comply with the information protection principles and health privacy
principles contained in those Acts.
2.3
Under the Long Form Services Contract in Relation to the Provision of a Voluntary Mental
Health Check Tool made between the Commonwealth of Australia represented by the
Department of Education (ABN 12 862 898 150) and Macquarie University (ABN 90 952 801
237) on 13 June 2023, Macquarie University is also contractual y obliged to comply with the
Privacy Act 1988 (Cth) (Privacy Act).
3  About this PIA
What is a PIA
3.1
While NSW privacy legislation does not define a PIA, section 33D of the Privacy Act defines it
as a written, point in time assessment of an activity or function that:
(a)
identifies the impact that the activity or function might have on the privacy of
individuals; and
(b)
sets out recommendations for managing, minimising, or eliminating that impact.
3.2
A PIA is a process that helps identify, assess, and mitigate the impact a program may have
on the privacy of individuals. It helps organisations consider the different elements of the
proposed program, how it may involve the handling of personal information, and any inherent
privacy risks.
3.3
We are not aware of any obligation under the PPIP Act which requires public sector agencies
to undertake a PIA.
3.4
Whilst the Office of the Australian Information Commissioner’s (OAIC) power to direct
Commonwealth agencies to undertake a PIA does not apply to New South Wales
Government public sector agencies, we note Macquarie University is providing the services
on behalf of the Department, and there are many potential benefits that can be gained by
conducting a PIA. The OAIC encourages agencies and organisations more broadly to
undertake PIAs for projects that involve handling of personal information.
3.5
The Department has commissioned this PIA to consider the end-to-end information flows for
the MMC which is being developed and delivered by Macquarie University. The MMC wil  be
rolled out national y and wil  collect and handle both personal and health information about
students from participating schools. The implementation of the MMC wil  involve Macquarie
University col ecting and handling new information in a new way and the information that wil
be collected and handled is health information that is defined as sensitive information under
the Privacy Act. On that basis, we consider the implementation of the MMC to be a ‘high
privacy risk’ project for which the undertaking of a PIA is entirely appropriate.
10268\10268\95818240\1
6 August 2024
Page 12 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
12

3.6
In preparing a PIA, we map out the information flows to identify privacy impacts and risks and
then undertake an examination of how a project impacts on privacy, both negatively and
positively, having regard to how personal information is handled in the particular context,
analysing compliance with applicable privacy law.
3.7
We assess the project at each point in the personal information lifecycle (to the extent it
comes within the scope of the project). When undertaking a privacy compliance assessment
regard is had to compliance with privacy laws, as well as whether the proposal or project is
likely to meet the expectations of the community. A project may strictly comply with applicable
privacy laws however, if it does not meet the expectations of the community, this can
potentially derail a project and as such, it is important for a PIA to consider the broader
privacy implications and risks, from a community expectations perspective.
3.8
Generally, our assumptions on community expectations are based on the findings in the
OAIC’s Australian Community Attitudes to Privacy Survey 2023. We are instructed that
Macquarie University has undertaken some consultation in relation to the MMC and as such,
where possible we wil  also take this into consideration.
3.9
Matters discussed under the ‘Privacy compliance analysis’ heading (Part 7 of this PIA)
provide the context and grounds for the recommendations.
3.10  This PIA has been prepared in accordance with the OAIC Guide to undertaking privacy
impact assessments dated 2 September 2021 and the New South Wales Information and
Privacy Commission’s (IPC) A guide to Privacy Impact Assessments, updated May 2020.
Making recommendations
3.11  A PIA should identify privacy risks and recommend measures to remove or reduce those risks
to an appropriate level.
3.12  However, recommendations should seek to achieve a balance between the benefits to be
achieved by the Department in undertaking the activity, and the rights if the individual whose
privacy is affected by the activities.
3.13  The recommendations made in this PIA, reflect the above principles.
Methodology
3.14  To prepare this PIA, we have:
(a)
mapped the information flows in consultation with the Department and Macquarie
University (refer to Schedule 1);
(b)
considered the material in Schedule 3;
(c)
conducted a privacy compliance analysis for each of the information flows against the
applicable privacy laws; and
(d)
consulted the Department and Macquarie University in respect of the outcomes of our
analysis and PIA recommendations to finalise the PIA.
3.15  We have not consulted with external agencies, stakeholders, or interest groups, other than
the Department and Macquarie University, to prepare this PIA.
10268\10268\95818240\1
6 August 2024
Page 13 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
13

4  Scope of PIA
In scope
4.1
This PIA considers privacy compliance risks for Macquarie University and the Department in
relation to the implementation of MMC, as assessed against:
(a)
the PPIP Act and the information protection principles (IPPs);
(b)
the HRIP Act and the health privacy principles (HPPs); and
(c)
the Privacy Act and the Australian Privacy Principles (APPs),
and with reference to the information flows set out in Schedule 1 of this PIA.
Out of scope
4.2
This PIA does not assess:
(a)
compliance with applicable privacy laws for schools that elect to implement MMC;
(b)
Macquarie University’s separate use of de-identified student information for activities
which are not part of the contracted services (as specified in Schedule 1 of the
Contract) and includes, non-commercial research and development, education, and
publication activities;
(c)
collection, use and disclosure of personal and health information by subcontractors to
Macquarie University for the provision of the MMC tool as we have not received
instructions on these matters;
(d)
the Terms of Use for the MMC as this is outside the scope of the PIA; and
(e)
records management obligations of Macquarie University and the Department.
5  Background
Overview
5.1
Australian students have faced years of disruptions to schooling due to the COVID-19
pandemic and successive lockdowns, and the ever-increasing natural disasters resulting in
fires and floods, all which have significantly impacted on the mental health and wellbeing of
students2.
5.2
In its interim report, the Productivity Commission’s Review of the National School Reform
Agreement emphasised the importance of student wel being as an important outcome of
schooling as well as it being a vehicle to achieve improved learning outcomes3. As noted
above, the Department received funding in the 2022-23 Budget to develop and implement a
Voluntary Mental Health Check Tool (the MMC) to help schools identify and address declining
mental health in students.

2https:/ www.aph.gov.au/About Parliament/Parliamentary departments/Parliamentary Library/pubs/rp/BudgetReviewOctober2
02223/FundingSchoolsStudentWel being
3 Review of the National School Reform Agreement Study report, Commonwealth of Australia 2022, Part 5.
10268\10268\95818240\1
6 August 2024
Page 14 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
14

5.3
The Department has engaged the Macquarie University Faculty of Medicine, Health, and
Human Sciences to develop and implement the MMC. Macquarie University has established a
team to develop and deliver the solution, which they have been tasked to manage for
approximately one year under its current contract with the Department. Fol owing the initial
period of implementation, the Department wil  review the MMC solution including the interest
and take up of MMC by schools as well as community sentiment in relation to it and determine
appropriate next steps for MMC.
The MMC solution
5.4
Macquarie University has engaged Centorrino Technologies Pty Ltd (Centorrino) to create,
host and support the MMC solution s 47G(1)(a)

5.5
The platform which makes up the MMC is hosted on an instance of cloud database owned by
Centorrino Technologies and hosted within data centres in Melbourne and Sydney.
5.6
The MMC solution comprises the following three components:
(a)
the MMC public facing website managed using a Wordpress Content Management
System which wil  provide information about the MMC including:
(i)
information about who the MMC is for, who manages it, and possible actions
schools can take using the outcomes of the MMC as well as access to the
Terms of Use for the MMC and Privacy Col ection Notice,
(ii)
information for caregivers about how the MMC works, what wil  be required of
students who agree to use it and links to further resources;
(iii)
information for students about using the MMC; and
(iv)
frequently asked questions.
The website also contains the link to the Portal for staff and students and a link to an
enquiry webform;
(b)
the MMC staff portal with a front-end user interface, s 47G(1)(a)

The portal wil  have separate logins for students and staff;
(i)
staff wil  have access to the staff section of the portal for their school which
will enable authorised users to manage staff users, manage student users,
manage student groups, setup sessions, view sessions and outcomes of
check-ins and access further resources; and
(ii)
students wil  have access to the check-in modules selected by their school
and relevant to their age/year group via a session code authentication step;
and
(c)
a school support team which wil  guide and facilitate school’s access to MMC and
provide MMC technical support to schools during school hours.

4 Voluntary Mental Health Check Tool: Final Design Plan, Version 1.0, 9.11.2023.
10268\10268\95818240\1
6 August 2024
Page 15 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
15

5.7
The MMC solution is standalone s 47G(1)(a)

5.8
MMC wil  be made available to all schools within Australia, including government schools
where the relevant state or territory government has decided to offer the MMC to their
schools, on a voluntary basis. Macquarie University wil  make information about the MMC
available to schools both directly and via the MMC website and it wil  be up to a school (and
their state or territory government in the case of government schools) whether they decide to
implement the MMC.
MMC process flow
5.9
The process flow for implementing the MMC within a school is as follows:
(a)
in order to gain access to and use MMC, a school wil  be required to enter into a
licence agreement with Macquarie University. It is at this point schools wil  select the
modules they wish to implement via MMC for their school which wil  dictate the
questions that are presented to the school’s students;
(b)
once the licence agreement has been completed, Macquarie University wil :
(i)
establish a school profile (school database) which is a dedicated, secure
area within the MMC Portal s 47G(1)(a)

(ii)
establish an MMC staff account for the school principal or their delegate as
well as another school staff member with administrator access; and
(iii)
send to the school necessary resources such as a template consent form for
obtaining student/caregiver consent and a template privacy collection notice;
(c)
once the school database is established the school principal or school administrator
wil  log into MMC and create staff accounts for all other staff members in the school
who wil  require access to it. When creating staff accounts, the principal or
administrator wil  enter in the fol owing details for each staff member given access:
(i)
first and last name; and
(ii)
work email address,
and wil  assign a role to each staff member which wil  determine their level of access
in the MMC portal. There are five types of roles which can be assigned to school staff
and each role wil  have the following s 47G(1)(a)
s 47G(1)(a)
(d)
the school wil  then communicate with their school community about the MMC and
obtain and store (using their own systems) consent from caregivers or students (if
they have capacity to consent);
10268\10268\95818240\1
6 August 2024
Page 16 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
16

(e)
s 47G(1)(a)

wil  contain the fol owing information
about the students who have consented to use the MMC:
(i)
student ID;
(ii)
preferred name (this can be any name the school recognises the individual by);
(iii)
last name; and
(iv)
year level,
(f)
s 47G(1)(a)

the student information is stored within the school’s database within the
MMC database. The processing that wil  be undertaken on the student data by the
API will involve:
(i)
a data match against school data already received (if any) and stored in the
school database, to determine if the details of the student have ever been
received for the school in the past: and
(A)
if so, to determine whether an update is required (i.e. because new
information is received); or
(B)
if no update is required, to return an error message for the particular
student advising of a duplicate record; or
(ii)
if the student does not currently exist in the database (i.e. because it is just
being established), to add the student details to the database;
(g)
once the student dataset for the school has been established, student profiles wil  be
accessible to authorised staff via the MMC staff portal. Authorised staff wil  be able to
set up groups by selecting the students and adding the into a selected group and
schedule point-in-time assessment sessions via the MMC staff portal;
(h)
just prior to a session commencing, a staff member with a MMC role of session
supervisor or school administrator wil  create printable session codes for the group/s
about to undertake the point-in-time assessment and hand them out to the student
they are associated to;
(i)
students wil  navigate to the MMC website, and under the ‘Portal access’ drop down,
select ‘Student check-in’. The student wil  be navigated to a page where they wil
enter in their session code to gain access to the MMC tool. The session code wil  link
the student’s responses to the student;
(j)
once in the MMC tool, students wil  work through the questions presented by selecting
the most appropriate answer to complete the MMC assessment. Al  answers are
multiple choice only, there wil  be no free text responses. The questions wil  be
presented in a number of modules and none of the questions wil  be mandatory. The
modules and questions the student wil  be presented with wil  depend on the package
selected by the school;
10268\10268\95818240\1
6 August 2024
Page 17 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
17

(k)
student responses are ingested by the MMC tool after each module is completed and
the MMC tool wil  process the responses and automatically generate a visual
summary of each child’s outcomes as wel  as outcomes for each group and the
school generally. The outcomes wil  be accessible to authorised staff members only;
(l)
student answers wil  be transferred and stored into the MMC database as they
complete each module. The MMC database stores response data in two separate
tables within the MMC database as follows:
(i)
identified outcomes data (The outcome indicators for each MMC module
completed and overal , for example, struggling, vulnerable, coping or not
enough information, but not the specific answer to each question) for each
individual student along with the fol owing information:
School data
(A)
school name;
(B)
year levels that the school covers;
(C)
state / territory in which the school is based;
(D)
postcode of the school;
(E)
Department identifier for that school;
(F)
which “screening package” the school has signed up to operate;
(G)
the sector within which the school operates (i.e. Catholic,
Independent or Public);
School Staffpoint
(H)
first and last name;
(I)
work email address;
(J)
role within the tool;
School Student
(K)
student identifier (mandatory and unique for that school);
(L)
preferred name / last name;
(M)
year level;
Student Assessment
(N)
Assessment date;
(O)
Student First Name / Last Name;
(P)
Overall Mental Health indicator (struggling / vulnerable / coping);
(Q)
Domain specific indicator (struggling / vulnerable / coping);
(R)
Protective Factors specific ratings (indicated / not indicated); and
10268\10268\95818240\1
6 August 2024
Page 18 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
18

