This Policy may be reviewed and updated from time to time to ensure it remains appropriate to the changes in the School’s environment and in line with legislation.
All personal information collected, held and stored by the School will be managed in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The APPs provide guidelines for how personal information can be obtained, securely managed and disclosed to external parties and the person to whom the information relates.
Exception in relation to employee records
The handling of employee records held by the School, which relate to a specific employee/former employee, will be exempt from the Privacy Act 1988 (Cth) and APPs, provided the handling is directly related to the current or former employment relationship between the School and the specific employee/former employee. Accordingly, the School may handle employee records otherwise than in accordance with this policy.
2. Who do we collect personal information from?
The School collects personal information about students and parents/guardians before, during and after the course of a student’s enrolment at the School, other members of the School Community, including staff members, contractors, and volunteers and other persons such as job applicants and visitors to the School where it is reasonably necessary for the School’s functions and activities.
3. Kinds of personal information collected and held
The kinds of information the School collects and holds include, but are not limited to, personal information, including sensitive and health information.
- Personal information includes names, address and contact details, date of birth, emergency contacts, photographic images, attendance records and financial information.
- Sensitive information includes nationality, citizenship/visa status, religion, languages spoken at home, government identifiers, court orders, employment details and school reports.
- Health information includes medical conditions and records, and special needs or learning requirements.
4. How personal information is collected and held
Personal information you provide
The School will generally collect any personal information held about an individual from that individual by way of forms, emails and letters submitted by parents/guardians or students, in face-to-face meetings and interviews, via ‘My Family Pages’, the School’s secure portal within SchoL, or over the telephone.
Personal information provided by other people
The School may also collect personal information about an individual from other individuals if it is unreasonable or impracticable for the School to collect personal information only from the individual (e.g. a personal reference).
Security of personal information
At all times the School aims to ensure that the personal information provided is kept secure and in the strictest confidence. The School takes reasonable steps to protect the information it holds from misuse, interference, loss, and unauthorised access, modification or disclosure. These include locked storage of paper records, security certificates and extended validation procedures for electronic records.
The School will also take reasonable steps to destroy personal information or ensure it is de-identified if it no longer needs the information for any purpose for which it may have been used or disclosed.
5. Purposes for which the School collects, holds, uses and discloses personal information
The School may only solicit and collect personal information that is reasonably necessary for one or more of its functions or activities (known as the ‘primary purpose’) or for a related secondary purpose that would be reasonably expected by you, or to which you have consented.
In regard to sensitive information (including health information) the individual must, in all circumstances, consent to the collection of the information (including for a primary purpose).
The School may use and/or disclose personal information for the purpose of providing quality educational services. This will include, but is not limited to, the following:
- in order to deliver and manage a student’s education at the School and satisfy the needs of parents, guardians and students;
- to satisfy the School’s legal obligations, particularly to enable it to effectively discharge duty of care and to comply with other laws relating to the operation of schools;
- to organise parent activities or assist the School societies in contacting you and in organising parent, student and School activities;
- in School reports and other School correspondence such as newsletters and magazines; and/or
- in other School-related activities reasonable for the continued performance of the School’s functions and activities, including the employment of staff, the engagement of volunteers, marketing and fundraising.
In using or disclosing personal information the School can only do so for:
- the primary purpose for which it was collected; or
- a secondary purpose where:
  - the person has consented; or
  - it is reasonably expected by the person that the School would use or disclose the information and the information is related to the primary purpose of the collection (if the information is sensitive information including health information, it must be directly related to the primary purpose); or
  - a use or disclosure is required or authorised by or under an Australian law or a court/tribunal order; or
  - a permitted general situation exists including lessening or preventing a serious threat to life, health or safety; or
  - a permitted health situation exists; or
  - it is reasonably necessary in the School’s belief for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
The School may disclose personal information for the above outlined purposes, including sensitive information and health information held about a person to individuals or entities as required including but not limited to:
- parents/guardians and/or School community members;
- Class Representatives and School Associations (such as the Parent Community Association (PCA) and Old Michaelians);
- third parties such as other schools, government departments, medical practitioners, publishers and people providing services to the School, such as specialist visiting teachers, sports coaches, the Outdoor Education Group (OEG), volunteers and legal advisors, insurers and auditors in the course of the commercial operations of the School; and/or
- anyone to whom a person has provided consent for the disclosure of information.
