Policy Name | Information Privacy Policy |
Reviewed/Endorsed by: | Executive/Board |
Reviewed: | July 2022, November 2023 |
Next Review: | 2024 |
51黑料 (the School) is committed to protecting the privacy of individuals. The School supports and endorses the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (Privacy Act) and will only collect, use, disclose, and store personal information in accordance with these principles. The School will also comply with the requirements of the Health Records Act 2001 (Vic) (Health Records Act).
The School is required under the Privacy Act to have a clearly expressed and up-to-date privacy policy about how the School manages personal information. This policy outlines how the School will comply with its obligations under the Privacy Act and the Health Records Act. The School will ensure that this policy is made available on the School's website.
Australian Privacy Principles under the Privacy Act 1988 (Cth)
Health Records Act 2001
ISV Privacy Manual
YVG Complaints and Grievances Policy
YVG Child Protection Policy
Media means photography, video or audio footage
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
Sensitive information is a special category of personal information. Sensitive information means:
The type of information that the School collects and holds will depend on the nature of a person's involvement with the School.
Depending on the reason for collecting the personal information, the personal information collected by the School may include (but is not limited to) name, residential address, email address, fax number, phone number, current employment information, Medicare and private health insurance details, superannuation fund details, personal relationships with others, next of kin details, images (including digital images for internal identification purposes), date of birth, bank account details, academic results, qualifications and Media footage of students.
The School may also collect sensitive information from a person including health information, working with children checks and police record checks.
A person is not required to provide the personal information and/or sensitive information requested by the School, however if a person chooses not to provide information as requested, it may not be practicable for the School to service the person's needs. For instance, it will not be possible for the School to enrol a person, provide education to a person, or employ a person, if they want to remain anonymous or use a pseudonym.
In circumstances where the School receives unsolicited personal information (meaning, personal information received where the School has taken no active steps to collect the information), the School will usually destroy or de-identify the information as soon as practicable if it is lawful and reasonable to do so unless the unsolicited personal information is reasonably necessary for, or directly related to, the School's functions or activities.
Administration staff, health centre staff, and contracted third parties (e.g. camp staff) will usually be responsible for collecting personal information from a person.
The School will wherever practicable collect personal information directly from the individual including from hard copy forms, scanned copies of documents and certificates, on-line applications and uploading of documents, face-to-face meetings, email correspondence, social media and other online portals, telephone calls, donations, fee payments, and hard copy mail.
The School may collect personal information from individuals such as staff members, current parents and/or guardians and students, future parents and/or guardians and students, visitors, contractors, volunteers and suppliers.
On occasion, the School may collect personal information from a third party. For example, personal information may be provided to the School by a medical professional.
The School will generally obtain consent from the owner of personal information to collect their personal information. Consent will usually be provided in writing however sometimes it may be provided orally or may be implied through a person's conduct.
Where consent is required in relation to Media footage obtained of students, parents/guardians consent will be required in some circumstances, students' consent will also be required.
The School will endeavour to only ask a person for personal information that is reasonably necessary for the activities that the person is seeking to be involved in.
In relation to the collection and disclosure of sensitive information, the School is bound by the APPs, which provide for the circumstances in which disclosure is permitted, or required by law. The School also has a specific consent process which includes a sign off system and permission forms.
The School may also collect information based on how individuals use the School website. The School may use 'cookies' and other data collection methods to collect information on website activity such as the number of visitors, the number of pages viewed and the internet advertisements which bring visitors to our website. This information is collected to analyse and improve our website, marketing campaigns and to record statistics on web traffic. The School does not use this information to personally identify individuals.
From time to time, the School public website may contain links to other third-party websites outside of 51黑料. 51黑料 is not responsible for the information stored, accessed, used or disclosed on such websites and cannot comment on their privacy policies.
The School may collect, hold, use or disclose a person's personal information for the following general purposes:
More specifically, the School may collect, hold, use or disclose a person's personal information for the following purposes.
In relation to the personal information of students and parents and/or guardians, the School's primary purpose of collecting the personal information is to enable the School to provide education to the student and fulfil its duty of care owed to the student.
The purposes for which the School uses personal information of students and parents and/or guardians include:
The School may publish the contact details of parents and/or guardians in a class list and publish images of students and parents and/or guardians in publications, on social media, or in public advertisements. This content will not be provided or published where consent has not been provided. Parents/guardians and/or students can withdraw consent at any time.
In relation to the personal information of prospective and current staff members, contractors and volunteers, the School uses the personal information for purposes including:
a) to enable the School to carry out its recruitment functions;
b) correspond with the person, provide training and professional development;
c) fulfil the terms of any contractual relationship; and
d) ensure that the person can perform their duties to facilitate the education of the students.
The School may publish the images of staff, contractors and volunteers in publications, on social media, or in public advertisements.
If a person has any concerns about their personal information being used by the School in any of these ways, the person must notify the School.
The School may disclose personal information to a recipient overseas (for example where the School has outsourced a business activity to an overseas provider) in accordance with the Privacy Act. In such circumstances, the School will take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information.