(ii)
de-identified raw data5 (responses to each question without identifying
information)
(A)
school ID (MMC tool internal ID);
(B)
session date;
(C)
domain;
(D)
question; and
(E)
student answer.
5.10  Beyond the completion of the check-in, students will have no access to MMC. Schools may
share student check-in outcomes with students and/or caregivers (as relevant) based on
student outcomes and other information available to schools about students using their
normal communication systems, policies, and processes to guide this process. Staff members
who are authorised to access the outcomes data via the staff portal wil  only be able to view
the outcomes as the MMC has no print or extraction functions. Schools wil  not have access
to individual responses or raw data provided by students via MMC.
5.11  Staff with the requisite access wil  only be able to see the outcome indicators (struggling,
vulnerable, coping or not enough information) for individual students against each module
completed and for overall mental health and wel being.
5.12  In the event a student withdraws their consent to participate in MMC assessments, the school
wil  provide the student with the ‘Withdrawal of Consent Form – Student’. When a completed
‘Withdrawal of Consent’ form is submitted to the school, the school wil  be responsible for
‘deleting’ the student profile from the MMC portal (pending consideration of whether the
deletion of data is lawful).
5.13  s 47G(1)(a)


5.14  Deletion of data wil  be immediately reflected across both data centres which store MMC data
and in Macquarie University activity logs.
5.15  At the expiry of the contract for services between Macquarie University and the Department,
Macquarie University is required to provide all data collected via the MMC, including personal
and health information, to the Department, or another provider, as required by the
Department.
Session codes
5.16  s 47G(1)(a)

Session codes are automatically
generated by the MMC tool for each student in the group s 47G(1)(a)

5.17  The codes are only valid for the period that the session is active and wil  not work once the
session has been closed and cannot be re-used. s 47G(1)(a)



5 De-identified raw data is data that does not include either the student identifier or the session code for a student. There are no
attributes stored that could be used to link the answers back to the student identifier. Macquarie University wil  not have the
ability to link answers from dif erent sessions for a given student (as Macquarie University would need a student identifier to do
this).
10268\10268\95818240\1
6 August 2024
Page 19 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
19

5.18  This means that the student code is only valid for that student, during that session if the
session is active and the check in is being conducted between 8am and 5pm on a weekday.
Mental health and wel being point in time assessments
5.19  Macquarie University provides schools with instructions for facilitating mental health and
wellbeing point-in-time assessments. Macquarie University also provides guidance on how
often to conduct these assessments and as a general rule of thumb, recommends schools
undertake assessments twice per year, and at a maximum, no more than once a month.
5.20  Schools wil  be able to choose from four types of question packages to implement in their
MMC solution and the package chosen wil  dictate the questions that wil  be presented to
students. There is a core package, and two other optional packages schools may select from
so there are four packages available to choose from as follows:
(a)
the core package of questions;
(b)
the core package plus pack 1;
(c)
the core package plus pack 2; and
(d)
the core package by packs 1 and 2.
5.21  The questions in the modules wil  differ by student age group with students in foundational
classes up to year three being presented with visual presentations. These students will be
presented with two images and wil  select the image that best reflects them in response to the
question.
5.22  Students from years four and five, and years six to 12 are asked a series of questions with a
range of possible answers for them to select from.
5.23  At the start of the assessment al  students wil  be asked to respond to demographics
questions which ask:
(a)
how old are you?
(b)
how do you describe your gender? (male, female, another gender, unsure or I do not
want to answer); and
(c)
most of the time I live with? (two parents, one parent, other family members, foster
carers, other or I do not want to answer).
5.24  The student wil  then enter into the core package of questions which include the fol owing
modules:
Years 4-12
(a)
anxiety;
(b)
attention / activity;
(c)
family connections;
(d)
school belonging;
(e)
peer acceptance; and
(f)
mood; (years 6-12 only)
Years foundational to 3
10268\10268\95818240\1
6 August 2024
Page 20 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
20

(g)
internalising;
(h)
externalising; and
(i)
protective.
5.25  Modules for the optional domains include:
Years 4-12
(a)
peer victimisations;
(b)
body image / eating difficulties (years 6-12 only);
(c)
sleep (years 6-12 only);
(d)
cultural connections (years 6-12 only);
(e)
life satisfaction; and
(f)
life engagement (years 6-12 only).
5.26  At the end of the modules, all students wil  have a feedback module where they wil  be asked
questions about the MMC such as:
(a)
whether they think it is okay for the school to ask about student wel being;
(b)
whether they felt upset by answering any of the questions;
(c)
whether they would do the assessment again; and
(d)
if they think it is helpful.
Macquarie University use of de-identified data
5.27  Macquarie University wil  extract de-identified raw data from the MMC database for quality
assurance and service improvement purposes, as well as to fulfil its contractual reporting
requirements to the Commonwealth.
5.28  Macquarie University has a revocable licence from the Commonwealth to store and use this
de-identified raw data for non-commercial research and development, education, and
publication purposes that relate to developing and operating the MMC solution and
understanding and measuring youth mental health and wellbeing in a way that does not allow
comparison of mental health and wel being data across jurisdictions or education sectors.
5.29  Macquarie University will use de-identified data to publish information routinely col ected as
part of operating the MMC tool. This may include how it developed the initiative (e.g. the
consultation involved), the testing and refinement that was conducted, and ongoing
refinement/improvements especially with respect to the screening items. Macquarie University
may also publish changes in mental health and wellbeing trends over time (if meaningful data
emerges) but would ensure that any outcome information provided does not identify or enable
comparisons across jurisdictions or education sectors.
Reporting to the Department
5.30  Macquarie University is required to provide reports to the Commonwealth that include
statistical data about the uptake and usability of MMC at national aggregate levels. These
reports wil  not identify individual schools or students.
10268\10268\95818240\1
6 August 2024
Page 21 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
21

Further resources
5.31  After schools receive the point in time assessment results for their students, they wil  be
presented with a range of resources and links to assist with communicating outcomes to
students and caregivers such as:
(a)
the Mental Health and Wellbeing Starter Guide – this is a document/resource to
support how school staff share outcomes with students/caregivers. It gives context
and training to school staff, so they share outcomes appropriately. It is a training
resource for school staff to ensure they are communicating outcomes appropriately.
This resource does not integrate with the portal nor contain any personal information,
but it is a generic document that can be downloaded and used by school staff;
(b)
Student Action Plan – this is a downloadable document that schools can complete
with the student/caregiver to assist the student with “next steps” and draw on
supports. It wil  not integrate with the portal and if the school chooses to use the
document they wil  download it to their own devices, edit/add text to it and save it
locally (i.e. it is not possible to upload this back to the MMC portal);
(c)
a link to the MMC website’s curated list of resources including fact sheets, programs,
service finders that students/caregivers can view/connect with if they would like to find
out more or access support on a topic area measured by the MMC tool. No data wil
be recorded about accessing these resources, and accessing services is independent
of MMC (and in most cases, the student’s school).These resources are linked in the
follow-up modal within the staff portal so schools can easily access domain-specific
information that is always publicly available on the MMC website;
(d)
a link to a template record of communication/observation document that includes
suggested text that schools may want to use to ensure they are documenting their
actions. Use of the text/template is optional for schools and completed templates wil
not be stored or saved in the MMC portal. The template document is available for
schools to download and then copy/paste/save the document for example, within their
regular student management systems; and
(e)
a link to conduct student observations using the BeYou BETLS Observation Tool.
This is a link to a suggested additional resource that schools may want to consider if
they would like to conduct further observation (i.e. teacher report) of student
wellbeing. This is a separate tool, independent of the MMC tool. The link is included
as a resource to support schools in considering the most appropriate next steps to
support students following a check in. MQ wil  not have access to anything recorded
by a school who chooses to implement a BETLS.

10268\10268\95818240\1
6 August 2024
Page 22 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
22

6  Nature of information involved
Personal information involved in the project
6.1
MMC wil  involve the collection and handling of the fol owing personal information about
individuals who lodge an enquiry or provide feedback on the website:
(a)
direct identifiers and contact details such as name and email address;
(b)
location, state;
(c)
school details such as school name and type; and
(d)
enquiry details if the enquirer chooses to use the optional free text field to include a
question or comment.
6.2
MMC wil  involve the collection and handling of name and contact details for individuals who
choose to subscribe to MMC newsletters and updates from Macquarie University.
6.3
MMC will involve the collection and handling of the fol owing personal information about
school staff if the school registers to use the MMC:
(a)
direct identifiers – first and last name;
(b)
contact information – work email address; and
(c)
MMC profile – role assigned in the MMC.
6.4
MMC wil  involve the collection and handling of the fol owing personal information about
school students:
(a)
direct identifiers – preferred name and last name; and
(b)
school information – student ID and year level.
Sensitive information involved in the project
6.5
Section 6 of the HRIP Act defines health information as including personal information that is
information or an opinion about the … mental health (at any time) of an individual.
6.6
Health information is defined under section 6FA of the Privacy Act as including information or
an opinion about the health (at any time) of an individual.
6.7
The project wil  involve the collection and handling of information about the mental health and
wellbeing of students and therefore wil  involve the handling of health information when:
(a)
school students respond to the questions in the MMC modules; and
(b)
the MMC tool generates an outcome indicator for the student based on their
responses to MMC questions.
6.8
Personal and sensitive information wil  be sourced from:
(a)
individuals when they:
(i)
lodge an enquiry or provide feedback via the website or an email;
(ii)
complete a consent form; and
(iii)
log in and complete a point-in-time mental health and wellbeing assessment
by responding to the MMC questions; and
10268\10268\95818240\1
6 August 2024
Page 23 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
23

(b)
third parties when:
(i)
the school principal or school administrator create staff profiles within the
MMC staff portal for their school; and
(ii)
a parent or guardian completes a consent form to enable their child/ren to
undertake mental health and wel being assessments using the MMC.
7  Privacy compliance analysis
Consent based participation
7.1
Student participation in mental health and wel being assessments wil  be voluntary and based
on either the student or the students’ parent or guardian providing their consent and their
details to participate. In accordance with the terms and conditions in the MMC Software
Licence entered into between Macquarie University and schools who choose to implement the
MMC, the school wil  be responsible for col ecting and managing consent for its participating
students.
7.2
The scope of the consent is intended to include the col ection, use and disclosure of student
personal and health information by Macquarie University as wel  as by the school.
7.3
After entering into a licence agreement, Macquarie University provides to participating
schools, template consent forms which the school wil  be required to customise and use when
collecting consent or withdrawal of consent, from students (or their parent or guardian).
7.4
For consent to be valid6:
(a)
the individual must be adequately informed before giving consent;
(b)
the individual must give their consent voluntarily;
(c)
the consent must be current and specific; and
(d)
the individual must have the capacity to understand and communicate their consent.
Template consent forms
7.5
The template Information and Consent form (Consent form) includes instruction notes at the
top of the form reminding schools of their obligation to collect student consent prior to creating
a student MMC profile.
7.6
There are two consent forms provided to schools, one for parents/guardians and one for
students. A template ‘Withdrawal of Consent’ form is also provided to schools.
Informed Consent
7.7
In relation to the consent being informed, we note the following in relation to the Consent form
for parents/guardians:
(a)
the notes section of the form states that it is provided to assist schools however, in
order to ensure that schools are collecting consent which covers both Macquarie
University’s handling of personal and health information as wel  as their own, it should
be made clear to schools that they are required to use the form;

6 APP Guidelines paragraph B.38.
10268\10268\95818240\1
6 August 2024
Page 24 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
24

