鶹ƽ

Information Privacy Policy

Information Privacy Policy

Policy Name

Information Privacy Policy

Reviewed/Endorsed by:

Executive/Board

Reviewed: Next Review:

July 2022, November 2023

2024

Statement of Context

鶹ƽ (the School) is committed to protecting the privacy of individuals. The School supports and endorses the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Privacy Act) and will only collect, use, disclose, and store personal information in accordance with these principles. The School will also comply with the requirements of the Health Records Act 2001 (Vic) (Health Records Act).

The School is required under the Privacy Act to have a clearly expressed and up‐to‐ date privacy policy about how the School manages personal information. This policy outlines how the School will comply with its obligations under the Privacy Act and the Health Records Act. The School will ensure that this policy is made available on the School's website.

Related policies, documents and legislation

Australian Privacy Principles under the Privacy Act 1988 (Cth)

Health Records Act 2001

ISV Privacy Manual

YVG Complaints and Grievances Policy 

YVG Child Protection Policy

Definitions

Media means photography, video or audio footage

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • a) whether the information or opinion is true or not; and
  • b) whether the information or opinion is recorded in a material form or not.

Sensitive information is a special category of personal information. Sensitive information means:

  • information or an opinion about an individual’s (i) racial or ethnic origin, (ii) political opinions, (iii) membership of a political association, (iv) religious beliefs or affiliations, (v) philosophical beliefs, (vi) membership of a professional or trade association, (vii) membership of a trade union, (viii) sexual orientation or practices, (ix) criminal record, that is also personal information;
  • health information about an individual,
  • genetic information about an individual that is not otherwise health information;
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
  • e) biometric templates.


What type of personal information does the School collect?

The type of information that the School collects and holds will depend on the nature of a person’s involvement with the School.

Depending on the reason for collecting the personal information, the personal information collected by the School may include (but is not limited to) name, residential address, email address, fax number, phone number, current employment information, Medicare and private health insurance details, superannuation fund details, personal relationships with others, next of kin details, images (including digital images for internal identification purposes), date of birth, bank account details, academic results, qualifications and Media footage of students.

The School may also collect sensitive information from a person including health information, working with children checks and police record checks.

A person is not required to provide the personal information and/or sensitive information requested by the School, however if a person chooses not to provide information as requested, it may not be practicable for the School to service the person’s needs. For instance, it will not be possible for the School to enrol a person, provide education to a person, or employ a person, if they want to remain anonymous or use a pseudonym.

In circumstances where the School receives unsolicited personal information (meaning, personal information received where the School has taken no active steps to collect the information), the School will usually destroy or de‐identify the information as soon as practicable if it is lawful and reasonable to do so unless the unsolicited personal information is reasonably necessary for, or directly related to, the School’s functions or activities.

How does the School collect personal information?

Administration staff, health centre staff, and contracted third parties (e.g. camp staff) will usually be responsible for collecting personal information from a person.

The School will wherever practicable collect personal information directly from the individual including from hard copy forms, scanned copies of documents and certificates, on‐line applications and uploading of documents, face‐to‐face meetings, email correspondence, social media and other online portals, telephone calls, donations, fee payments, and hard copy mail.

The School may collect personal information from individuals such as staff members, current parents and/or guardians and students, future parents and/or guardians and students, visitors, contractors, volunteers and suppliers.

On occasion, the School may collect personal information from a third party. For example, personal information may be provided to the School by a medical professional.

The School will generally obtain consent from the owner of personal information to collect their personal information. Consent will usually be provided in writing however sometimes it may be provided orally or may be implied through a person’s conduct.

Where consent is required in relation to Media footage obtained of students, parents/guardians consent with be required in some circumstances, students’ consent will also be required.

The School will endeavour to only ask a person for personal information that is reasonably necessary for the activities that the person is seeking to be involved in.

In relation to the collection and disclosure of sensitive information, the School is bound by the APPs, which provide for the circumstances in which disclosure is permitted, or required by law. The School also has a specific consent process which includes a sign off system and permission forms.