Otherwise, the School may disclose personal information to a recipient overseas in accordance with the Privacy Act where:
a) the person has consented to the disclosure;
b) the School reasonably believes that the overseas recipient is subject to a law or binding scheme that protects the information in a way that is substantially similar to the way the information is protected under the Privacy Act and the APPs; or
c) the disclosure is required or authorised by an Australian law or a court order.
From time to time, and in support of the School's future development and growth, the School will send information to parents, prospective parents on waitlists and other people who have consented to receive School communications.
The School will use a person's personal information to send marketing information including:
Personal information held by the School may be disclosed to an organisation that assists the School with its marketing.
If a person does not want to receive any such information, the person can contact the School by email.
Once the School receives a request to "opt out" from receiving marketing information, the School will cease sending such information.
The School takes all reasonable steps to protect personal information under its control from misuse, interference and loss and from unauthorised access, modification or disclosure.
The School protects personal information in a number of ways including:
In order to be able to respond in the unlikely event of a data breach, the School also has procedures in place for complying with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act. This scheme was introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017, and required compliance since February 2018. As required by the scheme, the School is able to undertake a reasonable and expeditious assessment of any suspected data breach as per the Notifiable data breach section in this policy and the .
Under our destruction and de-identification processes, if a person's personal information is no longer required, the personal information will be de-identified or destroyed.
The School is committed to holding accurate and up-to-date personal information. To ensure the quality and accuracy of the personal information held by the School, parents and/or guardians are asked to confirm their personal details and the personal details of their child on an annual basis and prior to school camps and excursions.
A person may contact the School at any time to update their personal information held by the School.
The School will destroy or de-identify any personal information which is no longer required by the School for any purpose for which the School may use or disclose it, unless the School is required by law or under an Australian law or a court order to retain it.
If a person wishes to access personal information held about themselves or about a student for which they are a parent or guardian in order to seek correction of such information they may do so by contacting the Corporate Services Manager.
In accordance with the Privacy Act, the School may refuse access to personal information in a number of circumstances including where giving access to the information would pose a serious threat to the life, health or safety of a person, giving access would have an unreasonable impact on the privacy of a person, the information relates to existing or anticipated legal proceedings and would not be available under the discovery process, or denying access is required or authorised by an Australian law or court order.
The School will seek to handle all requests for access to personal information as quickly as possible.
The School is required by the Federal Australian Education Regulation 2013 (the Regulation) to provide certain information under the NCCD on students with a disability. Under the NCCD, the following information is required for each student with a disability:
• level of education (i.e. primary or secondary);
• category of disability (i.e. physical, cognitive, sensory or social/emotional);
• level of adjustment (i.e. support provided within quality differentiated teaching practice, supplementary, substantial or extensive adjustment).
Student information provided for the purpose of the NCCD does not explicitly identify any student. However, the School may disclose students' names to enable financial modelling about funding for particular students, including ongoing evaluation of the adequacy of the funding for individual students under the NCCD.
The School may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange or for overseas tours. However, the School will not send personal information about an individual outside Australia without:
• obtaining the consent of the individual (in some cases this consent will be implied)
• otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.
The School may also store personal information in the 'cloud' which means that information is held on the servers of third party cloud service providers engaged by the School. Some personal information may be collected and processed or stored by these providers. These servers may be situated in or outside Australia.
The School makes reasonable efforts to be satisfied about the security of any personal information collected, processed and stored in or outside Australia.
A reportable major or serious data breach is one that is likely to result in serious harm to any of the affected individuals. Serious harm can include physical, psychological, emotional, financial, or reputational harm. Under the Notifiable Data Breach Scheme, such breaches must be reported to the Office of the Australian Information Commissioner (OAIC).
The OAIC does not need to be notified about a data breach that does not have the potential to cause serious harm.
If the School suspects or believes that an eligible data breach has occurred, the School will conduct a risk assessment of the relevant factors, as promptly as practicable, to determine if an eligible breach occurred, and take all reasonable steps to complete this assessment within 30 days of becoming aware of the breach. Examples of data breaches causing serious harm include:
• Loss or theft of a School laptop or other electronic device containing the personal information of students or staff;
• Hacking of a database containing personal information;
• Loss of hard copy private confidential information;
• Mistaken provision of personal information to the wrong person.
When there is a suspected data breach reported, the School will enact the Data Breach Response Plan.
When a data breach has been identified as eligible, the School will:
• Prepare and submit a statement to the OAIC in the as soon as practicable after becoming aware of the eligible data breach;
• Take reasonable steps, in the circumstances, to contact all affected individuals directly, or
• If direct contact is not practicable, contact affected individuals indirectly by publishing information on the school's website or other publicly available forum;
• Review internal processes to identify any weaknesses to address to prevent the breach from happening again.
Complaints about a breach of the APPs must be made in writing and according to the School's Complaints and Grievances Policy, available at . The School will investigate any complaint and will notify the complainant, in writing, of any decision in relation to the complaint as soon as practicable.
If a complainant is not satisfied with the response they can refer the complaint to the Office of the Australian Information Commissioner.