(b)
the Consent form states that it is to be read in connection with the Privacy Collection
Notice which provides information about how personal and health information wil  be
collected and handled by Macquarie University. Whilst it does note that mental health
assessment outcomes wil  be made accessible to schools and schools may disclose
that information to parents and guardians, there is very little information provided
about how schools wil  handle the assessment outcomes;
(c)
the Consent form states that the consent received wil  be valid only up until
30 June 2025 however there is no indication about what wil  occur after that period
including whether student wil  be able to continue to use the MMC or whether the
school will continue to have access to it and the student’s outcomes;
(d)
under the ‘What is the MMC’ section and in relation to the MMC tool, this section
provides parents with very limited information about the tool itself. Dealing with child
mental health is not an insignificant issue and as such, it should be expected that
parents wil  be quite invested and wil  want details about the tool itself in order to
make an informed decision about whether they want to provide their consent for their
child to participate. The Consent form informs parents that the MMC tool is based on
research but not whether that research has been tested or peer reviewed, whether
the accuracy of the tool’s outcomes has been tested or whether the research is AI
based and if so, whether the AI system was trained on ethically obtained data.
Alternatively, if the MMC tool is built on evidence-based frameworks, the Consent
form does not advise whether those evidence-based frameworks are tried and tested,
what sample sets the algorithm being used was trained on (if applicable) and whether
that sample set is appropriate/fit for purpose for the Australian school system;
(e)
under the ‘What happens after a check-in’ section, it states that “student check-in
responses are compared against a large sample of Australian school students to
check if they may be experiencing or are at risk of mental health difficulties” however
it is not clear how mental health difficulties can be ascertained by comparing answers
of school children and why this is necessary. As such, we consider this wil  leave
parents with more questions than answers. Further, in terms of a visual summary, we
consider it may be helpful to include an image of what the results wil  look like and
how responses are being interpreted or a link to such images if they are available
elsewhere on the website;
(f)
further, in the same section, it advises parents that they wil  be notified if the check-in
suggests their child may be having difficulties within an area of mental health. This
statement raises certain expectations in parents so wil  need to be clear about the
circumstances when parents wil  and wil  not be consulted and what information they
may or may not be entitled to receive about their child. For example, wil  parents be
consulted if it is revealed that they are the source of the mental health difficulties the
student is experiencing or if a student specifical y requests that they not be informed.
These are all very important issues that should be considered so that clear and
informative details can be provided to parents to inform their consent and set their
expectations;
(g)
in relation to the actual consent section of the form on the last page, the last point has
been recently added and is in draft form however, as currently drafted, it is confusing
and suggests that the de-identified information wil  also constitute personal and health
information. We are instructed that Macquarie University wil  only use de-identified
10268\10268\95818240\1
6 August 2024
Page 25 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
25

information for the purposes listed. Personal information that has been properly de-
identified means that it no longer comes within the definition of ‘personal information’
for the purposes of the PPIP Act, HRIP Act and Privacy Act.
(h)
we are also instructed that Macquarie University is not intending to seek consent for
its uses of de-identified information and as such, it is not clear why the last dot point
has been added to both the summary of main points above the consent as well as to
the list of matters the parent wil  consent to; and
(i)
we note that there is no information either in the Consent form or the Privacy
Collection Notice about how long student data is to be retained for, how schools will
collect and handle student personal and health information and what wil  occur with
participant data after 30 June 2025.
7.8
In relation to the Consent form for Students, we note it contains the same information so the
above points wil  apply however, we also note the following:
(a)
the students who wil  be reading this form are students who are considered to have
the capacity to consent and as such, we note that some information provided for
those students is not relevant to them, for example, the information about what
children in year three and below wil  be shown; and
(b)
the language used in the Student Consent form as well as the Privacy Col ection
Notice is quite sophisticated and has not been amended in any way to ensure it is
targeted and appropriate for their age level. Privacy and other notices can be difficult
to comprehend for anyone let alone students who may not be al  that used to reading
them. Notices that are difficult for young people to understand, can hinder their
comprehension of data processes and result in a lack of informed consent.
Voluntary consent
7.9
For consent to be voluntary individuals must have a genuine opportunity to provide or
withhold their consent7. In relation to the Consent form, we note that the form clearly advises
parents that participation is voluntary and can be withdrawn at any time.
7.10  Bundling together multiple requests for an individual’s consent to a wide range of collections,
uses and disclosures of personal information, without giving the individual the opportunity to
choose which col ections, uses and disclosures they agree to and which they do not will
undermine the voluntary nature of the consent. This should be borne in mind when setting out
exactly what a parent/guardian or student is consenting to by submitting the form. This wil  be
relevant if school collection and handling of personal and health information is included on the
Consent form and the school has multiple ways in which they intend to use and disclose
student mental health outcomes.
Current and specific
7.11  Consent wil  generally be current and specific if it is col ected at the time (or just before) the
information is collected and is no broader than is necessary for performing the MMC
services8. The level of specificity required wil  depend on the circumstances, including the
sensitivity of the personal information.

7 APP Guidelines, paragraph B.46.
8 APP Guidelines, paragraph B.53.
10268\10268\95818240\1
6 August 2024
Page 26 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
26

7.12  We are instructed that schools wil  be required to col ect consent from students (or
parents/guardians) prior to collecting student information and creating their profile in the MMC
portal. The Consent form advises students and parent/guardians that the consent is valid for
the initial period only which is up to 30 June 2025.
7.13  We note that the consent relates to Macquarie University hosting and managing the MMC on
behalf of the Commonwealth and as such, the consent is relevant to those circumstances only
after which, a further consent wil  be required to be obtained for the collection, use and/or
disclosure of personal and health information for the purposes of the MMC tool.
Capacity to consent
7.14  In relation to capacity to consent, the information collected by Macquarie University wil  be
predominantly in relation to individuals under the age of 18 years. Neither the PPIP Act nor
the HRIP Act specify an age after which individuals can make their own privacy decisions.
NSW privacy guidance on consent states that an individual wil  have the capacity to consent if
they are able to understand the general nature and effect of a particular proposed use or
disclosure of their personal information and can communicate their consent9.
7.15  Section 7 of the HRIP Act provides that a person wil  be considered to have capacity if they
are able to understand the general nature and effect of the act and can communicate their
intentions with respect to the act. If the individual is not capable of doing these things, an
authorised representative of an individual may do it on their behalf.
7.16  OAIC guidance provides that individuals under the age of 18 years wil  have sufficient consent
if they have sufficient understanding and maturity to understand what is being proposed
however10,
If it is not practicable or reasonable for an APP entity to assess the capacity of
individuals under the age of 18 on a case-by-case basis, the entity may presume that
an individual aged 15 or over has capacity to consent, unless there is something to
suggest otherwise.
7.17  OAIC guidance also suggests that an individual who lacks the capacity to consent should
nevertheless be involved, as far as practicable, in any decision-making process11.
7.18  As the responsibility for obtaining and managing consent for the purposes of using the MMC
sits with the school, we are instructed that it wil  be the responsibility of the school to also
assess capacity to consent from al  individuals it collects consent from.
7.19  In this regard, we note that the Software Licence requires schools to collect consent in
accordance with the Privacy Act and also that the Consent form outlines the school’s
responsibility in this regard in the ‘Notes to school section’ of the Consent form. We consider it
would also assist with the collection of valid consent, to include some guidance for parents in
the Consent form about involving children in the decision-making process by explaining to
them what the MMC is, how it works, its purpose and the outcomes it wil  generate, prior to
providing consent.

9 https://www.ipc.nsw.gov.au/checklist-consent.
10 https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-b-key-
concepts#consent.
11 APP Guidelines, paragraph B.58.
10268\10268\95818240\1
6 August 2024
Page 27 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
27

(b)
have a clearly expressed and up‑to‑date policy (the APP privacy policy) about the
management of personal information by the entity (APPs 1.3 and 1.4); and
(c)
take reasonable steps to make its privacy policy available free of charge
(APPs 1.5 and 1.6).
Practices, procedures, and systems to ensure APP, IPP and HPP compliance
Privacy Management Plan
7.23  Macquarie University has in place a Privacy Management Plan which is published on its
website. The Privacy Management Plan was developed in accordance with section 33 of the
PPIP Act and explains the practices and procedures the University has put in place to ensure
its handling of personal information and its handling of health information is consistent with its
obligations under the IPPs and HPPs. In relation to research activities the Privacy
Management Plan states that:
(a)
human-based research projects require prior approval by the University’s Human
Ethics Research Committee (HREC), and as part of this process, consent is normally
obtained in respect of the collection, use and disclosure of personal or health
information for research purposes;
(b)
that the University has put in place policies and procedures to ensure that relevant
governance structures are in place for securing the personal and health information
the University col ects, including:
(i)
University Privacy Policy;
(ii)
Information Security Policy;
(iii)
Information Security Procedure;
(iv)
Data Classification Procedure and Standards;
(v)
Records and Information Management Policy;
(vi)
Records and Information Access and Security Procedure;
(vii)
Records and Information Retention and Disposal Procedure;
(viii)
Right to Information at Macquarie;
(ix)
CCTV Policy; and
(x)
Workplace Surveil ance Policy; and
(c)
the Information classification label ing and handling practices that must be applied to
all data that is stored, processed, or transmitted on University IT resources with
minimum standards that should be applied to Confidential, Control ed and Published
data categories to ensure it receives the appropriate level of protection and comply
with the relevant laws and regulations.
Ongoing Privacy Review
7.24  We are instructed that the MMC has been released for staff in government education
departments or peak body representatives however, we have not been instructed of any
outcomes for the trial or whether any issues have been identified with the functioning of the
MMC solution.
10268\10268\95818240\1
6 August 2024
Page 30 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
30

7.25  We are also instructed that Macquarie University is, at this stage, only to host and manage
the MMC website and portal until 30 June 2025 after which it is unclear what wil  occur with
the data and the MMC tool.
7.26  Should any material changes to the information flows set out in Schedule 1 result from:
(a)
the trial of the MMC; or
(b)
the expiry of the contract with Macquarie University and prior to any other entity
hosting or managing the MMC tool,
we recommend Macquarie University complete a privacy threshold assessment (PTA) and if
required, further assessment of privacy and compliance risks (which could be in the form of a
Supplementary PIA) (Recommendation 4).
7.27  Once the MMC solution goes live nationally, to ensure privacy compliance issues are
managed in an ongoing and proactive way, we recommend Macquarie University periodically
review the end-to-end MMC solution and information flows to ensure the new functions,
capabilities and processes implemented are operating as intended and continue to comply
with Macquarie University’s obligations under applicable privacy laws (Recommendation 5).
Agreement between the Department and Macquarie University
7.28  An agency cannot contract out of or devolve its APP obligations by handing over certain
services to a contracted service provider. Further, in accordance with section 95B of the
Privacy Act, the Department is required to take contractual measures to ensure its contracted
service providers, and any subcontractors, comply with the APPs as if they were the
Department.
7.29  For the purposes of this PIA, we have reviewed:
(a)
the Long Form Services Contract in Relation to the Provisions of a Voluntary Mental
Health Check Tool between the Commonwealth of Australia as represented by the
Department of Education and Macquarie University, executed on 13 June 2023 (the
Contract);
(b)
the Deed of Variation in Relation to the Provision of a Voluntary Mental Health Check
Tool between the Commonwealth of Australia as represented by the Department of
Education and Macquarie University, executed on 15 March 2024 (Variation 1); and
(c)
draft Proposed Changes under Schedule 1 of the Contract, received by us on
28 May 2024 (Variation 2).
7.30  Privacy obligations are contained in clause 21 of the Contract and oblige Macquarie
University to:
(a)
only use or disclose personal information obtained for the purposes of providing the
contracted services, for that purpose;
(b)
safeguard personal information against loss, unauthorised access, use, modification,
or disclosure;
(c)
not to do an act or engage in a practice that would breach an APP if done or engaged
in by an agency;
(d)
carry out and discharge the obligations contained in the APPs as if it were an agency
under the Privacy Act;
10268\10268\95818240\1
6 August 2024
Page 31 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
31

(e)
immediately notify the Department if it becomes aware of:
(i)
a breach or possible breach of clause 21 of the Contract;
(ii)
an eligible data breach in relation to personal information received, created,
or held for the purposes of the Contract;
(iii)
a disclosure that is required by law; or
(iv)
an approach from the Australian Information Commissioner or an individual
claiming their privacy has been interfered with;
(f)
comply with any guidelines, directions, rules, or determinations of the Australian
Information Commissioner;
(g)
ensure that any of Macquarie University’s personnel required to deal with personal
information for the purposes of performing the contracted services are made aware of
and undertake in writing to observe, the APPs and the University’s obligations under
clause 21 of the Contract; and
(h)
ensure any subcontract entered into for the purposes of the Contract contains
provisions to ensure that the subcontractor has the same awareness and obligations
as Macquarie University under clause 21.
7.31  Clause 10 of the Contract relates to Security and obliges Macquarie University to comply with
the security requirements in the Protective Security Policy Framework (to the extent
applicable to the contracted services).
7.32  Clause 22.5 in the Contract relates to audit and access rights and obliges Macquarie
University to:
(a)
provide the Department with access to its or its subcontractor’s premises, personnel,
computer systems, documents, and other records, for any purposes associated with
the Contract or any review of the University’s performance under the Contract; and
(b)
permit the Department to inspect and take copies of any records or other material.
7.33  Item 17 of Schedule 1 of the Contract relates to Privacy Requirements, Directions, Guidelines,
Determinations and Recommendations and currently obliges Macquarie University to, if
requested by the Department, at the end of the Contract, return al  Contract Material
containing personal information to the Project Officer, or de-identify or destroy that Material in
the presence of a person authorised by the Project Officer or as otherwise instructed by the
Project Officer (item 17(b)).
s 47C
7.34
7.35  Item 21 of Schedule 1 of the Contract obliges Macquarie University to comply with all relevant
legislation and policies that may apply to the delivery of the contracted services, including the
Privacy Act.
7.36  The privacy and data security clauses in the Contract are robust and ensure compliance with
the Department’s obligations under section 95B of the Privacy Act. In relation to the
management of data at the expiry of the contract, we refer to Recommendation 15, below.
10268\10268\95818240\1
6 August 2024
Page 32 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
32

