Privacy

Policy

Home / Document / Privacy policy Print Download

1.   Purpose and Scope

This Privacy Policy provides direction on the collection, use, management and disclosure of personal information provided to, or collected by Christ Church Grammar School (the School) in the course of discharging its mission.  This document must be read in conjunction with the School’s Records Management Policy.

Christ Church Grammar School is bound by and complies strictly with the requirements of the  Commonwealth Privacy Act 1988 and the Australian Privacy Principles (APPs).  In relation to health records, the school is also bound by the Health Services (Conciliation and Review) Act 1995 and the Freedom of Information Act 1992.

This policy applies to the entire school community in collecting, holding, accessing and using personal and sensitive information from and about, but not limited to

  • Current and prospective students
  • Current and prospective parents/guardians
  • Current and prospective staff
  • Current and prospective Council members
  • Past students
  • Current and prospective donors
  • Current and prospective suppliers and contractors
  • Volunteers
  • Users of the School’s facilities and services
  • Attendees at events or activities.

2.   Definitions  

Eligible Data Breach

An eligible data breach under the Privacy Act 1988 is either:

  • Unauthorised access or disclosure of personal information where a reasonable person would conclude that the disclosure or access is likely to result in serious harm to those individuals affected, or
  • Where information is lost in circumstances where unauthorised access or disclosure is likely to occur and assuming that if unauthorised access or disclosure were to occur, a reasonable person would conclude that the disclosure or access is likely to result in serious harm to the affected individuals.

Health Information

Health information is a subset of sensitive information.  It is any information or opinion about the health or disability of an individual, the individual’s expressed wishes about the future provision of health services and a health service provided, currently or in the future, to an individual that is also personal information.  Health information also includes personal information collected while providing a health service.

Personal Information

Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable whether the information is true or not, and whether the information is recorded in a material form or not.  It includes all personal information regardless of its source.

Sensitive Information

Sensitive information is a type of personal information that is given extra protection and must be treated with additional care.  It includes any information or opinion about an individual’s racial or ethnic origin, political opinion, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record.  It also includes health information and biometric information.

3.   Policy Principles 

3.1   Personal information collected and methods of collection 

The types of information the school collects and holds includes, but is not limited to personal information, including health and other sensitive information about:

  • Students and parents and/or guardians before, during and after the course of a student’s enrolment at the school.
  • Job applicants, staff members, volunteers and contractors and
  • Other people who may come into contact with the school

The School will collect personal information where that information is reasonably necessary for the performance of one or more functions and/or activities of the school.

The School will collect personal information by lawful, fair and transparent means and wherever possible, directly from the individual.

The School will generally collect personal information held about an individual by way of forms filled out by parents, guardians or students, face-to-face/online meetings and interviews, emails and telephone calls. On occasions people other than parents, guardians and students provide personal information.

In some circumstances the School may be provided with personal information about an individual from a third party, for example a report provided by a medical professional or a reference from another school.  This personal information will be treated in the same manner as if it were collected by the school.

If the School receives personal information about a third party from an individual, that individual must ensure that:

  • The information is correct and has been collected and disclosed in accordance with the Act
  • The individual is entitled to disclose that information to the school; and
  • Without taking any further steps, the school may collect, use and disclose that information in accordance with this policy.

3.2   Use of personal information 

The School will use personal information it collects only for the primary purpose of collection and for such other secondary purposes that are related to the primary purpose of collection and reasonably expected by the provider, or to which the provider has consented.

In the case of students, consent will be obtained from the parent/guardian, or from the student if over 16 years and deemed to have capacity to consent.

Christ Church Grammar School’s primary purpose for collection of personal information relating to students and parents/guardians is to enable it to provide schooling and educational services to the student and includes:

  • Pre-enrolment matters
  • Keeping parents informed about matters related to their child’s schooling, through correspondence, newsletters, magazines and other publications
  • Day-to-day administration
  • Looking after students’ wellbeing
  • Drawing upon the expertise of particular members of the School community to assist with operations and functions
  • Seeking donations for the school
  • Promotion and marketing of the school and
  • To satisfy the school’s legal obligations and allow the school to discharge its duty of care

In some cases, where the requested personal information about a student or parent is not provided, the School may be unable to enrol or continue the enrolment of the student or permit the student to take part in a particular activity.

The school’s primary purpose for collection of personal information of job applicants, staff members, contractors and volunteers is to assess their suitability for engagement, for administering contracts, insurance purposes and to satisfy legal obligations, for example, in relation to child protection matters.

Personal information held by the school may be disclosed to an organisation that partners with the School  in its marketing and fundraising endeavours.  All such arrangements are subject to strict contractual obligations and confidentiality agreements.

3.3   Consent and rights of access to the personal information of students 

The School respects every parent’s right to make decisions concerning their child’s education. Generally, the School will refer any requests for consent and notices in relation to the personal information of a student to the parents. The School will treat consent given by parents as consent given on behalf of the student, and notices to parents will act as notice given to the student.

Parents may seek access to personal information held by the School about them or their child by contacting the Principal. However, there will be occasions when access is denied. Such occasions would include where release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of the School’s duty of care to the student.

