This policy addresses how Christ Church Grammar School (the “School”) protects your privacy and complies with the requirements of the Privacy Act 1988 and the 13 Australian Privacy Principles, as well as the requirements of the Health Records and Information Privacy Act and the Health Privacy Principles.
This policy is currently being reviewed.
- Policy number: CCGS-HR-02
- Approval date: December 2017
- Revision due date: December 2020
- Unit responsible: Operations/Human Resources
1. Policy Declaration
The school is committed to providing a working environment that ensures each staff member’s right to privacy and protecting the privacy of personal information which the school collects, holds and administers.
This policy is underpinned by the school’s values of:
- Cherish individuality
- Show respect
- Think globally
- Inspire excellence
- Have faith
This policy applies to all Christ Church Grammar School Teaching and General Staff (and for the purpose of this policy, ‘staff’ includes all salaried staff, all persons who are either contractors or representatives of a corporate contractor, volunteers (including parents), trainees and students participating in work experience).
3. Matters out of Scope of this Policy
4. Meaning of Words
For the purposes of this policy:
• ‘Personal information’ is information which directly or indirectly identifies a person
• ‘Social media’ refers to the use of web-based and mobile technologies to turn communication into interactive dialogue. Social media can take on many different forms and includes, but is not limited to internet forums, weblogs, social blogs, microblogging, wikis, podcasts, photographs or pictures, video, rating and social bookmarking. Social media is distinct from industrial media, such as newspapers, television and film. Social media comprises relatively inexpensive and accessible tools that enable anyone (including private individuals) to publish or access information
• ‘Workplace’ includes all work and training activities the school is involved in, and refers to any of the school’s premises or workplaces during working hours, as well as – extends beyond the physical boundaries – extends beyond the set times of work – includes interaction (whether in person, by telephone or other electronic means or through social media) between staff – includes interaction with other schools, organisations and the public
• ‘SLT’ refers to Senior Leadership Team and includes all members of the Senior Leadership Team
• ‘LT’ refers to Leadership Team and includes all Year Level Coordinators
5. General Principles
The school will adhere to the procedures outlined below.
- Who the school collects information from
- Types of personal information collected and held by the school
- How this information is collected and held
- Purposes for which your personal information is collected, held, used and disclosed
- How the school treats sensitive information
- Marketing and Fundraising
- Management, Storage and Security of Personal Information
- Right to check what personal information the School holds about you
- When the school discloses personal information
- Personal Information of students
- How the school ensures the quality of your personal Information
- How to gain access to or request a change to your personal information the school holds
- Internal/External Avenues for Privacy Complaints/Advice
5.1 Who the school collects personal information from
The school collects personal information from students, prospective students, parents/guardians, prospective parents/guardians, job applicants, staff, volunteers, alumni, contractors, visitors and others that may come into contact with the school. Staff records are not covered by the Australian Privacy Principles or the Health Privacy Principles where they relate to a current or former employment relationship between the school and the staff member.
5.2 Types of personal information collected and held by the school
The kinds of personal information the school collects is largely dependent upon whose information is being collected and why it is being collected, however in general terms the school may collect:
- Personal Information including names, addresses and other contact details, dates of birth, next of kin details, financial information, photographic images, school reports and attendance records
- Sensitive Information (particularly in relation to student and parent/guardian records) including religious beliefs, government identifiers, nationality, country of birth, racial or ethnic origin, languages spoken at home, political, professional or trade association or trade union memberships, political opinions, philosophical beliefs, sexual orientation, family court orders and criminal records
- Health Information (particularly in relation to student and parent/guardian records) including medical records, disabilities, immunisation details, individual health care plans, counselling reports and notes, nutrition and dietary requirements
- Employment Information for job applicants, staff members, volunteers and contractors such as address, tax file numbers, telephone details,next of kin, referees, superannuation
5.3 How this information is collected and held
How the school collects personal information will largely be dependent upon whose information is being collected.
If it is reasonable and practical to do so, the school collects personal information directly from the individual.
Where possible, the school has attempted to standardise the collection of personal information by using specifically designed forms (eg Application for Enrolment form).
Given the nature of its operations, the school often also receives personal information by email, letters, notes, over the telephone, in face to face meetings and interviews, through financial transactions and through surveillance activities such as the use of CCTV security cameras or email monitoring.
The school may also collect personal information from other people (eg a personal reference) or independent sources (eg a telephone directory), however the school will only do so where it is not reasonable and practical to collect the information directly from the individual.
Sometimes the school may be provided with personal information without having sought it through normal means of collection. This is referred to as “unsolicited information”. Where the school collects unsolicited information, that information will only be held, used and/or disclosed if the school could otherwise do so had it been collected by normal means. If that unsolicited information could not have been collected by normal means then the school will destroy, permanently delete or de-identify the information as appropriate.
Personal information provided by other people: in some circumstances, the school may be provided with personal information about an individual from a third party, for example a report provided by a medical professional or a reference from another school.
