This Policy applies to all board members, staff, students, parents/guardians, contractors, volunteers and visitors to the School.
The School is committed to protecting privacy in accordance with the Australian Privacy Principles (APP) contained in the Privacy Act and, as such, this Policy outlines how the School uses and manages personal information provided to, or collected by, the School.
This Policy is based on the following principles:
Personal information will be collected, stored, used and disclosed in accordance with the procedures outlined in Appendix A.
The Principal (or authorised delegate) is responsible for:
The CFO is responsible for:
The Risk and Compliance Advisor is responsible for investigating complaints/breaches when requested by the Principal (or authorised delegate).
This policy shall be reviewed every three years, or in the event of any information, incident, legislative changes or organisational practice that would demonstrate the need for a review.
Privacy complaint: a complaint by an individual about an act or practice of the School, in relation to the individual’s personal information, which is a breach of the School’s obligations under the Privacy Act 1988.
Personal information: any information that can identify a person or that can reasonably enable their identification. This information could include information such as their name, postal or email address, date of birth or financial details.
Sensitive information: information about a person’s religious and political beliefs, sexual preferences, racial or ethnic origin, membership of political associations, philosophical beliefs, criminal record or health information.
Privacy Act 1988
Child Protection Act 1999 (Qld)
Code of Conduct
These procedures set out how the School intends to comply with its obligations under the Privacy Act 1988.
The School collects and holds information about:
The School will generally collect personal information about an individual by way of forms filled out in person, online via email or the website, and telephone calls. In some circumstances, the School may be provided with personal information about an individual from a third party—for example, a medical report or school reference.
The School collects personal information from individuals and third parties to discharge its functions, including teaching and research, and student and staff administration.
Only personal information that is necessary for a lawful function or activity of the School is to be collected.
Personal information is to be collected in a way that is lawful, fair and not unreasonably intrusive to the privacy of the individual concerned. When collecting the information, the School will take reasonable steps to ensure that the information is accurate and complete.
Where it is reasonable and practicable to do so, personal information is to be collected directly from the individual concerned rather than from a third party. This ensures that the information is accurate, and the person to whom the information relates is aware of the collection.
When collecting information from the individual, the School will take reasonable steps to inform the person:
If a person decides not to provide requested information, it may not be possible for the School to provide the person with the services they require based upon their relationship to the School. In this circumstance, the person may be informed of the consequences of the information not being provided.
Personal information in the possession or under the control of the School will be held securely, and will be protected from unauthorised access, use, modification and disclosure by such security mechanisms as are appropriate in the circumstances.
In determining the most appropriate security mechanisms, regard will be given to the following considerations:
Access to personal information is to be restricted to those persons who have a legitimate need to know the information. Appropriate arrangements should be put in place at management level to ensure that access to computerised records is granted only to staff requiring such access in the course of their duties. Where a staff member leaves the School, or no longer requires access to particular records, their access to those records should be immediately terminated.
Staff members are to take reasonable precautions to ensure that personal information obtained during the course of their duties is not disclosed, either deliberately or inadvertently, to persons who do not have a legitimate need to know the information. Paper-based records should not be left where they may be accessed by unauthorised persons.
Records containing personal information should be filed securely in appropriately classified files.
The School uses personal information concerning staff, students and third parties in conducting its business activities. Only that personal information which is relevant to the proposed activity or function will be used. Before using the information, reasonable steps will be taken to ensure that the information is accurate and complete.
Subject to the Privacy Act, personal information about an individual collected for a particular purpose is not to be used for another purpose. The exceptions are where:
Where information is used for a purpose for which it was not collected, a notation is to be made on the relevant record of this use.
In relation to personal information of students and parents/guardians, the School’s primary purpose of collection is to enable the School to provide education for the student. This includes satisfying the needs of both parents/guardians and students throughout the application period and the whole period the student is enrolled at the School.
The purposes for which the School uses personal information of students and parents/guardians include:
The School may publish the contact details of parents/guardians in a class list and School directory if consent is provided. If parents do not consent to their contact details being published in a class list and/or School directory, they must notify the School.