Agreement between Macquarie University and its subcontractors
7.37  We have not had the benefit of reviewing any subcontracts Macquarie University has entered
into for the purposes of providing the contracted services however, we are instructed by
Macquarie University that al  contracts they have entered into with subcontractors have
passed on Macquarie University’s obligations under clause 21 of the Contract with the
Department, to each of its subcontractors.
Privacy Policy
7.38  Under APP 1, a clearly expressed and up-to-date policy privacy policy is required to contain
all of the matters set out under APP 1.4 which are:
(a)
the kinds of personal information that the entity collects and holds;
(b)
how the entity collects and holds personal information;
(c)
the purposes for which the entity collects, holds, uses, and discloses personal
information;
(d)
how an individual may access personal information about the individual that is held by
the entity and seek the correction of such information;
(e)
how an individual may complain about a breach of the Australian Privacy Principles,
or a registered APP code (if any) that binds the entity, and how the entity wil  deal with
such a complaint;
(f)
whether the entity is likely to disclose personal information to overseas recipients; and
(g)
if the entity is likely to disclose personal information to overseas recipients—the
countries in which such recipients are likely to be located if it is practicable to specify
those countries in the policy.
7.39  Macquarie University has a privacy policy published on its website, which explains how it
handles personal information. Relevant to the collection, use and disclosure of personal
information for the purposes of the MMC, Macquarie University’s privacy policy sets out the
following:
(a)
that the University aligns its practices and activities with the IPPs, and HPPs as
outlined in the University’s Privacy Management Plan and provides a link to the
Privacy Management Plan;
(b)
whilst the University is not bound to comply with the Privacy Act, it strives to apply the
APPs to its own practices to achieve consistency in protecting the privacy of
individuals across University entities;
(c)
that the University may collect and use personal and health Information only for lawful
purposes that are directly related to a function or activity of the University, and where
the information is reasonably necessary for that purpose; for a directly related
purpose that the individual would expect; or for a purpose for which the individual has
given consent, unless an exemption applies;
(d)
the purposes under which the University wil  disclose personal and health information
which include where disclosure is authorised under section 18 of the PPIP Act and/or
section 11 of the HRIP Act;
10268\10268\95818240\1
6 August 2024
Page 33 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
33

(e)
that the University wil  only retain personal information for as long as necessary for
the purpose for which it may lawful y be used, subject to the requirements of any
other law;
(f)
where individuals may find instructions on how to seek access to or correction of their
personal information held by the University and how individuals may make a
complaint if they feel their privacy has been interfered with by the University.
Privacy Management Plan
7.40  Macquarie University’s Privacy Management Plan is also published on its website and
generally available to the public. The Privacy Management Plan states that it is prepared in
accordance with section 33 of the PPIP Act. The Privacy Management Plan sets out the
following information:
(a)
the purposes for which Macquarie University collects and holds personal information
including for research and for business dealings that support the functions of the
University;
(b)
the types of personal information it col ects and holds in relation to individuals external
to the University including personal identifiers such as name and contact information;
(c)
that the University col ects and manages health information as a provider of certain
health services, mostly in the context of the University as a provider of education and
training of health care professionals or in the context of its campus clinics;
(d)
that health information is to be stored in health record systems;
(e)
how Macquarie University complies with its obligations under the PPIP Act and HRIP
Act;
(f)
contact details for and information about how individuals can make a complaint if they
consider their privacy has been interfered with and the process used by the University
to address such complaints;
(g)
a list of key policies and procedures related to the University’s information handling
practices; and
(h)
other public awareness activities the University undertakes to promote its compliance
with its privacy obligations as wel  as contact details for the University’s privacy
officer.
7.41  On the basis that Macquarie University is currently only contracted to host and maintain the
MMC for the one year from its launch12, we consider Macquarie University’s privacy policy
and privacy management plan together, contain sufficient information for the University to
comply with its obligations under section 33 of the PPIP Act and APPs 1.3 and 1.4.
7.42  Should the situation change and Macquarie University is required to host and maintain the
MMC on an ongoing basis, we recommend its privacy management plan is updated to include
information about the MMC including the fact that the University hosts and maintains it and
collects, uses and discloses personal and health information for the purposes of providing the
MMC services, the types of information it col ects, where it is stored and how it is used for the
purposes of providing the MMC services (Recommendation 6).

12 Item 2.1.1(z) of Schedule 1 of the Contract
10268\10268\95818240\1
6 August 2024
Page 34 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
34

7.45  The purpose of the MCC is to undertake a mental health and wel being assessment for
students and, at an identifiable level, enable schools to identify who is not coping or who is
struggling and provide appropriate supports to ensure the student is assisted through the
difficulties. On the basis that the intention of the tool is to work with identifiable individuals, it is
our view that it would be impracticable to deal with students who are anonymous or who are
using a pseudonym.
Collection of solicited personal and health information.
PPIP Act
7.46  Under the PPIP Act, a public sector agency must:
(a)
only col ect personal information for a lawful purpose, which is directly related to the
agency’s function or activities and necessary for that purpose (section 8);
(b)
only col ect personal information directly from the person concerned, unless they have
authorised col ection from someone else, or if the person is under the age of 16 and
the information has been provided by a parent or guardian (section 9); and
(c)
ensure that the personal information is relevant, accurate, complete, up-to-date, and
not excessive and that the collection does not unreasonably intrude into the personal
affairs of the individual (section 11).
HRIP Act
7.47  Under the HRIP Act, an organisation:
(a)
can only collect health information for a lawful purpose that is directly related to the
organisation’s activities and necessary for that purpose. An organisation should not
collect health information by any unlawful means;
(b)
must ensure that health information it col ects is relevant, accurate, complete, up to
date and not excessive. The collection should not unreasonably intrude into your
personal affairs; and
(c)
must collect health information directly from the individual unless it is unreasonable or
impracticable to do so.
Privacy Act
7.48  APP 3.1 requires APP entities to not collect personal information unless the information is
reasonably necessary for, or directly related to, on or more of the entity’s functions or
activities.
7.49  APP 3.5 requires APP entities to only collect personal information by lawful and fair means.
7.50  APP 3.6 requires APP entities to only collect personal information directly from the individual
to which the information relates, unless:
(a)
the individual consents to the collection of the information from someone other than
the individual; or
(b)
the entity is required or authorised by or under an Australian law, or a court/tribunal
order, to collect the information from someone other than the individual; or
(c)
it is unreasonable or impracticable to do so.
10268\10268\95818240\1
6 August 2024
Page 36 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
36

7.51  Macquarie University wil  collect personal information as follows:
(a)
when individuals submit an enquiry or feedback via the website or email;
(b)
when a school representative enquires about implementing the MMC;
(c)
when individuals subscribe to the MMC newsletter and updates;
(d)
when a school executes a licence agreement with Macquarie University;
(e)
when a school principal or administrator establishes staff accounts;
(f)
when a staff member logs into the MMC staff portal by submitting their staff email
addresses to generate an access code;
(g)
when a school uploads student details into the MMC tool;
(h)
when a staff member sets up a session in the MMC staff portal and attaches a group
to the session;
(i)
when the system generates session codes for each individual in a group prior to a
session, at the request of a session supervisor;
(j)
when students answer the questions in an MMC module;
(k)
when students complete the feedback module in the MMC assessment; and
(l)
when staff are asked to provide their feedback.
7.52  The Department wil  col ect personal information when it col ects Contract Material from
Macquarie University at the cessation of the expiry of the Contract.
Enquiries and comments
7.53  Macquarie University wil  collect personal information when an individual submits and enquiry
or feedback via the MMC website. This might include:
(a)
general enquiries from the public seeking information about MMC and its application;
(b)
enquiries from parents who are seeking further information about the col ection and
handling of personal and health information about their child who is a student at a
school that is considering implementing or has implemented MMC in their school; or
(c)
from a staff member making enquiries on behalf of their school.
7.54  It might also include comments about the MMC itself, about its application or about the use of
a tool such as the MMC in schools.
7.55  The mandatory information collected by Macquarie University is limited to ful  name of the
enquirer, email address and state in which the enquirer is located. The enquirer may provide
further information if they choose to do so in a free text field as wel  as information about their
school.
7.56  Macquarie University are collecting personal information to respond to enquiries about the
MMC which the University is responsible for hosting and administering for a year. As part of
the contracted services Macquarie University must provide, they are required to promote the
MMC tool and increase awareness regarding its usage and impact.
10268\10268\95818240\1
6 August 2024
Page 37 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
37

7.57  We are instructed that state and territory jurisdictions and non-government school sector peak
bodies determine the approach to making MMC available to their schools. As such,
information about the location of a school an enquiry relates to is important to ensuring an
appropriate and tailored response to an enquiry is able to be provided by the University.
7.58  On that basis, we consider the col ection of the mandatory and optional data elements
identified to respond to enquiries and receive feedback on the MMC tool, can be
characterised as a col ection that is:
(a)
for a lawful purpose which is directly related to Macquarie University’s functions and
activities and necessary for the purposes of providing the contracted services;
(b)
directly from the individual making the enquiry;
(c)
is not excessive or unreasonably intrusive in the circumstances.
7.59  Based on the above, we consider that the col ection of the mandatory and optional information
requested in the enquiry form is consistent with Macquarie University’s obligations under
sections 8, 9 and 11 of PPIP Act and APP 3.
Subscriptions
7.60  Individuals wil  be able to subscribe to receive newsletters and updates on the MMC tool by
providing a first name, last name, and email address into the relevant fields on the website
and hitting the ‘Subscribe’ button. Undertaking awareness raising, promotion and
communications activities for the MMC tool form part of the contracted services as set out in
Schedule 1 of the Contract (refer to Items 2.1.1(w) and (x) of Schedule 1 of the Contract).
7.61  On that basis, we consider the col ection of the personal information in a subscription request,
can be characterised as a collection that is:
(a)
for a lawful purpose which is directly related to Macquarie University’s functions and
activities and necessary for the purposes of providing the contracted services;
(b)
collected directly from the individual subscribing; and
(c)
in our view, not excessive or unreasonably intrusive in the circumstances.
7.62  Based on the above, we consider that the col ection of name and email address is consistent
with Macquarie University’s obligations under sections 8, 9 and 11 of PPIP Act and APP 3.
Entering into a licence agreement
7.63  When Macquarie University enters into a licence agreement with schools that choose to
implement the MMC tool in their school, Macquarie University wil  collect:
(a)
the name, title, phone number and email address for a school contact; and
(b)
the name, email address and role within the school for the school principal and a
person who is nominated to hold the role of school administrator in the MMC tool for
the school.
7.64  We are instructed that Macquarie University collects personal information for a school contact,
and individuals to hold the role of school principal and school administrator in the MMC tool in
order to facilitate access to the MMC tool for a school and manage the contract.
10268\10268\95818240\1
6 August 2024
Page 38 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
38

7.65  Under the Contract between the Department and Macquarie University, Macquarie University
is required to, (among other things):
(a)
ensure that the MMC tool is available nationally and freely available to schools;
(b)
ensure that the MMC tool includes a school based, voluntary mental health screening
portal;
(c)
ensure the MMC tool can be accessed by schools and students online via a
standalone and secure website; and
(d)
ensure that schools are aware of their responsibilities.
7.66  When entering into a Software Licence with Macquarie University, each school is required to
agree to the Terms and Conditions contained in the Deed. The terms of the Deed include that:
(a)
the School must comply with applicable Privacy Laws13 in relation to the handling of
personal information for the purposes of the Deed; and
(b)
the school must obtain the prior consent for all Personnel14 in accordance with
applicable privacy laws, to the collection and handling of personal information of its
Personnel by the University in accordance with the Privacy Collection Notice.
7.67  Having regard to the services Macquarie University is contracted to provide and the terms of
the Software Licence schools wil  be required to agree to before gaining access to the MMC
tool, we consider the collection of personal information for a school contact, and two
individuals who wil  hold the role of school principal and school administrator within the tool, is
a collection of personal information that can be characterised as:
(a)
being for a lawful purpose which is directly related to Macquarie University’s functions
and activities and necessary for the purposes of providing the contracted services;
(b)
not excessive or unreasonably intrusive in the circumstances; and
(c)
collected either directly from the individual or from the school only with the consent of
the staff member/Personnel.
7.68  On that basis, we consider the collection of the relevant personal information will be
authorised under sections 8, 9 and 11 of the PPIP Act and APP 3.
Establishing staff accounts
7.69  Once a school account is established in the MMC, the member of staff in the relevant school
with the role of school principal or school administrator wil  create MMC staff accounts for
other staff members who require access to the MMC tool. In establishing the staff accounts,
either the school principal or the individual with school administrator access, wil  enter the full
name, work email address and the role they are to be assigned in the tool for al  school staff
who are permitted access to the MMC tool.
7.70  Macquarie University wil  collect the identified staff personal information in order to facilitate
the creation and maintenance of a staff profile within the MMC tool which enables the staff
members access to the tool in accordance with their role (as set by the school).