The School may also collect information based on how individuals use the School website. The School may use ‘’cookies’’ and other data collection methods to collect information on website activity such as the number of visitors, the number of pages viewed and the internet advertisements which bring visitors to our website. This information is collected to analyse and improve our website, marketing campaigns and to record statistics on web traffic. The School does not use this information to personally identify individuals.

From time to time, the School public website may contain links to other third-party websites outside of 鶹ƽ. 鶹ƽ is not responsible for the information stored, accessed, used or disclosed on such websites and cannot comment on their privacy policies.

How will the School use personal information?

The School may collect, hold, use or disclose a person’s personal information for the following general purposes:

  • a) to identify a person;
  • b) for the purpose for which the personal information was originally collected;
  • c) for a purpose for which a person has consented;
  • d) for any other purpose authorised or required by an Australian law; and
  • e) for any other purpose authorised or required by a court or tribunal.

More specifically, the School may collect, hold, use or disclose a person’s personal information for the following purposes.

Students and Parents/Guardians

In relation to the personal information of students and parents and/or guardians, the School’s primary purpose of collecting the personal information is to enable the School to provide education to the student and fulfil its duty of care owed to the student.

The purpose for which the School uses personal information of students and parents and/or guardians include:

  • a) providing schooling to students;
  • b) correspondence with parents and/or guardians to keep parents and/or guardians informed about matters related to their child’s performance at school;
  • c) publication of newsletters and articles on our website;
  • d) day to day administration;
  • e) looking after a student’s educational, social and medical wellbeing;
  • f) fulfilling its duty of care obligations;
  • g) the collection of debts owed to the School; and
  • h) seeking donations and other fundraising activities for the School.

The School may publish the contact details of parents and/or guardians in a class list and publish images of students and parents and/or guardians in publications, on social media, or in public advertisements. This content will not be provided or published where consent has not been provided. Parents/guardians and/or students can withdraw consent at any time.

Staff members, contractors and Volunteers

In relation to the personal information of prospective and current staff members, contractors and volunteers, the School uses the personal information for purposes including:

a) to enable the School to carry out its recruitment functions;

b) correspond with the person, provide training and professional development;

c) fulfil the terms of any contractual relationship; and

d) ensure that the person can perform their duties to facilitate the education of the students.

    The School may publish the images of staff, contractors and volunteers in publications, on social media, or in public advertisements.

    If a person has any concerns about their personal information being used by the School in any of these ways, the person must notify the School.

    Disclosure of personal information overseas

    The School may disclose personal information to a recipient overseas (for example where the School has outsourced a business activity to an overseas provider) in accordance with the Privacy Act. In such circumstances, the School will take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.

    Otherwise, the School may disclose personal information to a recipient overseas in accordance with the Privacy Act where:

    a) the person has consented to the disclosure;

    b) the School reasonably believes that the overseas recipient is subject to a law or binding scheme that protects the information in a way that is substantially similar to the way the information is protected under the Privacy Act and the APPs; or

    c) the disclosure is required or authorised by an Australian law or a court order.

    Direct marketing

    From time to time, and in support of the School’s future development and growth, the School will send information to parents, prospective parents on waitlists and other people who have consented to receive School communications.

    The School will use a person’s personal information to send marketing information including:

    • the School magazine and newsletters; and
    • information regarding philanthropic and fundraising activities.

    Personal information held by the School may be disclosed to an organisation that assists the School with its marketing.

    If a person does not want to receive any such information, the person can contact the School by email.

    Once the School receives a request to “opt out” from receiving marketing information, the School will cease sending such information.

    How does the School store personal information?

    The School takes all reasonable steps to protect personal information under its control from misuse, interference and loss and from unauthorised access, modification or disclosure.

    The School protects personal information in a number of ways including:

    • a) securely storing paper records;
    • b) firewalls;
    • c) password restricted access to computerised records;
    • d) routine security risk assessments; and
    • e) internal policies in relation to access to personal information.

    In order to be able to respond in the unlikely event of a data breach, the School also has procedures in place for complying with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. This scheme was introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017, and required compliance since February 2018. As required by the scheme, the School is able to undertake a reasonable and expeditious assessment of any suspected data breach as per the Notifiable data breach section in this policy and the .

    How long will the School keep personal information?

