Privacy Policy


Updated—July 2023

1. Purpose

The Privacy Act 1988 (Privacy Act) regulates how the School collects, stores, provides access to, uses and discloses personal information. This Privacy Policy (the Policy) outlines the process for dealing with personal information in accordance with the Privacy Act.

2. Scope

This Policy applies to all board members, staff, students, parents/guardians, contractors, volunteers and visitors to the School.

3. Policy Statement

The School is committed to protecting privacy in accordance with the Australian Privacy Principles (APP) contained in the Privacy Act and, as such, this Policy outlines how the School uses and manages personal information provided to, or collected by, the School.

This Policy is based on the following principles:

  • the School supports responsible and transparent handling of personal information
  • the School respects an individual’s right to know how their personal information will be collected, used, disclosed, stored and disposed of
  • adequate privacy protection is a necessary condition of the School’s use of online communication and transactions.

Personal information will be collected, stored, used and disclosed in accordance with the procedures outlined in Appendix A.

4. Roles and Responsibilities

4.1 Principal (or authorised delegate)

The Principal (or authorised delegate) is responsible for:

  • ensuring implementation of this Policy and communication to staff, parents, students and the wider community
  • ensuring all privacy complaints and breaches are addressed in a timely manner
  • initiating and authorising investigations into privacy complaints and breaches, if necessary.

4.2 Chief Financial Officer (CFO)

The CFO is responsible for:

  • ensuring management of requests for information in line with the Privacy Act and this Policy
  • ensuring information is securely stored, and a register of complaints and concerns is maintained, kept confidential and only shared with relevant parties
  • investigating complaints/breaches when requested by the Principal (or authorised delegate).

4.3 Risk and Compliance Officer

The Risk and Compliance Advisor is responsible for investigating complaints/breaches when requested by the Principal (or authorised delegate).

5. Review and Monitoring

This policy shall be reviewed every three years, or in the event of any information, incident, legislative changes or organisational practice that would demonstrate the need for a review.

6. Definitions

Privacy complaint: a complaint by an individual about an act or practice of the School, in relation to the individual’s personal information, which is a breach of the School’s obligations under the Privacy Act 1988.

Personal information: any information that can identify a person or that can reasonably enable their identification. This information could include information such as their name, postal or email address, date of birth or financial details.

Sensitive information: information about a person’s religious and political beliefs, sexual preferences, racial or ethnic origin, membership of political associations, philosophical beliefs, criminal record or health information.

7. Related Documents

7.1 Relevant legislation

Privacy Act 1988

Child Protection Act 1999 (Qld)

7.2 Relevant school policies

Code of Conduct

These procedures set out how the School intends to comply with its obligations under the Privacy Act 1988.

1. Type of Information Collected

The School collects and holds information about:

  • students and parents and/or guardians before, during and after the course of a student’s enrolment at the School
  • job applicants, staff members, volunteers and contractors
  • other people who come into contact with the School.

The School will generally collect personal information about an individual by way of forms filled out in person, online via email or the website, and telephone calls. In some circumstances, the School may be provided with personal information about an individual from a third party—for example, a medical report or school reference.

2. Collection of Personal Information

The School collects personal information from individuals and third parties to discharge its functions, including teaching and research, and student and staff administration.

Only personal information that is necessary for a lawful function or activity of the School is to be collected.

Personal information is to be collected in a way that is lawful, fair and not unreasonably intrusive to the privacy of the individual concerned. When collecting the information, the School will take reasonable steps to ensure that the information is accurate and complete.

Where it is reasonable and practicable to do so, personal information is to be collected directly from the individual concerned rather than from a third party. This ensures that the information is accurate, and the person to whom the information relates is aware of the collection.

When collecting information from the individual, the School will take reasonable steps to inform the person:

  • why the information is being collected and how it is intended to be used
  • the School’s authority to collect the information
  • any third parties to whom the School routinely gives the kind of information requested.

If a person decides not to provide requested information, it may not be possible for the School to provide the person with the services they require based upon their relationship to the School. In this circumstance, the person may be informed of the consequences of the information not being provided.

3. Exception in relation to Employee Records

Under the Privacy Act, the Australian Privacy Principles (APP) do not apply to an employee record. As a result, this Privacy Policy does not apply to the School’s treatment of an employee record, where the treatment is directly related to a current or former employment relationship between the School and the employee.