13 Defined as meaning the PPIP Act, HRIP Act and any other applicable legislation with similar objectives.
14 Defined under the Deed as including officers, employees, agents, contractors, and subcontractors of the school).
10268\10268\95818240\1
6 August 2024
Page 39 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
39

7.71  As discussed in paragraph 7.62 above, prior to gaining access to the MMC tool, a school
must enter into a binding Deed with Macquarie University (Software Licence) which contains
terms and conditions which attach to the schools use of the MMC tool. One of the terms15 of
the Software Licence requires the school to obtain the prior consent of school Personnel16 in
accordance with applicable Privacy Laws17 to the col ection and handling of personal
information about its Personnel by the University in accordance with the Privacy Collection
Notice.
7.72  Having regard to:
(a)
the contracted services which Macquarie University is required to deliver under the
Contract, namely, to provide an easy to use and navigate MMC tool for staff and
students (item 2.1.1(n) of Schedule 1 in the Contract); and
(b)
the terms of the binding Software Licence the schools are required to enter into prior
to gaining access to the MMC tool,
we consider the collection of staff member full name, work email address, and the role they
are to be assigned in the tool, can be characterised as a collection that is:
(c)
for a lawful purpose which is directly related to Macquarie University’s functions and
activities and necessary for the purposes of providing the contracted services;
(d)
the minimum amount of information required to perform the services and as such, not
excessive or unreasonably intrusive in the circumstances; and
(e)
collected directly from the individual or from the school only with the consent of the
staff member/Personnel.
7.73  Based on our findings above, it is our view that the col ection of staff name, work email
address and role within the MMC tool is consistent with sections 8, 9 and 11 of the PPIP Act
and APP 3.
Generating access codes for staff MMC access
7.74  Macquarie University wil  collect an access code by creation when the MMC system
generates an access code for a staff member who is logging into their MMC staff account.
The purpose of generating the access code is to apply a two-factor authentication method for
staff access into the MMC staff portal. The purpose of the two-factor authentication method is
to ensure rigour around access controls into a schools MMC portal so that only those staff
members authorised to access student data are able to gain access to it.
7.75  On that basis, we consider the col ection of an access code for staff members is:
(a)
for a lawful purpose which is directly related to Macquarie University’s functions and
activities and necessary for the purposes of providing the contracted services; and
(b)
is not excessive or unreasonably intrusive in the circumstances.

15 Paragraph 10 in the draft Software Licence (My Mind Check), draft date 23.04.2024.
16 Defined as including employees, officers, agents, contractors, and subcontractors of the school.
17 Defined as meaning the PPIP Act, HRIP Act and any other applicable legislation with similar objectives.
10268\10268\95818240\1
6 August 2024
Page 40 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
40

7.76  Whilst the collection of the access code is not directly from the staff member, it is generated
by the MMC tool as the staff member signs in and requests access. Provided that school staff
members are given clear information about what information wil  be col ected about them and
how it is to be collected (discussed in further detail below), including for the creation of two
factor authentication access codes, we consider the collection wil  be with the implied consent
of the staff member.
7.77  On that basis, we consider the col ection of staff access codes via generation is:
(a)
for a lawful purpose which is directly related to Macquarie University’s functions and
activities and necessary for the purposes of providing the contracted services;
(b)
not excessive or unreasonably intrusive in the circumstances; and
(c)
collected from the school only with the consent of the staff member/Personnel.
7.78  Based on our comments above, we consider the collection is authorised under sections 8,9
and 11 of the PPIP Act and APP 3.
Uploading of student details into the MMC tool
7.79  In order to create a student profile in the MMC tool, schools wil  upload s 47G(1)(a)

students who have or whose caregiver (on the
student’s behalf) has provided consent on the student’s behalf. The information uploaded is
student ID, name, and year level. The purpose of creating a student profile in the MMC tool is
to enable the student’s access to the MMC and to collect and process the results of a point in
time assessment for the student and display those results against the correct student, to the
school.
7.80  The student profile is an integral part the MMC tool. The collection of personal information
about students is not directly from the student but from the school after receiving the consent
of the student or their parent or guardian (on behalf of the student).
7.81  The Software Licence entered into between the school and Macquarie University prior to the
school gaining access to MMC includes, as a term of the binding Deed, that18:
The school must not upload student information into the My Mind Check Portal or
permit any student access or use of the My Mind Check Tool (including with the
support of relevant Personnel) unless the school has obtained the prior consent of the
student (or their parent or guardian, as applicable), in accordance with the
requirements of the applicable Privacy Laws (which for the avoidance of doubt,
includes the Privacy Act 1988 (Cth) (including the Australian Privacy Principles)
whether or not the School is subject to that Act) and other rules, regulations and
obligations relating to ethics or child safety, to the collection and handling of the
student’s Personal Information by the University in accordance with the Privacy
Collection Notice.
The school is solely responsible for the access and use of My Mind Check by the
School’s Personnel and students….

18 Paragraphs 13 and 14 in the Software Licence (My Mind Check), Draft dated 23.04.2024
10268\10268\95818240\1
6 August 2024
Page 41 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
41

7.82  Whilst we understand the intent of the Software Licence term transcribed above, we consider
the wording could be simplified somewhat as fol ows:
The School must not upload student information into the My Mind Check Portal or permit any
student access or use of the My Mind Check Tool (including with the support of relevant
Personnel) unless the school has obtained the prior consent of the student (or their parent or
guardian, as applicable), to the col ection and handling of the student’s Personal Information by
the University in accordance with the Privacy Col ection Notice.
Schools are required to use the Information and Consent Forms supplied to it by Macquarie
University in order to collect consent from students or their parent or guardian as applicable.
The School wil  be responsible for ensuring its col ection of student information complies with
any other rules, regulations and obligations which may apply to the School’s collection and
handling of student information for such purposes.
7.83  Having regard to:
(a)
the contracted services Macquarie University is required to provide under the
Contract (as set out in Schedule 1 of the Contract); and
(b)
the terms of the binding Deed that al  schools are required to enter into with
Macquarie University in order to access and use the MMC tool, and
provided a valid consent is collected by the school (refer to Recommendations 1, 2 and 3),
we consider the collection of student personal information in order to create a student profile in
the MMC Portal, in the circumstances described, may be characterised as a col ection that is:
(c)
for a lawful purpose which is directly related to Macquarie University’s functions and
activities and necessary for the purposes of providing the contracted services;
(d)
not excessive or unreasonably intrusive in the circumstances; and
(e)
in relation to student’s under the age of 16 years, is provided by a parent or guardian
when they complete the consent form and provide the students details or, for students
over the age of 16 years, is provided directly by the student when they complete the
consent form (noting that the school wil  only enter the details from the form into the
MMC).
7.84  On that basis, we consider the col ection of student information from schools in the
circumstances outlined, wil  be authorised under sections 8, 9 and 11 of the PPIP Act and
APP 3.
Setting up sessions and generating session codes
7.85  Macquarie University wil  collect personal information when an authorised staff member sets
up a session within the MMC and attaches the students to a session, and when the member
of staff requests session codes to be generated for a session.
7.86  The information col ected wil  include what students wil  attend the session and the session
code that wil  be attached to the student for that session. This information is used by the
University to facilitate the MMC session for those students identified in the session.
10268\10268\95818240\1
6 August 2024
Page 42 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
42

7.87  On that basis, we consider the col ection of session details for students is a collection that can
be characterised as a col ection that is:
(a)
for a lawful purpose which is directly related to Macquarie University’s functions and
activities and necessary for the purposes of providing the contracted services;
(b)
not excessive or unreasonably intrusive in the circumstances; and
(c)
wil  be collected from the school or generated by the MMC tool to which the student
(or their parent or guardian on their behalf) has consented to when providing their
consent to participate.
7.88  Based on the above, we consider the col ection of session details and session codes wil  be
consistent with sections 8, 9 and 11 of the PPIP Act and APP 3.
Student mental health and wel being assessment information
7.89  Macquarie University wil  collect personal and health information when students complete the
mental health and wel being assessment via the MMC portal. The health information that wil
be collected relates to student mental health and covers topics such as family connections,
peer acceptance, school belonging, anxiety, attention / activity, mood, peer victimisation, body
image / eating difficulties, sleep, cultural connections, life satisfaction, life engagement,
internalising and externalising.
7.90  There are no free text sections within the mental health and wel being assessment
undertaken by students, only multiple choice and the student wil  select the most appropriate
answer for them.
7.91  Not al  questions wil  be asked to all students. The questions students wil  respond to wil  be
those considered appropriate for their age. The services Macquarie University has been
contracted to provide include19:
(a)
develop and deliver a voluntary mental health assessment tool to enable schools to
undertake a point in time assessment of their student’s mental health and wel being;
(b)
ensure the voluntary mental health assessment tool wil  enhance each school’s
awareness of the current state of wel being amongst their students; and
(c)
ensure the voluntary mental health assessment tool wil  support schools to identify
trends in how the wel being of their student’s changes over time.
7.92  Having regard to:
(a)
the types of information col ected by Macquarie University;
(b)
the voluntary nature of the MMC tool and the fact that no questions are mandatory to
respond to in the MMC tool, and students can stop or withdraw their consent at any
time;
(c)
the contracted services Macquarie University is required to provide under the
Contract (as set out in Schedule 1 of the Contract), and
provided Macquarie University collect a valid consent from al  students or their parent or
guardian on their behalf (refer to Recommendations 1, 2 and 3), we consider the collection
of personal and health information by Macquarie University when students complete a mental

19 Schedule 1 of the Contract.
10268\10268\95818240\1
6 August 2024
Page 43 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
43

health and wellbeing assessment via the MMC portal, can be characterised as a collection
that is:
(d)
for a lawful purpose that is directly related to the Macquarie University’s activities and
necessary for that purpose;
(e)
not col ected by any unlawful or unfair means;
(f)
relevant, accurate, complete, up to date and not excessive;
(g)
is not unreasonably intrusive into student’s personal affairs; and
(h)
is collected directly from students after the student (or their parent or guardian) has
provided consent to participate.
7.93  On that basis, we consider the col ection of personal and health information in the
circumstances discussed, is authorised in accordance with Section 8, 9 and 11 of the PPIP
Act, HPPs 1, 2 and 3 and APP 3.
Generating outcome indicators for students based on student responses
7.94  As students complete the MMC modules their responses to the questions wil  be ingested by
the MMC tool and an outcome indicator wil  be generated by the tool based on the student’s
answer. The outcome indicators that wil  be generated are ‘vulnerable’, ‘struggling’, and
‘coping’. These indicators are generated to enable schools to gain a point in time view of their
student’s mental health and wellbeing.
7.95  Provided:
(a)
the outcome indicators generated are accurate (refer to Recommendation 14 below);
and
(b)
a valid consent to participate in mental health and wellbeing assessments has been
obtained from al  students participating, or their parent or guardian on their behalf
(refer to Recommendations 1, 2 and 3), and
having regard to the contracted services which Macquarie University are required to provide,
we consider the collection of outcome indicators can be characterised as a collection that is:
(c)
for a lawful purpose that is directly related to Macquarie University’s activities and
necessary for that purpose;
(d)
not col ected by any unlawful or unfair means;
(e)
not excessive or unreasonably intrusive into student’s personal affairs; and
(f)
is collected directly from student.
7.96  We consider the col ection of student mental health and wel being information in the
circumstances set out above wil  be consistent with sections 8, 9 and 11 of the PPIP Act,
HPPs 1, 2 and 3 and APP 3. In relation to the accuracy of the outcome indicators, we refer to
the discussion in paragraphs 7.179 to 7.183 below.
Feedback from students
7.97  Students have the option of responding to feedback questions which is the last module of the
mental health and wel being assessment. The questions are designed to inform Macquarie
University and the school about the level of comfort students feel by undertaking the mental
health and wellbeing assessment and with the questions being asked.
10268\10268\95818240\1
6 August 2024
Page 44 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
44

7.98  The responses to these questions wil  assist guide the Commonwealth’s approach to making
such tools available to schools and any adjustments Macquarie University may need to make
to the tool.
7.99  The questions are voluntary, and students have the option of answering as many or as few of
the questions as they like. Where Macquarie University do not require the feedback from
identifiable individuals, we recommend it col ect the feedback on an anonymous basis
(Recommendation 7).
7.100  Where Macquarie University require feedback in an identifiable form, having regard to the
contracted services that Macquarie University have been contracted to provide, we consider
the col ection of personal information when students complete the feedback module in the
mental health and wel being assessment, can be characterised as a col ection that is:
(a)
for a lawful purpose which is directly related to Macquarie University’s functions and
activities and necessary for the purposes of providing the contracted services;
(b)
not excessive or unreasonably intrusive in the circumstances; and
(c)
wil  be collected directly from the student.
7.101  Based on the above, we consider the col ection is authorised in accordance with sections 8, 9
and 11 of the PPIP Act, and APP 3.
Feedback from staff
7.102  We are instructed that school staff may be asked to provide their feedback on the MMC tool
and the processes for conducting mental health and wellbeing assessments and these may
occur via a survey or request for feedback questionnaire or email. We have not reviewed any
documentation in relation to such staff requests for feedback however, we are instructed that,
similar to the student feedback questions, the questions wil  be around the methods used and
the outcomes and results gained from the use and implementation of the MMC tool in the
school.
7.103  We have not received instructions about whether the request for feedback from school staff
wil  be on an identifiable basis or whether Macquarie University wil  require anonymous
feedback only. We are instructed that feedback wil  be voluntary.
7.104  Where Macquarie University do not require the feedback from identifiable individuals, we
recommend it col ect the feedback on an anonymous basis (Recommendation 7).
7.105  Where the feedback is needed from identifiable individuals, having regard to the contracted
services that Macquarie University have been contracted to provide, we consider the
collection of feedback from staff who voluntarily provide it, can be characterised as a
collection that is:
(a)
for a lawful purpose which is directly related to Macquarie University’s functions and
activities and necessary for the purposes of providing the contracted services;
(b)
not excessive or unreasonably intrusive in the circumstances; and
(c)
wil  be collected directly from the member of staff.
7.106  Based on the above, we consider the col ection is authorised in accordance with sections 8, 9
and 11 of the PPIP Act, and APP 3.
10268\10268\95818240\1
6 August 2024
Page 45 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
45