5.4 Purposes for which personal information is collected, held, used and disclosed
The school only uses personal information that is reasonably necessary for one or more of the school’s functions or activities (the primary purpose) or for a related secondary purpose that would be reasonably expected by you, or to which you have consented.
The school’s primary uses of personal information include, but are not limited to:
- Providing education, pastoral care, extra-curricular and health services to students
- Satisfying legal obligations including duty of care and child protection obligations
- Keeping parents/guardians informed about matters relating to their child’s schooling including reports, newsletters and magazines
- Keeping parents/guardians informed as to school community matters through correspondence, newsletters and magazines
- Marketing, promotional and fundraising activities. The school treats marketing and seeking donations for the future growth and development of the school as an important part of ensuring that the school continues to be a quality-learning environment in which both students and staff thrive. Parents, staff, contractors and other members of the wider school community may from time to time receive fundraising information. School publications, like newsletters and magazines, which include personal information, may be used for marketing purposes.
- Looking after students' educational, social, emotional and medical wellbeing
- Supporting the activities of school associations including the use of website photos/videos, parent portal photos, year books/magazines
- Supporting the activities of the Christ Church Grammar School Foundation
- Supporting community-based causes and activities, charities and other causes in connection with the school’s functions or activities
- Helping to improve day to day operations including training of staff; systems development; developing new programs and services; undertaking planning, research and statistical analysis
- Day to day operations of the school and school administration, including for insurance purposes
- Employment of staff and
- Engagement of volunteers who assist the school in its functions or conduct associated activities
- To satisfy the school's legal obligations and allow it to discharge its duty of care.
The school only collects sensitive information reasonably necessary for one or more of these functions or activities, if the school has the consent of the individuals to whom the sensitive information relates, or if the collection is necessary to lessen or prevent a serious threat to life, health or safety, or another permitted general situation (such as locating a missing person) or permitted health situation (such as the collection of health information to provide a health service) exists.
5.5 How the school treats sensitive information
In referring to “sensitive information”, this means information relating to a person's racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, sexual preferences or criminal record, and health information about an individual.
Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless you agree otherwise, or the use or disclosure of the sensitive information is allowed by law.
5.6 Marketing and Fundraising
The school treats marketing and seeking donations for the future growth and development of the school as an important part of ensuring that the school continues to provide a quality learning environment in which both students and staff thrive.
Personal information held by the school may be disclosed to organisations that assist in the school's fundraising, for example, the Christ Church Grammar School Foundation or external fundraising organisations.
School publications, including newsletters, which may contain personal information, are from time to time used for marketing purposes or used with requests for assistance with fundraising, to parents/guardians, prospective and past parents/guardians, alumni, staff, contractors and other members of the wider school community.
5.7 Management, Storage and Security of Personal Information
Staff are required to respect the confidentiality of students and parents' personal information and the privacy of individuals. This includes staff not using personal devices to photograph children.
The school has in place steps to protect the personal information the school holds from misuse, loss, unauthorised access, modification or disclosure by use of various methods including locked storage of paper records and pass worded access rights to computerised records.
The school stores personal information in a variety of formats including on databases, in hard copy files and on personal devices including laptop computers, mobile phones, cameras and other recording devices.
The security of your personal information is important to the school and the school takes all reasonable steps to protect the personal information it holds about you from misuse, loss, unauthorised access, modification or disclosure.
These steps include:
- Restricting access to information on the school databases on a need to know basis with different levels of security being allocated to staff based on their roles and responsibilities and security profile
- Ensuring staff are aware that they are not to reveal or share personal passwords
- Ensuring where sensitive and health information is stored in hard copy files that these files are stored in lockable cabinets in lockable rooms. Access to these records is restricted to staff on a ‘need to know basis’
- Implementing physical security measures around the school buildings and grounds to prevent break-ins
- Implementing Information and Communications Technology security systems, policies and procedures, designed to protect personal information storage on the school’s computer networks
- Implementing human resources policies and procedures, such as email and internet usage, confidentiality and document security policies, designed to ensure that staff follow correct protocols when handling personal information
- Undertaking due diligence with respect to third party service providers who may have access to personal information
Personal information the school holds that is no longer needed is destroyed in a secure manner, deleted or de-identified as appropriate
The school’s website may contain links to other websites. The school does not share your personal information with those websites and it is not responsible for their privacy practices.
5.8 Right to check what personal information the school holds about a staff member or a student
Under the Commonwealth Privacy Act, an individual has the right to obtain access to any personal information that the school holds about them and to advise the school of any perceived inaccuracy. There are some exceptions to this right set out in the Act. Students will generally have access to their personal information through their parents.
To make a request to access any information the school holds about you or your child, please contact the Principal in writing.
Generally, the school will refer any requests for consent and notices in relation to the personal information of a student to the student's parents. The school will treat consent given by parents as consent given on behalf of the student, and notice to parents will act as notice given to the student.
Parents may seek access to personal information held by the school about them or their child by contacting the Principal. However, there will be occasions when access is denied. Such occasions would include where release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of the school's duty of care to the student, or according to other exemptions stated in the Privacy or Health Acts.