In relation to personal information of job applicants, staff members and contractors, the School’s primary purpose of collection is to assess and (if successful) to employ the applicant, staff member or contractor, as the case may be.
The purposes for which the School uses personal information of job applicants, staff members and contractors include:
The School also obtains personal information about volunteers who assist the School in its functions or associated activities, such as alumnae associations and parent/guardian support groups to enable the School and the volunteers to work together.
The School treats marketing and seeking donations for the future growth and development of the School as an important part of ensuring the School continues to be a quality learning environment.
Personal information held by the School may be disclosed to an organisation that assists in the School’s fundraising and marketing, for example, the School’s alumnae organisation.
Parents, staff, contractors and other members of the wider School community may receive fundraising information and school publications, like newsletters and magazines.
If they do not wish to receive any such information, they should advise the School via: phone on 07 3332 1300 or by email to email@example.com.
Upon receiving communication that they do not wish to receive this information, the School will stop sending such information. They will however continue to receive official School communication.
If it is lawful and practicable to do so, the School may offer the opportunity of dealing with us anonymously or by using a pseudonym. For example, when making a general inquiry about the School.
However, it is not possible for the School to enrol or continue the enrolment of a student or provide education for the student if the student or her parents/guardians wish to interact anonymously or using a pseudonym.
The School may disclose personal information, possibly including sensitive information, held about an individual for educational, legal, administrative, marketing and support purposes. This may include to:
The School may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange. However, the School will not send personal information about an individual outside Australia without:
It is important that personal information the School collects is accurate and complete. During the course of our relationship with members of the School community, they will be asked to keep the School informed of any changes to personal information. They can contact the School at any time to update personal information held by the School.
The School will destroy or de-identify any personal information that is no longer required by the School for any purpose for which we may use or disclose it, unless we are required by Australian law or a court order to retain it.
Under the Privacy Act, an individual has the right to obtain access to any personal information that the School holds about them and to advise the School of any perceived inaccuracy. There are some exceptions to this right set out in the Act. Students will generally have access to their personal information through their parents, but older students (over 18 years of age) may seek access themselves.
All requests to access any information the School holds must be made to the Principal in writing.
The School may be required to verify the persons’ identity and specify what information they require. The School may charge a fee to cover the cost of verifying the application, locating, retrieving, reviewing and copying any material requested. If the information sought is extensive, the School will advise the likely cost in advance.
The School will seek to handle all requests for access to personal information as quickly as possible.
If an individual believes that their privacy has been breached, a complaint may be made in writing to the School in the following ways:
To enable such a complaint to be properly investigated, it should identify the person whose privacy appears to have been breached. An investigation will be conducted in consultation with the relevant Head of Faculty/Department and the School will respond in writing.
If the complaint is not resolved to the individual’s satisfaction, and more than 45 business days have passed since the complaint was made to the School, the individual may lodge a complaint with the Office of the Information Commissioner. If the person lodging the complaint has any queries about how to do so, they can contact the Office of the Australian Information Commissioner by telephoning 1300 363 992.
All staff are responsible for reporting any breaches of this Policy to the Head of their Faculty or Department, or to a member of the Executive Management team, as soon as practicable after the breach has been identified. Following notification, management will:
The Chief Financial Officer must be informed of breaches of this policy or procedure and any actions arising out of any investigations.
A breach of this Policy or procedure may, depending on the circumstances, constitute a breach of the School’s Code of Conduct.
In adherence with the Privacy Act, under the Notifiable Data Breach scheme, it is mandatory for the School to report all eligible data breaches to the Office of the Australian Information Commissioner (OAIC).
An eligible data breach will occur if:
If the School has reasonable grounds to believe that a data breach has occurred in these circumstances, it must notify the OAIC and the affected individuals of the breach.
The School’s Data Breach Response Plan outlines the steps that must be followed if a data breach occurs or is suspected to have occurred.