Col ection of MMC information by the Department
7.107  We are instructed that at the expiry of Macquarie University’s contract on 30 June 2025, the
Department would like the option of collecting all of the data obtained by Macquarie University
in performing the contracted services in the event that either:
(a)
the Department takes on the management and administration of the MMC itself; or
(b)
the Department selects another provider (i.e. other than Macquarie University) to
administer and manage the MMC.
7.108  We are further instructed that Macquarie University is currently considering whether the
records it is col ecting when performing the contracted services constitute a ‘Commonwealth
record’ for the purposes of the Archives Act 1983 (Cth) (Archives Act). If they are, the
Department would like al  of the records obtained by Macquarie University during the course
of the Contract to be transferred to it at the expiry of the Contract so that those records can be
archived in accordance with the Archives Act.
Department administering and managing the MMC
7.109  The collection and storage of large amounts of sensitive health information about students by
the Department, in circumstances where that information:
(a)
is not required for the Department’s functions and activities (i.e. if it is not managing
and administering the MMC tool); and
(b)
where the purpose of col ection is to provide a point in time snapshot of the mental
health of the student at that point in time and that information is not intended to inform
ongoing or long-term analysis,
raises potential privacy compliance risks under the HRIP Act and the Privacy Act for the
Department.
7.110  In relation to the Department taking on the role of administering and managing the MMC, it is
not clear to us that student health information would be required to be transferred to the
Department for such purposes on the basis that it is collected to provide a point-in-time
snapshot of the student’s mental health and wellbeing only, and on that basis, it would appear
that it is not intended to be maintained long term. Because it is collected to provide a
snapshot, point-in-time assessment to schools, there does not appear to be any purpose for
which the Department would be required to collect student mental health assessment
information or MMC outcomes in order to manage the MMC.
7.111  We note that the scope of the current Consent form (refer to paragraph 7.13, above) is only
limited to seeking consent for Macquarie University’s collection of personal and health
information about a student and as such, does not extend to the Department’s collection of
student information.
7.112  As the col ection of student mental health and wel being assessment responses and outcome
information that was collected by Macquarie University does not appear to be necessary to
enable the Department to manage and administer the MMC after the expiry of Macquarie
University’s contract, we do not consider the col ection of that information by the Department
would be:
(a)
for a lawful purpose which is directly related to the Department’s functions and
activities and necessary for providing MMC services;
10268\10268\95818240\1
6 August 2024
Page 46 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
46

(b)
it would appear to be excessive and unreasonably intrusive; and
(c)
wil  not be collected directly from the individual, and unless a fresh consent is
collected, not with the consent of the individual to whom that information relates (or
their parent or guardian as the case requires).
7.113  Based on our comments above, we do not consider the Departments collection of student
mental health and wel being assessment responses and outcome information from Macquarie
University in order to manage and administer the MMC, would be authorised under HPPs 1, 2
and 3 or APP 3. As such, we recommend the Department not col ect student mental health
and wellbeing assessment responses and outcome information from Macquarie University
(Recommendation 8).
7.114  We understand that profile information about school staff and students is necessary in order
to provide staff and students access to the MMC. As noted above, the scope of the current
consent col ected from students or their parent or guardian, does not include col ection of
student personal information by the Department. Whilst we have not viewed the consent that
is sought from school personnel, based on the fact that post Contract expiry administration of
the MMC has yet to be determined, any consent col ected from school personnel is unlikely to
extend to the col ection of their personal information by the Department and if it does, is
unlikely to be valid as it is not current.
7.115  Notwithstanding the above, we are instructed that the Department has obtained legal advice
to confirm that the administration and management of the MMC tool is consistent with its
scope of powers under the Constitution.
7.116  On that basis, and provided the Department seek a fresh consent from al  school personnel
and students who have an MMC profile to col ect their profile information from Macquarie
University to enable the Department to take on administration and management of the MMC
(Recommendation 8), we consider the col ection of that information in the circumstances,
would be:
(a)
for a lawful purpose that is directly related to the Department’s activities and
necessary for that purpose;
(b)
not col ected by any unlawful or unfair means;
(c)
not excessive or unreasonably intrusive into student’s personal affairs; and
(d)
for individuals aged over 16 years, collected from Macquarie University only with the
consent of that individual, or in relation to students under the age of 16 years,
collected directly from the parent or guardian when a fresh consent form is completed.
7.117  With respect to the fresh col ect, the Department wil  need to ensure that any consent
collected for a student under the age of 16 years from a parent or guardian includes a
requirement for the parent or guardian to include the student’s details that it wishes to collect
to ensure the collection is from the parent and consistent with section 9 of the PPIP Act
(Recommendation 8).
7.118  In circumstances where the personal and health information about students is not required by
the Department for a lawful purpose that is directly related to its activities and necessary for
that purpose, the collection of such information by the Department wil  not be authorised
under the HRIP Act or the Privacy Act.
10268\10268\95818240\1
6 August 2024
Page 47 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
47

Notification of col ection of personal and health information
PPIP Act
7.128  Section 10 of the PPIP Act requires a public sector agency to take such steps as are
reasonable in the circumstances to ensure that, before the information is collected or as soon
as practicable after col ection, the individual to whom the information relates is made aware of
the following:
(a)
the fact that the information is being collected;
(b)
the purposes for which the information is being col ected;
(c)
the intended recipients of the information;
(d)
whether the supply of the information by the individual is required by law or is
voluntary, and any consequences for the individual if the information (or any part of it)
is not provided;
(e)
the existence of any right of access to, and correction of, the information; and
(f)
the name and address of the agency that is collecting the information and the agency
that is to hold the information.
HRIP Act
7.129  Under the HPP 4, an organisation is required to make individuals aware of the fol owing
matters:
(a)
the identity of the organisation and how to contact it;
(b)
the fact that the individual is able to request access to the information;
(c)
the purposes for which the information is col ected;
(d)
the persons to whom (or the types of persons to whom) the organisation usually
discloses information of that kind;
(e)
any law that requires the particular information to be collected; and
(f)
the main consequences (if any) for the individual if all or part of the information is not
provided.
Privacy Act
7.130  APP 5 requires APP entities to take such steps (if any) as are reasonable in the
circumstances to notify an individual of such certain matters, as are reasonable in the
circumstances, or otherwise ensure that the individual is aware of any such matters.
7.131  APP 5.2 sets out the matters an individual must be notified or made aware of and includes:
(a)
the facts and circumstances of collection;
(b)
the purpose(s) for which the APP entity collects personal information;
(c)
any third parties, or types of third parties, to which the entity usual y discloses
personal information of the kind col ected by the entity;
(d)
whether the APP entity is likely to disclose personal information to overseas
recipients;
10268\10268\95818240\1
6 August 2024
Page 50 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
50

(e)
the main consequences (if any) for the individual if all or some of the personal
information is not collected by the APP entity; and
(f)
that the APP privacy policy of the APP entity contains information about how the
individual may seek access to or correction of their personal information that is held
and how they make a complaint about a breach of the APPs, or a registered APP
code (if any) that binds the entity, and how the entity wil  deal with such a complaint.
7.132  A privacy collection notice is different to a privacy policy in that it is required to provide more
detailed information about a particular collection of personal information.
7.133  The ‘reasonable steps’ an APP entity is required to take for the purposes of APP 5 will
depend on the circumstances, which wil  include consideration of:
(a)
the sensitivity of the personal information involved, the more sensitive the information,
it is likely more effort to inform wil  be required;
(b)
the possible adverse consequences for the individual if they are not made aware of
matters relating to the col ection of their information;
(c)
any special needs of the individual; and
(d)
the practicability of giving an APP 5 collection notice, including time and cost involved.
7.134  In relation to the draft My Mind Check Privacy Collection Notice20,we provide the following
comments:
(a)
it is not clear who the Privacy Collection Notice is directed to as some parts appear to
be directed to a parent and also suggest that MMC accounts can be created for
parents, for example:
(i)
When you access and use My Mind Check, we wil  col ect, use, disclose and
handle your or your child’s personal information as set out in this Privacy
Collection Notice;
(ii)
...….if a school creates a student account for you or your child on the My
Mind Check Portal, we will collect:…; or
(iii)
if a school creates a student account for you or your child on the My Mind
Check Portal, we will collect;
(b)
the Privacy Collection Notice states that, “By accessing My Mind Check you agree to
be bound by this Privacy Collection Notice and My Mind Check’s Terms of Use” which
are linked however, we note that:
(i)
the Privacy Collection Notice is not a document that is to be used to bind
parties at law;
(ii)
the intention of the Privacy Collection Notice is to provide information to
individuals whose information is to be collected and handled by Macquarie
University, about the ways in which Macquarie University wil  handle their
personal information if they choose to provide it; and

20 Version 1, 26 April 2024
10268\10268\95818240\1
6 August 2024
Page 51 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
51

(iii)
it is unclear to us how Macquarie University is able to enter into a contract
with a student who will lack capacity to consent and presumably, capacity to
understand the Terms of Use and its implications;
(c)
the Privacy Collection Notice does not advise readers that participation in mental
health and wellbeing assessments is voluntary, that they do not have to answer any
question they do not want to or can stop or withdraw their consent at any time and the
process for doing so. We note that the Consent form provides this information
however, it should be kept in mind that parents or guardians wil  be the ones reading
the Consent form and most students as wel  as the general public wishing to know
more about the MMC, wil  likely not read the Consent form so it is important to ensure
the Privacy Collection Notice contains al  relevant information regarding the handling
of personal information for the purposes of the MMC;
(d)
the purpose of the Privacy Collection Notice is to inform individuals to whom the
information relates (i.e. in relation to mental health and wel being assessments, this
wil  be information about students) about certain matters including how their personal
and health information wil  be collected and handled;
(e)
the language used in the draft Privacy Collection Notice is, having regard to its
intended audience, quite sophisticated and complex; and
(f)
whilst the Privacy Col ection Notice notes that Macquarie University is supported by
its subcontractors, there is no mention of who these subcontractors are and what, if
any personal or health information they wil  collect, use and/or disclose through their
involvement in providing MMC contracted services.
7.135  In the Privacy Act Review Report released by the Attorney-General’s Department in 2022 the
report discussed the issue of child appropriate col ection notices and noted the proposal to
‘amend the Privacy Act to require that col ection notices and privacy policies be clear and
understandable, in particular for any information addressed specifically to a child’21, was in
response to concerns raised about privacy notices being difficult for children to understand,
which can hinder their comprehension of online data processes and result in a lack of
informed consent.
7.136  Based on our comments above, and particularly noting that the main audience for the Privacy
Collection Notice is young persons and children under the age of 18 years, we recommend
Macquarie University create two MMC Privacy Col ection Notices, one for adults (i.e. staff,
caregivers, and curious adults in the community), and one specifical y for children whose
information wil  be handled through the MMC (Recommendation 10).
7.137  When developing a child appropriate Privacy Col ection Notice, Macquarie University should:
(a)
use language that is appropriate for children and young people to ensure it is fit for
purpose and should be presented in ways which take into account the age of the
readers and their ability or wil ingness to read large amounts of text in relation to
complex matters;
(b)
consider the language used in the Student Consent form and ensure it is fit for
purpose, taking into account the age of the readers and their ability or wil ingness to
read large amounts of text in relation to complex matters; and

21 Proposal 16.3.
10268\10268\95818240\1
6 August 2024
Page 52 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
52

7.141  Section 18 of the PPIP Act relates to disclosure of personal information and states that, a
public sector agency that holds personal information must not disclose the information to a
person (other than the individual to whom the information relates) or other body, whether or
not such other person or body is a public sector agency, unless:
(a)
the disclosure is directly related to the purpose for which the information was
collected, and the agency disclosing the information has no reason to believe that the
individual concerned would object to the disclosure, or
(b)
the individual concerned is reasonably likely to have been aware, or has been made
aware in accordance with section 10, that information of that kind is usually disclosed
to that other person or body, or
(c)
the agency believes on reasonable grounds that the disclosure is necessary to
prevent or lessen a serious and imminent threat to the life or health of the individual
concerned or another person.
7.142  Subsection 18(2) of the PPIP Act provides that, if personal information is disclosed in
accordance with subsection (1) to a person or body that is a public sector agency, that agency
must not use or disclose the information for a purpose other than the purpose for which the
information was given to it.
HRIP Act
7.143  Under HPP 10, an organisation that holds health information must not use the information for
a purpose (a secondary purpose) other than the purpose (the primary purpose) for which it
was collected unless the individual to whom the information relates consents to the use for the
secondary purpose or another exception applies to authorise the use.
7.144  HPP 11 requires that an organisation that holds health information, not disclose the
information for a purpose (a secondary purpose) other than the purpose (the primary purpose)
for which it was collected unless he individual to whom the information relates has consented
to the disclosure of the information for that secondary purpose, or another exception applies
to authorise the disclosure.
Privacy Act
7.145  APP 6.1 provides that an APP entity can only use or disclose personal information it has
collected for a particular purpose (the primary purpose) unless the individual to whom the
information relates has consented to its use or disclosure for another purpose (a secondary
purpose) or an exception under APP 6.2 applies to authorise the use or disclosure for the
secondary purpose.
7.146  Exceptions under APP 6.2 include where the use or disclosure is authorised or required under
an Australia law (APP 6.2(b)).
Use of personal information
7.147  For the purposes of the Project, Macquarie University will use personal information as fol ows:
(a)
to respond to enquiries;
(b)
to establish staff portal accounts and send a welcome email;
(c)
to generate access codes to enable staff entry into the portal;
(d)
to process student information and establish student profiles within the MMC portal;
10268\10268\95818240\1
6 August 2024
Page 55 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
55

