The School is bound by the Australian Privacy Principles contained in the Commonwealth Privacy Act 1988. In relation to health records, the School is also bound by the New South Wales Health Privacy Principles which are contained in the Health Records and Information Privacy Act 2002 (Health Records Act).
This policy is to be read in conjunction with ‘Information Sharing Between Principals and Schools’ document created by AIS, CED and DEC.
The type of information the School collects and holds includes (but is not limited to) personal information, including health and other sensitive information, about:
Personal Information you provide: The School will generally collect personal information held about an individual by way of forms filled out by parents or students, face-to-face meetings and interviews, emails and telephone calls. On occasions, people other than parents and students provide personal information.
Personal Information provided by other people: In some circumstances, the School may be provided with personal information about an individual from a third party, for example, a report provided by a medical professional or a reference from another school.
The School will use personal information it collects from you for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of collection and reasonably expected by you, or to which you have consented.
Students and Parents: In relation to personal information of students and parents, the School’s primary purpose of collection is to enable the School to provide schooling to students enrolled at the School, exercise duty of care, and perform necessary associated administrative activities, which will enable students to take part in all the activities of the School. This includes satisfying the needs of parents, the needs of the student and the needs of the School throughout the whole period the student is enrolled at the School.
The purposes for which the School uses personal information of students and parents include:
In some cases where the School requests personal information about a student or parent, if the information requested is not provided, the School may not be able to enrol or continue the enrolment of the student or permit the student to take part in a particular activity.
Job applicants and contractors: In relation to personal information of job applicants and contractors, the School’s primary purpose of collection is to assess and (if successful) to engage the applicant or contractor, as the case may be.
The purposes for which the School uses personal information of job applicants, staff members and contractors include:
Volunteers: The School also obtains personal information about volunteers who assist the School in its functions or conduct associated activities, such as alumni associations, to enable the School and the volunteers to work together.
Marketing and fundraising: The School treats marketing and seeking donations for the future growth and development of the School as an important part of ensuring that the School continues to provide a quality learning environment in which both students and staff thrive. Personal information held by the School may be disclosed to organisations that assist in the School’s fundraising, for example, the School’s Foundation or alumni organisation (or, on occasions, external fundraising organisations).
Parents, staff, contractors and other members of the wider School community may from time to time receive fundraising information. School publications, like newsletters and magazines, which include personal information, may be used for marketing purposes.
The School may disclose personal information, including sensitive information, held about an individual for educational, administrative and support purposes. This may include to:
Sending and storing information overseas: The School may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange. However, the School will not send personal information about an individual outside Australia without:
The School may use online or ‘cloud’ service providers to store personal information and to provide services to the School that involve the use of personal information, such as services relating to email, instant messaging and education and assessment applications. Some limited personal information may also be provided to these service provides to enable them to authenticate users that access their services. This personal information may be stored in the ‘cloud’ which means that it may reside on a cloud service provider’s servers which may be situated outside Australia.**
An example of such a cloud service provider is Google. Google provides the ‘Google Apps for Education’ (GAFE) including Gmail, and stores and processes limited personal information for this purpose. School personnel and its service providers may have the ability to access, monitor, use or disclose emails, communications (e.g., instant messaging), documents and associated administrative data for the purposes of administering GAFE and ensuring its proper use. **
** If applicable
In referring to ‘sensitive information’, the School means: information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or practices or criminal record, that is also personal information; health information and biometric information about an individual.
Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless you agree otherwise, or the use or disclosure of the sensitive information is allowed by law.
The School’s staff are required to respect the confidentiality of students’ and parents’ personal information and the privacy of individuals.
The School has in place steps to protect the personal information the School holds from misuse, interference and loss, unauthorised access, modification or disclosure by use of various methods including locked storage of paper records and password access rights to computerised records.
In the event of a serious data breach (Notifiable Data Breach (NDB)), the School must follow the required steps. This includes completion of a risk assessment, preparation of a statement of prescribed information (see ‘OAIC Notifiable Data Breach statement – Form’), submit the statement to OAIC and contact affected individuals within 30 days.
Under the Commonwealth Privacy Act and the Health Records Act, an individual has the right to seek and obtain access to any personal information which the School holds about them and to advise the School of any perceived inaccuracy. Students will generally be able to access and update their personal information through their parents, but older students may seek access and correction themselves.
There are some exceptions to these rights set out in the applicable legislation.
To make a request to access or update any personal information the School holds about you or your child, please contact the School Privacy Officer in writing. The School may require you to verify your identity and specify what information you require. The School may charge a fee to cover the cost of verifying your application and locating, retrieving, reviewing and copying any material requested. If the information sought is extensive, the School will advise the likely cost in advance. If we cannot provide you with access to that information, we will provide you with written notice explaining the reasons for refusal (unless, in light of the grounds for refusing, it would be unreasonable to provide reasons).
The School respects every parent’s right to make decisions concerning their child’s education.
Generally, the School will refer any requests for consent and notices in relation to the personal information of a student to the student’s parents. The School will treat consent given by parents as consent given on behalf of the student, and notice to parents will act as notice given to the student.
As mentioned above, parents may seek access to personal information held by the School about them or their child by contacting the School Privacy Officer by telephone or in writing. However, there will be occasions when access is denied. Such occasions would include where release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of the School’s duty of care to the student.
The School may, at its discretion, on the request of a student grant that student access to information held by the School about them, or allow a student to give or withhold consent to the use of their personal information, independently of their parents. This would normally be done only when the maturity of the student and/or the student’s personal circumstances are so warranted.
If you would like further information about the way the School manages the personal information it holds, or wish to complain that you believe that the School has breached the Australian Privacy Principles, please contact the Privacy Officer (firstname.lastname@example.org). The School will investigate any complaint and will notify you of the making of a decision in relation to your complaint as soon as is practicable after it has been made.
Prepared by / sourced from:
National Catholic Education Commission and
National Council of Independent Schools’ Association
Approved by: Senior Executive
Date Approved: May 2023
Monitored by: Compliance Officer
Reviewed by: Compliance and Privacy Officer
Date for next review: May 2025