    Under our destruction and de‐identification processes, if a person’s personal information is no longer required, the personal information will be de‐identified or destroyed.

    How a person can update their personal information?

    The School is committed to holding accurate and up‐to‐date personal information. To ensure the quality and accuracy of the personal information held by the School, parents and/or guardians are asked to confirm their personal details and the personal details of their child on an annual basis and prior to school camps and excursions. 

    A person may contact the School at any time to update their personal information held by the School. 

    The School will destroy or de‐identify any personal information which is no longer required by the School for any purpose for which the School may use or disclose it, unless the School is required by law or under an Australian law or a court order to retain it.

    How a person can access personal information?

    If a person wishes to access personal information held about themselves or about a student for which they are a parent or guardian in order to seek correction of such information they may do so by contacting the Corporate Services Manager. 

    In accordance with the Privacy Act, the School may refuse access to personal information in a number of circumstances including where giving access to the information would pose a serious threat to the life, health or safety of a person, giving access would have an unreasonable impact on the privacy of a person, the information relates to existing or anticipated legal proceedings and would not be available under the discovery process, or denying access is required or authorised by an Australian law or court order.

    The School will seek to handle all requests for access to personal information as quickly as possible.

    Nationally Consistent Collection of Data (NCCD) on School Students with Disability

    The School is required by the Federal Australian Education Regulation 2013 (the Regulation) to provide certain information under the NCCD on students with a disability. Under the NCCD, the following information is required for each student with a disability: 

    • level of education (i.e. primary or secondary); 
    • category of disability (i.e. physical, cognitive, sensory or social/emotional);
    • level of adjustment (i.e. support provided within quality differentiated teaching practice, supplementary, substantial or extensive adjustment).

    Student information provided for the purpose of the NCCD does not explicitly identify any student. However, the School may disclose students’ names to enable financial modelling about funding for particular students, including ongoing evaluation of the adequacy of the funding for individual students under the NCCD.

    Sending information overseas

    The School may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange or for overseas tours. However, the School will not send personal information about an individual outside Australia without:
    • obtaining the consent of the individual (in some cases this consent will be implied)
    • otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.

    The School may also store personal information in the 'cloud' which means that information is held on the servers or third party cloud service providers engaged by the School. Some personal information may be collected and processed or stored by these providers. These servers may be situated in or outside Australia.

    The School makes reasonable efforts to be satisfied about the security of any personal information collected, processed and stored in or outside Australia.

    Notifiable data breach

    A reportable major or serious data breach is one that is likely to result in serious harm to any of the affected individuals. Serious harm can include physical, psychological, emotional, financial, or reputational harm. Under the Notifiable Data Breach Scheme, such breaches must be reported to the Office of the Australian Information Commissioner (OAIC).

    The OAIC does not need to be notified about data breach that does not have the potential to cause serious harm.

    If the School suspects or believes that an eligible data breach has occurred, the School will conduct a risk assessment of the relevant factors, as promptly as practicable, to determine if an eligible breach occurred, and take all reasonable steps to complete this assessment within 30 days of becoming aware of the breach. Examples of data breaches causing serious harm include:

    • Loss or theft of a School laptop or other electronic device containing the personal information of students or staff;
    • Hacking of a database containing personal information;
    • Loss of hard copy private confidential information;
    • Mistaken provision of personal information to the wrong person.

    When there is a suspected data breach reported, the School will enact the Data Breach Response Plan.

    When a data breach has been identified as eligible, the School will:

    • Prepare and submit a statement to the OAIC in the as soon as practicable after becoming aware of the eligible data breach;
    • Take reasonable steps, in the circumstances, to contact all affected individuals directly, or
    • If direct contact is not practicable, contact affected individuals indirectly by publishing information on the school’s website or other publicly available forum;
    • Review internal processes to identify any weaknesses to address to avoid the breach to happen again.

    Complaints

    Complaints about a breach of the APPs must be made in writing and according to the School’s Complaints and Grievances Policy, available at .The School will investigate any complaint and will notify the complainant, in writing, of any decision in relation to the complaint as soon as practicable.

    If a complainant is not satisfied with the response they can refer the complaint to the Office of the Australian Information Commissioner.

    Please wait...