4. Security of Personal Information

Personal information in the possession or under the control of the School will be held securely, and will be protected from unauthorised access, use, modification and disclosure by such security mechanisms as are appropriate in the circumstances.

In determining the most appropriate security mechanisms, regard will be given to the following considerations:

  • the sensitivity of the information
  • the vulnerability of the information to misuse
  • the form of the information (e.g. hardcopy, electronic, photographic images)
  • the possible consequences for the person to whom the information relates if there is misuse of the information
  • the availability of processes and mechanisms within the School for the protection of the information.

Access to personal information is to be restricted to those persons who have a legitimate need to know the information. Appropriate arrangements should be put in place at management level to ensure that access to computerised records is granted only to staff requiring such access in the course of their duties. Where a staff member leaves the School, or no longer requires access to particular records, their access to those records should be immediately terminated.

Staff members are to take reasonable precautions to ensure that personal information obtained during the course of their duties is not disclosed, either deliberately or inadvertently, to persons who do not have a legitimate need to know the information. Paper-based records should not be left where they may be accessed by unauthorised persons.

Records containing personal information should be filed securely in appropriately classified files.

5. Use of Personal Information

The School uses personal information concerning staff, students and third parties in conducting its business activities. Only that personal information which is relevant to the proposed activity or function will be used. Before using the information, reasonable steps will be taken to ensure that the information is accurate and complete.

Subject to the Privacy Act, personal information about an individual collected for a particular purpose is not to be used for another purpose. The exceptions are where:

  • the individual consents to the information being used for the other purpose
  • the proposed use is necessary to prevent or lessen a serious threat to life, health, safety or welfare of the individual or the public generally
  • the proposed use is authorised or required by law
  • the proposed use is necessary for the enforcement of the law
  • the purpose for which the information is to be used is directly related to the original purpose for which the information was collected
  • the proposed use is necessary for research in the public interest (the information is to be deidentified before publication) and it is not practicable to seek the consent of the individual concerned.

Where information is used for a purpose for which it was not collected, a notation is to be made on the relevant record of this use.

5.1 Students, Parents and Guardians

In relation to personal information of students and parents/guardians, the School’s primary purpose of collection is to enable the School to provide education for the student. This includes satisfying the needs of both parents/guardians and students throughout the application period and the whole period the student is enrolled at the School.

The purposes for which the School uses personal information of students and parents/guardians include:

  • correspondence with parents/guardians to keep parents/guardians informed about matters related to their child’s schooling (including student’s progress reports)
  • publication of School newsletters, magazines and articles on the website
  • day-to-day administration
  • supporting students’ educational, social and medical wellbeing (including disclosing students’ personal information and health information to medical practitioners in an emergency)
  • to request any previous school the student attended provide confirmation that all fees associated with schooling have been paid in full
  • the collection of debts owed to the School
  • seeking donations and other fundraising activities for the School.

The School may publish the contact details of parents/guardians in a class list and School directory if consent is provided. If parents do not consent to their contact details being published in a class list and/or School directory, they must notify the School.

5.2 Job applicants, staff members and contractors

In relation to personal information of job applicants, staff members and contractors, the School’s primary purpose of collection is to assess and (if successful) to employ the applicant, staff member or contractor, as the case may be.

The purposes for which the School uses personal information of job applicants, staff members and contractors include:

  • in administering the individual’s employment or contract, as the case may be
  • for insurance purposes
  • seeking funds and marketing the School
  • to satisfy the School’s legal requirements.

5.3 Volunteers

The School also obtains personal information about volunteers who assist the School in its functions or associated activities, such as alumnae associations and parent/guardian support groups to enable the School and the volunteers to work together.

5.4 Marketing and Fundraising

The School treats marketing and seeking donations for the future growth and development of the School as an important part of ensuring the School continues to be a quality learning environment.

Personal information held by the School may be disclosed to an organisation that assists in the School’s fundraising and marketing, for example, the School’s alumnae organisation.

Parents, staff, contractors and other members of the wider School community may receive fundraising information and school publications, like newsletters and magazines.

If they do not wish to receive any such information, they should advise the School via: phone on 07 3332 1300 or by email to communications@bggs.qld.edu.au.