Where possible, the School seeks to be satisfied that these other organisations and people are also privacy compliant.
6. Accessing and seeking correction of personal information
The School takes reasonable steps to ensure the personal information it collects and discloses is accurate, up to date, complete, relevant and not misleading.
If you know that information held by the School has changed please contact the School.
For current students and their parents/guardians, important personal and confidential information can be accessed and corrected through the secure online portal ‘My Family Pages’. Otherwise you can contact the School to inform the School of any corrections that may be required.
The School, on written request by an individual, will provide that person with access to any personal information held about them, except in limited circumstances where applicable grounds exist.
The School can refuse to give access to information in circumstances including, but not limited to, the following:
- where giving access would pose a serious threat to the life, health or safety of any individual or to public health or safety; or
- where giving access would have an unreasonable impact on the privacy of other individuals; or
- where denying access is required or authorised by or under Australian law or a court/tribunal order; or
- a request for access is frivolous or vexatious.
Where such grounds or other applicable grounds exist, the School will notify the individual and provide the reasons for the decision and the mechanisms available to complain about the refusal.
The School may require an individual to verify their identity before providing the information.
7. Student information and parent access
The Privacy Act sets no minimum age at which an individual can make their own decisions with respect to their personal information. As such, the School takes the view that in most circumstances, notifications provided to parents/guardians will act as notifications to the students and consents received from parents/guardians will act as consents given by students.
However, in certain circumstances it will be appropriate to obtain consent for collection or use of information directly from the student or to deny parents/guardians access to information relating to their children in compliance with the School’s duty of care to the student.
8. Data breaches
The Privacy Act provides for the Notifiable Data Breaches Scheme, under which the School is required to notify the Australian Information Commissioner and impacted members of the School community “as soon as practicable” after becoming aware that an eligible data breach has occurred.
For a data breach to be eligible and therefore require notification, the following criteria must all be satisfied:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that the School holds;
- this is likely to result in serious harm to one or more individuals; and
- the School has not been able to prevent the likely risk of serious harm with remedial action.
For serious harm to have occurred to an individual, the data breach would normally involve serious physical, psychological, emotional, financial, or reputational harm.
If the School has taken remedial action after a breach has occurred that means it’s unlikely the incident will result in serious harm to affected individuals, the School will not be required to report the incident.
In cases where the School suspects a data breach has occurred, it will undertake an assessment into the circumstances within 30 days to ascertain whether or not it has actually occurred, and therefore whether it needs to notify.
There are significant penalties applying to both individuals and organisations for a failure to comply with the notification rules.
In accordance with the School’s Data Breach Response Plan any suspected and known breaches should be advised immediately to a panel consisting of the Head of the School, Director of Business, Director of Learning Technologies & ICT and the Risk and Compliance Manager via an email to the email@example.com Inbox.
9. Disclosing personal information to overseas recipients
The School may disclose personal information about a person to an overseas recipient, for example to facilitate a student exchange or when organising an overseas excursion.
The School will not send personal information about a person outside Australia without:
- Taking such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs;
- Obtaining the express consent of the person for the disclosure to be made without the School being required to take steps to ensure the recipient does not breach the APPs; or
- The School being satisfied the overseas recipient is subject to a substantially similar law or binding scheme in relation to the information and there are mechanisms that the individual can access to take action to enforce that law or scheme; or
- The School being of the reasonable belief the disclosure will lessen or prevent a serious threat to life, health or safety of any individual and it is unreasonable or impractical to obtain the individual’s consent.
10. Enquiries or Privacy Complaints
The School will investigate all complaints received in writing and provide a response within 30 days of receiving the complaint. If you are not satisfied with the outcome offered by the School, you may make a complaint to the Office of the Australian Information Officer.