1. Introduction

The St Michael’s Grammar School Privacy Policy (‘Privacy Policy’) sets out the handling practices of your personal information by St Michael’s Grammar School (‘the School’).

This Policy may be reviewed and updated from time to time to ensure it remains appropriate to the changes in the School’s environment and in line with legislation.

All personal information collected, held and stored by the School will be managed in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The APPs provide guidelines for how personal information can be obtained, securely managed and disclosed to external parties and the person to whom the information relates.

Exception in relation to employee records

The handling of employee records held by the School, which relate to a specific employee/former employee, will be exempt from the Privacy Act 1988 (Cth) and APPs, provided the handling is directly related to the current or former employment relationship between the School and the specific employee/former employee. Accordingly, the School may handle employee records otherwise than in accordance with this policy.

2. Who do we collect personal information from?

The School collects personal information about students and parents/guardians before, during and after the course of a student’s enrolment at the School; about other members of the School Community, including staff members, contractors and volunteers; and about other persons such as job applicants and visitors to the School, where it is reasonably necessary for the School’s functions and activities.

3. Kinds of personal information collected and held

The kinds of information the School collects and holds include, but are not limited to, personal information, including sensitive and health information.

4. How personal information is collected and held

Personal information you provide

The School will generally collect any personal information held about an individual from that individual by way of forms, emails and letters submitted by parents/guardians or students, in face-to-face meetings and interviews, via ‘My Family Pages’, the School’s secure portal within SchoL, or over the telephone.

Personal information provided by other people

The School may also collect personal information about an individual from other individuals if it is unreasonable or impracticable for the School to collect personal information only from the individual (e.g. a personal reference).

Security of personal information

At all times the School aims to ensure that the personal information provided is kept secure and in the strictest confidence. The School takes reasonable steps to protect the information it holds from misuse, interference, loss, and unauthorised access, modification or disclosure. These include locked storage of paper records, security certificates and extended validation procedures for electronic records.

The School will also take reasonable steps to destroy personal information or ensure it is de-identified if it no longer needs the information for any purpose for which it may have been used or disclosed.

5. Purposes for which the School collects, holds, uses and discloses personal information

The School may only solicit and collect personal information that is reasonably necessary for one or more of its functions or activities (known as the ‘primary purpose’) or for a related secondary purpose that would be reasonably expected by you, or to which you have consented.

In regard to sensitive information (including health information) the individual must, in all circumstances, consent to the collection of the information (including for a primary purpose).

The School may use and/or disclose personal information for the purpose of providing quality educational services. This will include, but is not limited to, the following:

In using or disclosing personal information the School can only do so for:

The School may disclose personal information for the above outlined purposes, including sensitive information and health information held about a person to individuals or entities as required including but not limited to:

Where possible, the School seeks to be satisfied that these other organisations and people are also privacy compliant.

6. Accessing and seeking correction of personal information

The School takes reasonable steps to ensure the personal information it collects and discloses is accurate, up to date, complete, relevant and not misleading.

If you know that information held by the School has changed please contact the School.

For current students and their parents/guardians, important personal and confidential information can be accessed and corrected through the secure online portal ‘My Family Pages’. Otherwise you can contact the School to inform the School of any corrections that may be required.

The School, on written request by an individual, will provide that person with access to any personal information held about them, except in limited circumstances where applicable grounds exist.

The School can refuse to give access to information in circumstances including, but not limited to, the following:

Where such grounds or other applicable grounds exist, the School will notify the individual and provide the reasons for the decision and the mechanisms available to complain about the refusal.

The School may require an individual to verify their identity before providing the information.

7. Student information and parent access

The Privacy Act sets no minimum age at which an individual can make their own decisions with respect to their personal information. As such, the School takes the view that in most circumstances, notifications provided to parents/guardians will act as notifications to the students and consents received from parents/guardians will act as consents given by students.

However, in certain circumstances it will be appropriate to obtain consent for collection or use of information directly from the student or to deny parents/guardians access to information relating to their children in compliance with the School’s duty of care to the student.

8. Data breaches

The Privacy Act provides for the Notifiable Data Breaches Scheme, under which the School is required to notify the Australian Information Commissioner and impacted members of the School community “as soon as practicable” after becoming aware that an eligible data breach has occurred.

For a data breach to be eligible and therefore require notification, the following criteria must all be satisfied:

  1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that the School holds;
  2. this is likely to result in serious harm to one or more individuals; and
  3. the School has not been able to prevent the likely risk of serious harm with remedial action.

For serious harm to have occurred to an individual, the data breach would normally involve serious physical, psychological, emotional, financial, or reputational harm.

If the School has taken remedial action after a breach has occurred that means it’s unlikely the incident will result in serious harm to affected individuals, the School will not be required to report the incident.

In cases where the School suspects a data breach has occurred, it will undertake an assessment into the circumstances within 30 days to ascertain whether or not it has actually occurred, and therefore whether it needs to notify.

There are significant penalties applying to both individuals and organisations for a failure to comply with the notification rules.

In accordance with the School’s Data Breach Response Plan any suspected and known breaches should be advised immediately to a panel consisting of the Head of the School, Director of Business, Director of Learning Technologies & ICT and the Risk and Compliance Manager via an email to the ndb@stmichaels.vic.edu.au Inbox.

9. Disclosing personal information to overseas recipients

The School may disclose personal information about a person to an overseas recipient, for example to facilitate a student exchange or when organising an overseas excursion.

The School will not send personal information about a person outside Australia without:

10. Enquiries or Privacy Complaints

Should you have any questions in relation to the St Michael’s Grammar School Privacy Policy or wish to make a complaint if you believe the School has breached an Australian Privacy Principle, please contact the Risk and Compliance Manager.

The School will investigate all complaints received in writing and provide a response within 30 days of receiving the complaint. If you are not satisfied with the outcome offered by the School, you may make a complaint to the Office of the Australian Information Officer.