(e)
when the system establishes a session and arranges students into groups;
(f)
to create session codes for each student in a group;
(g)
to enable a student access into a session;
(h)
to convert student responses into outcome indicators;
(i)
to create a visual representation of the student’s outcomes; and
(j)
when it separates the data collected from students into two separate databases.
Disclosure of personal information
7.148  For the purposes of the Project, Macquarie University will disclose personal information as
follows:
(a)
when it makes student outcome indicators to accessible to the school; and
(b)
when it makes a visual representation of the student’s outcomes accessible to the
school.
Uses of personal and health information
7.149  We are instructed by Macquarie University that, for the purposes listed above in
paragraph 7.127, it wil  use personal and health information collected by it through the MMC
website, MMC portal or via email, only for the purposes for which it was collected.
7.150  We have not been instructed of any secondary purposes for which Macquarie University
intends to use the personal and/or health information it collects, and, on that basis, we
consider the use of personal and health information by Macquarie University, for the purposes
set out in paragraph 1.27 above, wil  constitute a use for the primary purpose of collection and
wil  be authorised in accordance with section 17 of the PPIP Act, HPP 10 and APP 6.
7.151  We are instructed that Macquarie University wil  use de-identified information only to create
reports for the Department as required under the Contract and that no personal information
wil  be used or disclosed for such purposes.
7.152  In relation to Macquarie University’s deletion of health records, section 25 of the HRIP Act
requires a health service provider who deletes or disposes of health information to keep a
record of the name of the individual to whom the health information related, the period
covered by it and the date on which it was deleted or disposed of.
7.153  A ‘health service provider’ is defined in the HRIP Act as an organisation that provides a health
service22. A ‘health service’ includes mental health services23. On that basis, we consider that
Macquarie University is a health service provider for the HRIP Act to the extent it is providing
the MMC services. As such, Macquarie University is required to keep a record of the name of
the students whose mental health and wellbeing assessment records it deletes in accordance
with section 25 of the HRIP Act (Recommendation 13).

22 Section 4 of the HRIP Act
23 Section 4 of the HRIP Act
10268\10268\95818240\1
6 August 2024
Page 56 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
56

(b)
where the individual has consented to the use or disclosure of the information for that
purpose and in each direct marketing communication with the individual:
(i)
the organisation includes a prominent statement that the individual may make
such a request; or
(ii)
the organisation otherwise draws the individual’s attention to the fact that the
individual may make such a request; and
the individual has not made such a request to the organisation.(APP 7.3);
7.159  There do not appear to be any similar obligations to APP 7 contained in either the PPIP Act or
the HRIP Act.
7.160  We are instructed that Macquarie University wil  direct market to those in individuals in
Macquarie University’s database who have subscribed to the eNewsletter and ongoing
communications.
7.161  Whilst we do not consider that Macquarie University comes within the definition of an
‘organisation’ for the purposes of the Privacy Act, it wil  only send marketing materials to
individuals who have specifically requested to receive such material from Macquarie
University.
7.162  We are instructed that Macquarie University marketing materials have an unsubscribe option
easily accessible at the bottom of all marketing emails to enable individuals to withdraw their
consent to receiving marketing materials (i.e. unsubscribe). On that basis, we do not consider
the implementation of the MMC is likely to raise any material APP 7 compliance risks.
Transborder and cross border disclosures
PPIP Act
7.163  Subsection 19(2) of the PPIP Act provides that a public sector agency that holds personal
information about an individual must not disclose the information to any person or body who is
in a jurisdiction outside New South Wales or to a Commonwealth agency unless certain
circumstances apply, including where the individual expressly consents to the disclosure.
HRIP Act
7.164  HPP 14 provides that an organisation must not transfer health information about an individual
to any person or body who is in a jurisdiction outside New South Wales or to a
Commonwealth agency unless certain circumstances apply, including where the individual
consents to the transfer.
Privacy Act
7.165  APP 8.1 requires an APP entity to take reasonable steps to ensure any overseas recipient of
personal information does not breach the APPs when handling that information.
Transborder dataflows
7.166  Macquarie university wil  be disclosing health information about students who complete the
MMC modules with their school, back to their school. The students wil  only be participating in
the mental health and wel being assessments if they or a parent or guardian has consented to
their participation and al  of what that entails, including the disclosure of their assessment
outcomes to the school.
10268\10268\95818240\1
6 August 2024
Page 58 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
58

7.167  Provided a valid consent is obtained that includes within its scope consent for Macquarie
University to disclose student health information to their school (refer to Recommendations 2
and 3, above), the disclosure wil  be consistent with subsection 19(2) of the PPIP Act and
HPP 14.
Cross border disclosures
7.168  We are instructed that the implementation of the MMC wil  not involve any cross-border
disclosures of personal or health information by Macquarie University or the Department. On
that basis, we do not consider the implementation of the MMC tool is likely to raise any
material APP 8 compliance risks.
Identifiers
HRIP Act
7.169  HPP 12 provides that, an organisation may only assign identifiers to individuals if the
assignment of identifiers is reasonably necessary to enable the organisation to carry out any
of its functions efficiently. Further, if the use or disclosure of an identifier assigned to an
individual by a public sector agency is necessary for a private sector person to fulfil its
obligations to, or the requirements of, the public sector agency, a private sector person may
either:
(a)
adopt as its own identifier of an individual an identifier of the individual that has been
assigned by the public sector agency; or
(b)
use or disclose an identifier of the individual that has been assigned by the public
sector agency.
Privacy Act
7.170  APP 9 provides that an organisation must not adopt a government related identifier of an
individual as its own identifier of the individual unless:
(a)
the adoption of the government related identifier is required or authorised by or under
an Australian law or a court/tribunal order; or
(b)
the identifier is prescribed by the regulations, the organisation is prescribed by the
regulations, or is included in a class of organisations prescribed by the regulations
and, the adoption, use or disclosure occurs in the circumstances prescribed by the
regulations.
HRIP Act
7.171  We are instructed that Macquarie University obtain student identifiers from schools when the
school signs up students after they have provided consent to participate. Macquarie
University wil  use this information to present the health and wel being outcomes back to the
school and to enable the school to identify those to whom the outcomes relate.
7.172  Having regard to the contracted services Macquarie University are required to provide,
including:
(a)
ensuring the MMC wil  help schools to identify students with, or at risk of declining
mental health and wel being;
(b)
to enable schools to undertake a point in time assessment of its student’s mental
health and wellbeing; and
10268\10268\95818240\1
6 August 2024
Page 59 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
59

(c)
that allows schools to measure the mental health and wellbeing of their students,
we consider the use of the student identifier is for the purpose of enabling Macquarie
University to carry out its functions efficiently and meet its contractual obligations.
7.173  On the basis that the Department wil  not be col ecting any health information as defined
under the HRIP Act, we do not consider the implementation of the MMC tool wil  raise any
material HPP 12 compliance risks.
Privacy Act
7.174  APP 9 does not apply to Department or Macquarie University as they are not an ‘organisation’
for the purposes of the Privacy Act, and section 7A is not applicable in the context of the
Project. On that basis, the Project wil  not raise any APP 9 compliance issues.
Data Quality
PPIP Act and HRIP Act
7.175  Section 11(a) of the PPIP Act and HPP 2(a) requires a public sector agency/organisation
collecting personal information from an individual, to take such steps as are reasonable in the
circumstances (having regard to the purposes for which the information is col ected) to ensure
that the information collected is relevant to that purpose, is not excessive, and is accurate, up
to date and complete.
7.176  Section 16 of the PPIP Act and HPP 9 requires that a public sector agency/organisation that
holds personal information, not use the information without taking such steps as are
reasonable in the circumstances to ensure that, having regard to the purpose for which the
information is proposed to be used, the information is relevant, accurate, up to date, complete
and not misleading.
Privacy Act
7.177  APP 10 requires the APP entity to take reasonable steps to ensure that:
(a)
the personal information it collects is accurate, up-to-date, and complete (APP 10.1);
and
(b)
the personal information it uses and discloses is (having regard to the purposes for its
use or disclosure) accurate, up-to-date, complete, and relevant, having regard to the
purpose of the use or disclosure (APP 10.2).
7.178  The reasonable steps an APP entity should take wil  depend on the circumstances,
including24:
(a)
the sensitivity of the personal information;
(b)
the nature of the APP entity holding the personal information;
(c)
the possible adverse consequences for an individual if the quality of personal
information is not ensured; and
(d)
the practicability, including time and cost involved.

24 OACI, APP Guidelines, paragraph 10.6.
10268\10268\95818240\1
6 August 2024
Page 60 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
60

Personal information
7.179  In relation to personal information col ected from various individuals in relation to enquiries,
feedback, questions (i.e. not sensitive or health information), this information collected is
minimal, is stored in a separate database to health information and is general y collected from
the individual directly. On that basis, we do not consider the col ection, use or storage of
personal information that is not health information, raises any material APP 10 compliance
risks.
Health information
7.180  In relation to the accuracy of the outcome indicators that are generated by the MMC tool, we
have not received any instructions about:
(a)
the core principles upon which the tool (or the algorithm that underpins the tool) is
built including whether the algorithm is built on an evidence-based framework (i.e.
principles of cognitive behavioural therapy) or is an artificial intelligence-based
system;
(b)
whether the tool is a score-based system and if so whether the scores are based on
research that has been peer reviewed and is a proven based method;
(c)
what data was used to train the tool and whether that dataset is fit for purpose and
applicable to the Australian school environment (i.e. if the tool were trained using data
from Australian students or using data from another country i.e. the United Kingdom
and whether the sample dataset differs in material ways to the Australia environment
such that it would result in inaccurate outcomes);
(d)
whether the MMC tool outcomes have been tested to ensure accuracy and if so, how,
and how robust were the testing methods and what were the outcomes of that testing;
or
(e)
if the tool is AI based, whether the tool was trained on ethical y and legal y obtained
data.
7.181  Based on the outcomes derived by the MMC tool and shared with schools, this wil  inform the
school’s further actions in relation to the student to whom those outcomes relate and could
result in communication with that student’s parent/s or guardian/s about the state of their
mental health.
7.182  Such outcomes where the result is incorrect, has the potential to be damaging to a student
who may not necessarily understand how the result came about or why certain actions are
being taken because of it.
7.183  The MMC tool is automated and as such, it is not subject to the standards of care which wil
apply to a registered mental health professional who can speak directly to an individual and
take into account various things such as body language and presentation, and also gather
information that is relevant to the individual and their circumstances.
7.184  We recommend that the Department ensure that it has, in procuring the MMC tool,
undertaken due diligence and reviewed sufficient evidence, including from research trials and
in relation to the evidence-based frameworks on which it is built (if applicable) to ensure that
the tool (and in particular the part of the tool which generates mental health outcome
indicators) (Recommendation 14):
10268\10268\95818240\1
6 August 2024
Page 61 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
61

(b)
the amount and sensitivity of the personal information held;
(c)
the possible adverse consequences for an individual in the case of a breach;
(d)
the practical implications of implementing the security measures, including time and
cost involved; and
(e)
whether a security measure is in itself privacy invasive.
7.188  Reasonable steps an APP entity should take to meet its APP 11 obligations should involve
consideration of the fol owing matters:
(a)
governance, culture, and training;
(b)
internal practices, procedures, and systems;
(c)
ICT security;
(d)
access security;
(e)
contractual obligations with third party providers;
(f)
implementing a data breach response plan;
(g)
physical security;
(h)
destruction and de-identification of data where appropriate; and
(i)
compliance with data security standards.
Governance
7.189  We are instructed that Macquarie University conducts regular reviews of its cyber security
risks and controls to ensure they are performing as intended and remain appropriate
according to the level of risk.
7.190  We are further instructed that a working group has been established for the project which
includes:
(a)
Macquarie University’s Chief Information Officer;
(b)
the Macquarie University Voluntary Mental Health Assessment Tool IT Program
Manager;
(c)
Centorrino Technologies Chief Technology Officer; and
(d)
Centorrino Technologies Voluntary Mental Health Assessment Tool Technical
Delivery Lead.
7.191  This working group wil  meet on a monthly basis and is responsible for providing high level
steering to the Project Director including risk review. Any issues identified by this group wil  be
escalated to the Steering Committee for the project via the Project Director.
7.192  According to the Cyber Security Policy:
(a)
Macquarie University Chief Information and Digital Officer is responsible for ensuring
that the MMC Cyber Security Policy and related procedures align with the University’s
goals and applicable government regulations, and are reviewed and updated in
accordance with operational needs; and
(b)
managers and supervisors are responsible for ensuring individuals under their
supervision undergo cyber security training provided by the University, and are aware
10268\10268\95818240\1
6 August 2024
Page 63 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
63

of the MMC Cyber Security Policy, the Privacy Policy, and related procedures before
access to systems or information is granted.
ICT Security
7.193  We are instructed that Macquarie University adopts cyber security principles consistent with
the Information Security Manual produced by the Australian Signals Directorate26.
7.194  Macquarie University has developed a Cyber Security Policy specifically for the MMC which,
we are instructed, is intended to work in combination with Macquarie University’s general
Cyber Security Policy and other related standards, requirements, and policies.
7.195  We note that the MMC Cyber Security Policy requires the fol owing:
(a)
all MMC assets must be recorded in an asset register which must be kept up to date
and modifications to the register can only be made by authorised personnel;
(b)
all Macquarie University staff must receive cyber security training on an annual or
more frequent basis;
(c)
password management for MMC front end and back-end administrators wil  be put in
place and that all passwords are adequately complex;
(d)
multi-factor authentication for MMC to be enforced;
(e)
vulnerability scanning technology to be deployed; network-based firewal s to be
implemented between MMC and the internet and capable of generating cyber security
alerts;
(f)
MMC security assets configured to generate security event logs; and
(g)
security event logs are protected against modification and must be regularly reviewed
and analysed.
7.196  Al  data wil  be encrypted in-transit and at rest27 and when at rest, wil  be encrypted at the disk
storage level28. We are further instructed that some personal information will also have
encryption applied at the database level29.
7.197  Access to the MMC wil  be restricted to only those users who are authorised to access for the
purposes of supporting the delivery of the MMC and access to the data wil  be via functions in
the MMC, which wil  enforce appropriate authentication and authorisation.
7.198  We are instructed that Centorrino have demonstrated experience in hosting and managing
student data in a highly secure manner and are familiar with the requirements associated with
meeting an independent IRAP assessment30. We are instructed that a security assessment
was conducted on the MMC in February 2024 by the NCC Group. Al  risks identified were
rated as low (2 risks) or for information only (6 risks).