Upon receiving communication that they do not wish to receive this information, the School will stop sending such information. They will however continue to receive official School communication.

6. Anonymity and consequences of not providing personal information

If it is lawful and practicable to do so, the School may offer the opportunity of dealing with us anonymously or by using a pseudonym. For example, when making a general inquiry about the School.

However, it is not possible for the School to enrol or continue the enrolment of a student or provide education for the student if the student or her parents/guardians wish to interact anonymously or using a pseudonym.

7. Disclosure of personal information

The School may disclose personal information, possibly including sensitive information, held about an individual for educational, legal, administrative, marketing and support purposes. This may include to:

  • another school
  • government departments
  • medical practitioners
  • assessment and educational authorities
  • people providing services to the School, including specialist visiting teachers and sports coaches
  • recipients of school publications, like newsletters and magazines
  • parents or guardians
  • anyone to whom the School is authorised to disclose information
  • anyone to whom the School is required or authorised to disclose the information to by law, including child protection laws.

8. Disclosure of information overseas

The School may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange. However, the School will not send personal information about an individual outside Australia without:

  • obtaining the consent of the individual (in some cases this consent will be implied)
  • otherwise complying with the Australian Privacy Principles (APP) or other applicable privacy legislation.

9. Updating personal information

It is important that personal information the School collects is accurate and complete. During the course of our relationship with members of the School community, they will be asked to keep the School informed of any changes to personal information. They can contact the School at any time to update personal information held by the School.

The School will destroy or de-identify any personal information that is no longer required by the School for any purpose for which we may use or disclose it, unless we are required by Australian law or a court order to retain it.

10. Checking of personal information

Under the Privacy Act, an individual has the right to obtain access to any personal information that the School holds about them and to advise the School of any perceived inaccuracy. There are some exceptions to this right set out in the Act. Students will generally have access to their personal information through their parents, but older students (over 18 years of age) may seek access themselves.

All requests to access any information the School holds must be made to the Principal in writing.

The School may be required to verify the persons’ identity and specify what information they require. The School may charge a fee to cover the cost of verifying the application, locating, retrieving, reviewing and copying any material requested. If the information sought is extensive, the School will advise the likely cost in advance.

The School will seek to handle all requests for access to personal information as quickly as possible.

11. Privacy complaints

If an individual believes that their privacy has been breached, a complaint may be made in writing to the School in the following ways:

To enable such a complaint to be properly investigated, it should identify the person whose privacy appears to have been breached. An investigation will be conducted in consultation with the relevant Head of Faculty/Department and the School will respond in writing.

If the complaint is not resolved to the individual’s satisfaction, and more than 45 business days have passed since the complaint was made to the School, the individual may lodge a complaint with the Office of the Information Commissioner. If the person lodging the complaint has any queries about how to do so, they can contact the Office of the Australian Information Commissioner by telephoning 1300 363 992.

12. Changes to this Privacy Policy

The School may, from time to time, review and update this Privacy Policy to reflect new laws and technology, changes to the School’s operations and practices, and to make sure it remains appropriate to the changing environment of the School.

If the School changes its Privacy Policy, it will place an updated version on the website: www.bggs.qld.edu.au.

13. Privacy Breaches

All staff are responsible for reporting any breaches of this Policy to the Head of their Faculty or Department, or to a member of the Executive Management team, as soon as practicable after the breach has been identified. Following notification, management will:

  • for minor breaches of the Policy: liaise with the relevant Head of Faculty or Department on the necessary actions required to prevent a similar breach from occurring
  • for major breaches of the Policy: instigate an investigation into the breach.

The Chief Financial Officer must be informed of breaches of this policy or procedure and any actions arising out of any investigations.

A breach of this Policy or procedure may, depending on the circumstances, constitute a breach of the School’s Code of Conduct.

14. Notifiable Data Breach

In adherence with the Privacy Act, under the Notifiable Data Breach scheme, it is mandatory for the School to report all eligible data breaches to the Office of the Australian Information Commissioner (OAIC).

An eligible data breach will occur if:

  • there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by the School
  • a reasonable person would conclude that the access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates.

If the School has reasonable grounds to believe that a data breach has occurred in these circumstances, it must notify the OAIC and the affected individuals of the breach.

The School’s Data Breach Response Plan outlines the steps that must be followed if a data breach occurs or is suspected to have occurred.