The School may, on the request of a student, grant that student access to information held by the School about them, or allow a student to give or withhold consent to the use of their personal information, independently of their parents. This would normally be done only when the maturity of the student and/or the student’s personal circumstances so warranted.

3.4   Disclosure of personal information

The School may disclose personal information, including sensitive information, held about an individual to:

  • Anyone to whom the provider authorises the school to disclose information
  • Anyone to whom the school is required to disclose the information by law

The School may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange. However, the School will not send personal information about an individual outside Australia without:

  • obtaining the consent of the parent/guardian or the individual (if 16 years or over and subject to the individual being deemed to have the capacity to consent); or
  • otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.

3.5   Treatment of Sensitive information

Sensitive information will only be used and disclosed for the purpose for which it was provided, or directly related secondary purpose, unless the provider’s express agreement has been obtained to do otherwise, or the use or disclosure of the sensitive information is allowed by law.

3.5.1    Health information

A wide range of health information may be collected including medical records, immunisation details, individual education action plans, psychological reports, and dietary requirements, as well as relevant information about disabilities.  Christ Church Grammar School collects health information about its students, staff and on occasions parents

  • With the consent of the student or parent unless it is necessary to lessen or prevent a serious threat to the life, health, or safety of an individual
  • Where it is required to enable the school to exercise its duty of care or is otherwise required or authorised by law (e.g. mandatory reporting)
  • Where the School itself records health related incidents at school
  • Where a student suffers an injury or illness, a school nurse, school psychologist assesses, makes a diagnosis of illness or disability, treats a student and creates and maintains records of the student’s progress

Health information will only be used or disclosed:

  • For the purposes for which it was collected or a directly related secondary purpose
  • To exercise the school’s duty of care or as otherwise required or authorised by law or
  • To lessen or prevent a serious threat to the life, health, or safety of an individual and where it is impractical to obtain consent

Health information is securely stored and only staff who have a need to know the information are provided access.  Health information of a student is not disclosed to third parties, such as another parent or an organisation or school which may have temporary care of the student unless the School considers it is necessary to disclose it to ensure the health or safety of the student.

The school will seek expert advice in any instance where it becomes aware of health information about a student which the student does not wish to be disclosed to a parent or both parents, unless failure to disclose this information would constitute a breach of the school’s duty of care responsibility or mandatory reporting obligations.

3.6  Management and security of personal information

The school will take reasonable steps to:

  • Destroy or de-identify personal information which is no longer needed for the school’s business or required to be retained under law, regulation or any code applicable to the school
  • Ensure that the personal information it collects, uses or discloses (having regard to the purpose of the disclosure) is accurate, up to date and complete
  • Ensure that the systems, tools and methods of capturing transmitting and holding information are protected from misuse, interference, loss and from unauthorised access, modification or disclosure.  However the school cannot be held responsible for the theft of data by a third party, or the loss of data through technical or technological malfunction, tampering by a third party or any event that is beyond the reasonable control of the school

3.7   Handling of data breaches

Christ Church Grammar School will take appropriate, prompt and necessary action if there are reasonable grounds to believe that a data breach has or is suspected to have occurred. Depending on the type of data breach, this may include a review of internal security protocols, taking remedial internal action, notifying affected individuals and the Office of the Australian Information Commissioner (OAIC).

3.8   Access to and correction of personal information

Under the Commonwealth Privacy Act (and the Health Records Act), an individual has the right to obtain access to any personal information that the School holds about them and to advise the School of any perceived inaccuracy.  Students will be able to access and update their personal information through their parents, but students aged 16 years or over may seek access and correction themselves.

To make a request to access or update any personal information the School holds about a student or his parents, it will be necessary to submit a request in writing to the Principal.

The School may charge a fee to cover the cost of verifying the identity of the applicant and locating, retrieving, reviewing and copying any material requested. If the information sought is extensive the School will advise the likely cost in advance.

3.9   Enquiries and Complaints

Enquiries from a student or his parents about the way in which the school manages the personal information it holds, or complaints that the School has breached the Australian Privacy Principles, may be addressed to the Principal or the Privacy Officer.  The School will investigate all complaints and notify the complainant of the outcome of the investigation and any related decision as soon as practicable and in accordance with the provisions of the Disputes and Complaints Policy.

3.10   Breaches of Policy

Failure to comply with this policy may be considered a breach of the Code of Ethics and Code of Conduct and may result in disciplinary action.

4.   Related Legislation and Policies 

Commonwealth Privacy Act (1988)

Australian Privacy Principles within the Commonwealth Privacy Act

Health Services (Conciliation and Review) Act 1995

Freedom of Information Act 1992

Code of Ethics

Code of Conduct

Disputes and Complaints Policy

ICT Policy

Records Management Policy

 

Date originally approved

7 June 2023

 Approving Authority

Council
Date this version approved

7 June 2023

 Date to be reviewed

7 June 2026
Policy Custodian

Director of Communication and Engagement

 Policy Category

Information and Records Management
Document title: Privacy policy CRICOS: 00433G
Custodian of document: Director of Communication and Engagement Date last updated: February 29, 2024