26 Voluntary Mental Health Check Tool: Final Design Plan, Version 1.0, 9.11.2023 page 17.
27 Voluntary Mental Health Check Tool: Final Design Plan, Version 1.0, 9.11.2023.
28 My Mind Check Data Management Plan and Cyber Security Overview, draft version 0.5, 10 May 2024.
29 My Mind Check Data Management Plan and Cyber Security Overview, draft version 0.5, 10 May 2024.
30 Voluntary Mental Health Check Tool: Final Design Plan, Version 1.0, 9.11.2023, page 3.
10268\10268\95818240\1
6 August 2024
Page 64 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
64

7.199  We are further instructed that an independent, external penetration test was conducted and
did not result in any critical, high , medium, or low issues being detected or remaining
outstanding31.
7.200  Whilst Macquarie University’s Privacy Management Plan states that it conducts Information
security awareness training activities periodical y for the University’s staff and students, we
note that the delivery of the MMC tool is not an ordinary function or activity for the University
and as such, we recommend that al  University staff and its subcontractors undertake specific
privacy awareness training which includes training on obligations in relation to the handling of
health information, prior to go live or as soon after as possible to ensure all individuals
handling student health information have a solid understanding of their privacy obligations in
relation to it (Recommendation 15).
Data retention and destruction
7.201  We have not been provided any instructions in relation a data retention and destruction plan
for the MMC. As noted above in paragraph 1.3, the health information collected about
students is intended to provide a point in time snapshot of mental health only and we have not
received any instructions which suggest the information is intended to be maintained in an
identifiable form for any uses which require it to be stored for a long period of time (i.e.
longitudinal studies).
7.202  We recommend an MMC data retention and destruction plan is developed and implemented
by Macquarie University (in cooperation with the department, where necessary) that ensures
student health information as well as other personal information it col ects for the purposes of
delivering the MMC is only stored in identifiable form for as long it is required to provide the
MMC contracted services and in accordance with any records management obligations under
law. Once the information collected by Macquarie University is no longer required to provide
the MMC services, it should be securely destroyed or de-identified, unless it is required to be
maintained under law (Recommendation 16).
Data Breach Response Plan
7.203  Under section 59ZD of the PPIP Act, a public sector agency is required to publish a data
breach policy and establish and maintain an internal register for eligible data breaches. The
register must include details of the fol owing, where practicable, for al  eligible data breaches:
(a)
who was notified of the breach,
(b)
when the breach was notified,
(c)
the type of breach,
(d)
details of steps taken by the public sector agency to mitigate harm done by the
breach,
(e)
details of the actions taken to prevent future breaches,
(f)
the estimated cost of the breach.

31 My Mind Check Data Management Plan and Cyber Security Overview, draft version 0.5, 10 May 2024.
10268\10268\95818240\1
6 August 2024
Page 65 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
65

Data access
PPIP Act
7.206  Section 13 of the PPIP Act provides that a public sector agency that holds personal
information must take such steps as are, in the circumstances, reasonable to enable any
person to ascertain—
(a)
whether the agency holds personal information, and
(b)
whether the agency holds personal information relating to that person, and
(c)
if the agency holds personal information relating to that person:
(i)
the nature of that information, and
(ii)
the main purposes for which the information is used, and
(iii)
that person’s entitlement to gain access to the information.
7.207  Section 14 of the PPIP Act provides that a public sector agency that holds personal
information must, at the request of the individual to whom the information relates and without
excessive delay or expense, provide the individual with access to the information.
HRIP Act
7.208  HPP 7 provides that, an organisation that holds health information must, at the request of the
individual to whom the information relates and without excessive delay or expense, provide
the individual with access to the information.
Privacy Act
7.209  Under APP 12, individuals must be given access to their own personal information (subject to
certain exceptions).
7.210  Macquarie University advises individuals via its MMC Privacy Collection Notice that they may
request access to the personal information that Macquarie University holds about you via the
“Enquire Now” form on the MMC website or by contacting them via their dedicated privacy
email address (xxxxxxx@xxxxxxxxxxx.xxx.xx).
7.211  We are instructed that the Department’s existing mechanisms and processes in place to
facilitate and respond to requests for access to personal information held by the Department
wil  apply to any personal information it may col ect in relation to the MMC.
7.212  On that basis, we do not consider the implementation of the MMC to raise any material
compliance risks in relation to sections 13 and 14 of the PPIP Act, HPP 7 and APP 12.
Data correction
PPIP Act
7.213  Section 15 of the PPIP Act provides that, a public sector agency that holds personal
information must, at the request of the individual to whom the information relates, make
appropriate amendments (whether by way of corrections, deletions or additions) to ensure
that the personal information is accurate, and having regard to the purpose for which the
information was collected (or is to be used) and to any purpose that is directly related to that
purpose, is relevant, up to date, complete and not misleading.

10268\10268\95818240\1
6 August 2024
Page 67 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
67

HRIP Act
7.214  HPP 8 requires and an organisation that holds health information must, at the request of the
individual to whom the information relates, make appropriate amendments (whether by way of
corrections, deletions or additions) to ensure that the health information is accurate, and
having regard to the purpose for which the information was collected (or is to be used) and to
any purpose that is directly related to that purpose, is relevant, up to date, complete and not
misleading.
Privacy Act
7.215  APP 13 requires APP entities to take reasonable steps, on request by an individual, to correct
any personal information they hold to ensure it is accurate, relevant, up to date, complete and
not misleading, having regard to the purpose for which it is held.
7.216  Macquarie University advises individuals via its MMC Privacy Collection Notice that
individuals may seek correction of the personal information Macquarie University holds about
them by contacting them using the contact details provided in the Privacy Col ection Notice.
7.217  We are instructed that the Department’s existing mechanisms and processes in place to
facilitate and respond to requests for correction of personal information held by the
Department.
7.218  On that basis, we do not consider the implementation of the MMC to raise any material
compliance risks in relation to section 15 of the PPIP Act, HPP 8 and APP 13.

10268\10268\95818240\1
6 August 2024
Page 68 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
68

8  Community Expectations
8.1
The lawful col ection, use or disclosure of personal information may ensure that a particular
activity complies with the Privacy Act, and even with general y accepted privacy principles.
However, that does not mean it wil  necessarily meet community expectations.
8.2
The former Australian Privacy Commissioner Malcolm Crompton has noted that:
Consumers everywhere eventually reach a level of concern where they no longer accept a
situation of low security and regular loss of privacy through inappropriate use and sharing of
information, even if legal.33
8.3
Furthermore, community expectations about what constitutes an invasion of privacy are not
necessarily reflected in the law, with some surveys of lodged privacy complaints suggesting
that many complainants’ expectations about how the law is supposed to protect their privacy
are not being met by privacy laws, including the Privacy Act, in practice.
8.4
Reliable indicators of community expectations are notoriously difficult to produce however,
some assumptions may be drawn from the findings of OAIC’s Australian Community Attitudes
to Privacy Survey 2023. This survey provides valuable insight into community expectations
generally. Relevant findings from the most recent OAIC survey include:
(a)
62% see the protection of their personal information as a major concern in their life34;
(b)
74% of Australians feel data breaches are one of the biggest privacy risks they face
today35; and
(c)
protecting their child’s personal information is a major concern for 79% of parents.
However, only half (50%) feel they are in control of their child’s data privacy36; and
(d)
the vast majority of parents support organisations adopting a child-centric approach to
handling personal information about children. This includes organisations considering
what is in the best interests of children when handling their personal information (93%
support) and providing important data privacy information to children in clear
language that is not misleading (91% support)37.
8.5
As can been noted from both the submissions into the Privacy Act Review and also the
responses to OAIC’s survey, the community expects that activities that require or include the
handling of personal information about children, should involve children being informed about
how their personal information wil  be col ected and handled in a way and using language that
wil  enable their comprehension of that information.

33 Information Integrity Solutions, The trust cluster: dealing effectively with security, privacy, identity and authentication at the
heart of connected government dated 2005.
34 Main findings, page 8.
35 Main Findings, page 8.
36 Children’s Privacy, page 11.
37 Children’s Privacy, page 11.
10268\10268\95818240\1
6 August 2024
Page 69 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
69

8.6
Further, many of the children who are likely to be involved with the use of the MMC, wil  not
likely have the capacity to consent to participate and wil  have a parent or guardian consent to
their participation on their behalf. Just because a child does not have the capacity to consent
does not mean they should not be involved in the decision-making process and have a voice
about whether or not they would like to participate. In this regard, we refer to
Recommendation 2, above.
8.7
The MMC wil  handle very sensitive health information about students in Australian schools.
To enable a strong uptake in the usage of the MMC, it wil  be of the utmost importance for
Macquarie University to build and maintain community trust in its ability to securely collect and
manage the health information of students through the MMC website and portal and to
generate accurate results using the MMC tool.
8.8
Clear and detailed notification and transparency around:
(a)
how the MMC tool works;
(b)
who is handling what and for what purposes in respect of MMC services; and
(c)
what happens with the information once it is no longer required,
wil  be important factors in building community trust and maintaining social licence to deliver
the contracted services. In this regard, we refer to Recommendations 10, 11 and 16.
8.9
Another aspect to building and maintaining community trust will be the ability of the
Department, and Macquarie University to ensure the MMC produces accurate results in
relation to student mental health and wellbeing the robust testing and assurance activities
undertaken on the MMC tool to ensure its results are accurate. In this regard, we refer to
Recommendation 13.

10268\10268\95818240\1
6 August 2024
Page 70 of 88
Privacy Impact Assessment Report: Voluntary Mental Health Check Tool
Sparke Helmore Lawyers │MAS975-00002
Private & Confidential │Subject to Legal Professional Privilege
70

s 47G(1)(a)
s 47G(1)(a)
74

s 47G(1)(a)
s 47G(1)(a)
s 47G(1)(a)
s 47G(1)(a)
75

s 47G(1)(a)
s 47G(1)(a)
76

s 47G(1)(a)
77

s 47G(1)(a)
83

Schedule 3: Materials
Macquarie University Materials
My Mind Check – Privacy Collection Notice, Version 1, 26 April 2024
Information & Consent Form – Parent/Guardian, version 1.1, 10 May 2024
Information & Consent Form – Student, version 1.1, 10 May 2024
Template Withdrawal of Consent Form for Parents/Guardians
Template Withdrawal of Consent Form for Students
Draft Software Licence (My Mind Check), 23 April 2024
Draft My Mind Check Terms of Use, 26 April 2024
My Mind Check items, 26 April 2024
Long Form Services Contract in Relation to the Provisions of a Voluntary Mental Health Check Tool
between the Commonwealth of Australian as represented by the Department of Education and
Macquarie University, executed on 13 June 2023
Deed of Variation in Relation to the Provision of a Voluntary Mental Health Check Tool between the
Commonwealth of Australian as represented by the Department of Education and Macquarie
University, executed on 15 March 2024
Draft Proposed Changes under Schedule 1 of the Contract received by Sparke Helmore on 28 May 2024
Voluntary Mental Health Check Tool Threshold Assessment completed by Pamela Banerjee on
12 October 2022
My Mind Check Data Management Plan and Cyber Security Overview
My Mind Check Access and Authentication Standards
My Mind Check Cyber Security Policy
Voluntary Mental Health Check Tool: Final Design Plan, version 1.0, 9 November 2023
nccgroup Voluntary Mental Health Check Tool Security Assessment, version 1.0, 1 February 2024
OAIC Documents
Australian Privacy Principle Guidelines
Australian Community Attitudes to Privacy Survey 2023 Report
Guide to undertaking privacy impact assessments (September 2021)
Legislation
Privacy and Personal Information Protection Act 1998 (NSW)
Health Records and Information Privacy Act 2002 (NSW)
Privacy Act 1988 (Cth)
Privacy (Australia Government Agencies – Governance) APP Code 2017
10268\10268\95818240\1

87