The school may, at its discretion, allow a student to give or withhold consent to the use of their personal information, independently of their parents. This would normally be done only when the maturity of the student and/or the student's personal circumstances so warranted.
5.9 When the school discloses personal information
The school only uses personal information for the purposes for which it was given, or for purposes which are related (or directly related in the case of sensitive information) to one or more of the school’s functions or activities.
The school may disclose personal information to government agencies/departments, other parents/guardians, other schools, recipients of school publications such as newsletters, visiting teachers, counsellors, medical practitioners, coaches, service providers, agents, contractors, business partners, legal representatives and/or financial collection agency in the event of payment default or legal proceedings, parents and anyone to whom you authorise the school to disclose information and other recipients from time to time, only if one or more of the following apply:
- You have consented
- You would reasonably expect the school to use or disclose your personal information in this way
- The school is authorised or required to do so by law
- Disclosure will lessen or prevent a serious threat to the life, health or safety of an individual or to public safety
- Where another permitted general situation or permitted health situation exception applies or
- Disclosure is reasonably necessary for a law enforcement related activity
5.10 Personal Information of Students
The Privacy Act does not differentiate between adults and children and does not specify an age after which individuals can make their own decisions with respect to their personal information.
Christ Church Grammar School takes a common-sense approach to dealing with a student’s personal information and generally will refer any requests for personal information to a student’s parents/guardians. The school will treat notices provided to parents/guardians as notices provided to students and consents provided by parents/guardians as consents provided by a student.
However, the school is cognisant of the fact that children do have rights under the Privacy Act, and that in certain circumstances (especially when dealing with sensitive information), it will be appropriate to seek and obtain consents directly from students. There may also be occasions where a student may give or withhold consent with respect to the use of their personal information independently from their parents/guardians.
There may also be occasions where parents/guardians are denied access to information with respect to their children, because to provide such information would have an unreasonable impact on the privacy of others, or result in a breach of the school’s duty of care to the student.
5.11 How the school ensures the quality of your personal Information
The school takes all reasonable steps to ensure the personal information held, used and disclosed is accurate, complete and up to date. These steps include ensuring that the personal information is accurate, complete and up to date at the time of collection and when using or disclosing personal information.
On an ongoing basis the school maintains and updates personal information when advised by individuals or when it becomes aware through other means that their personal information has changed.
Please contact the school if any of the details you have provided change. You should also contact the school if you believe that the information held about you is not accurate, incomplete or up to date.
5.12 How to gain access to or request a change to your personal information the school holds
The school endeavours to ensure that the personal information it holds is accurate, complete and up-to-date. The National Privacy Principles require the school not to store personal information longer than necessary.
You may request access to the personal information the school holds about you, or request that the school changes the personal information, by contacting the school’s Reception in writing or by email firstname.lastname@example.org
If the school does not agree to provide you with access, or to amend your personal information as requested, you will be notified accordingly. Where appropriate the school will provide you with the reason/s for this decision.
If a request to change your personal information is rejected by the school, you may make a statement about the requested change and the school will attach this to your record.
5.13 Internal/External Avenues for Privacy Complaints/Advice
If you wish to make a complaint about a breach by the school of the Australian Privacy Principles or the Health Privacy Principles you may do so by providing your written complaint by email, letter or personal delivery to any one of the contact details noted below. You may also make a complaint verbally.
Our Reception staff will respond to your complaint within a reasonable time (usually no longer than 30 days) and may seek further information from you in order to provide a full and complete response.
Your complaint may also be taken to the Office of the Australian Information Commissioner.
6. How to contact the school’s Reception
You can contact the school’s Reception staff about this Policy or about your personal information by:
- Email: Reception – email@example.com
- Telephone: + 61 3 9866 3540
- In writing: Reception, Christ Church Grammar School, 677 Punt Road, South Yarra, VIC 3141
7. Changes to the Privacy and Information Handling Practices
8. Non-Compliance with this Policy
Wilful breaches of this policy and any associated procedures will be met with disciplinary action and may result in dismissal. Any breach may also result in instigation of formal legal proceedings where there is a corresponding breach of law.
9. Related Policies, Documents and Legislation
• Christ Church Grammar School Code of Conduct Policy
• Christ Church Grammar School Counselling and Disciplinary Action for Unacceptable Behaviour / Performance and Serious Misconduct Policy
• Christ Church Grammar School Recruitment Policy
• Christ Church Grammar School Occupational Health and Safety Policy
• Christ Church Grammar School Whistleblower Policy
9.2 Documents N/A
Privacy Act 1988 and Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth).
Health Records Act 2001 (Vic)
Accident Compensation Amendment Act 2010
Health and Safety Act 2004 (VIC)
10. Administrative Procedures
10.1 Access to published policy
This policy will be available via the schools intranet and internet.
10.2 Promulgation of published policy
Relevant staff members will be provided communications explaining the function and role of this policy.
10.3 Review of this policy
This policy will have a review cycle of 3 years.