Privacy Policy

CATHOLIC SCHOOLS BROKEN BAY

Privacy  Policy, October 2023

Rationale

The purpose of this policy is to establish a framework for Catholic Schools Broken Bay (CSBB) to comply with the requirements of all relevant Commonwealth and State privacy legislation in an open and transparent way.
The policy informs:

• CSBB staff of their obligations concerning personal information
• members of the wider school community about how CSBB manages their personal information and how they may request access to this information, including making a complaint about how CSBB has managed their information.

CSBB is bound by the Australian Privacy Principles contained in the Commonwealth Privacy Act 1988. In relation to health records, CSBB is also bound by the Health Privacy Principles contained in the Health Records and Information Privacy Act 2002 NSW (Health Records Act).

Guiding Principles and Objectives

CSBB respects and deeply values the personal information that our community are willing to entrust to us. This policy explains how we collect, hold, store, use, disclose and manage that personal information.

To help CSBB ensure best privacy management practices, we have adopted the following guiding principles:

• Clarity and transparency – our personal information handling practices are visible and accessible.
• Individual controls – we seek to provide stakeholders with choice and control around what happens to their personal information.
• Collection limitation – we legally and reasonably collect only the personal information we require. We collect information with stakeholder knowledge.
• Purposeful data use and disclosure – we only use or disclose personal information for the purpose we collected it unless the law permits or requires something else. This is made known through the CSBB Standard Collection Notice.
• Secure protections – we protect personal information using a range of physical, technical, and administrative safeguards.
• Right to access and correction – we support the right to access, and make corrections to, the personal information we hold.

Policy Statement

Definitions

Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information is true or not.

Biometric Information is personal information that is derived using different techniques or technologies that identifies a person based on their biometric characteristics (such as facial image or fingerprint).

Sensitive information is personal information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, trade union or other professional or trade association membership, sexual orientation or practices or criminal record, and includes health information and biometric information about an individual.

Health information is personal information about the health or disability of an individual.

What kinds of personal information does CSBB collect and how does CSBB collect it?

The type of information CSBB collects and holds includes (but is not limited to) personal information, including health and other sensitive information, about students and parents and/or guardians before, during and after the course of a student’s enrolment at CSBB.

 

Personal information

• names, addresses and other contact details,
• dates of birth
• gender
• next of kin details
• financial information
• photographs, images, videos,
• references
• regulatory accreditation
• media references
• directorships
• driver’s licence information
• school reports
• academic, attendance and behavioural records.

 

Health Information

• medical records and reports
• health fund information
• disabilities
• allergies
• immunisation details
• individual healthcare plans
• counselling reports and notes,
• nutrition and dietary requirements.

Other sensitive information

• religious beliefs
• government identifiers
• nationality, citizenship, country of birth,
• racial or ethnic origin,
• languages spoken at home,
• professional memberships
• family court orders
• criminal records.

Personal information provided by the individual:

A school will generally collect personal information held about an individual by way of forms filled out by parents or students, face-to-face meetings and interviews, emails and telephone calls and via the Compass portal. Note forms can be paper-based or online. In the case of online forms, responses should be held securely by CSBB.

Other methods of collection are through financial transactions and the use of CCTV security cameras. A school also collects personal information when a secondary student uses their issued Compass card for example to record attendance.

If an enrolment application is made to two (or more) CSBB schools, the personal information provided during the application process may be shared between the schools. This personal information may include health information and is used for the purpose of considering, supporting and administering the enrolment of the student within CSBB.

Personal information provided by other people:

In some circumstances a school may be provided with personal information about an individual from a third party, for example, a report provided by a medical professional or a reference from another school.

Exception in relation to employee records:

Under the Privacy Act and the Health Records and Information Privacy Act 2002 (NSW), the Australian Privacy Principles and Health Privacy Principles do not apply to an employee record. As a result, this Privacy Policy does not apply to the treatment by CSBB of an employee record, where the treatment is directly related to a current or former employment relationship between CSBB and employee.

How will CSBB use the personal information it collects?

CSBB will use personal information it collects for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of collection and reasonably expected, or to which consent has been given.

Students and Parents:

In relation to personal information of students and parents, a school’s primary purpose of collection is to enable the school to provide schooling for students enrolled at the school, exercise its duty of care, and perform necessary associated administrative activities, which will enable students to take part in all the activities of the school. This includes satisfying the needs of parents, the needs of the student and the needs of CSBB throughout the whole period the student is enrolled at the school.

The purposes for which CSBB uses personal information of students and parents include:

• keeping parents informed about matters related to their child’s schooling, through correspondence, newsletters and magazines
• day-to-day administration, including seeking the payment of fees for schools within CSBB when a student transfers between such schools
• looking after students’ educational, social, spiritual and medical wellbeing
• seeking donations and marketing for the school
• satisfying legal obligations of CSBB and enabling the school to discharge its duty of care.

In some cases where a school requests personal information about a student or parent, if the information requested is not obtained, the school may not be able to enrol or continue the enrolment of the student or permit the student to take part in a particular activity.

Job applicants and contractors:

In relation to personal information of job applicants and contractors, CSBB’s primary purpose of collection is to assess and (if successful) to engage the applicant or contractor, as the case may be. The purposes for which CSBB uses personal information of job applicants and contractors include:

• administering the individual’s employment or contract, as the case may be
• contact in an emergency
• insurance
• seeking funds and marketing for the school
• satisfying CSBB’s legal obligations, for example, in relation to child protection legislation.

Volunteers:

CSBB also obtains personal information about volunteers who assist schools in their functions or who conduct associated activities, such as ex-student associations or parent advisory bodies, to enable schools and the volunteers to work together, and in the interests of safety.

Marketing and fundraising:
Parents, staff, contractors and other members of the wider CSBB community may from time to time, receive fundraising information. School publications, like newsletters and magazines, which include personal information, may be used for marketing purposes. Personal information held by CSBB may be disclosed to an organisation that assists in the school’s fundraising, for example, the school’s ex- student association.

To whom might CSBB disclose personal information?

CSBB may disclose personal information, including sensitive information, held about an individual for educational, administrative and support purposes. This may include to:

• other schools and teachers at those schools including a new school to which a student transfers to facilitate the transfer of the student, and schools within CSBB where concurrent applications for enrolment are made to those schools
• government departments (including for policy and funding purposes)
• Catholic Schools NSW (CSNSW)
• the school’s local parish and Diocese of Broken Bay
• medical practitioners
• people providing educational, support and health services to students, including specialist visiting teachers, counsellors, sports coaches and volunteers
• providers of learning and assessment tools
• providers of specialist advisory services and assistance to the school, including in the area of human resources, child protection and students with additional needs
• assessment and educational authorities, including the Australian Curriculum, Assessment and Reporting Authority (ACARA) and NAPLAN Test Administration Authorities (who will disclose it to the entity that manages the online platform for
NAPLAN)
• agencies and organisations to whom CSBB is required to disclose personal information for education, research and consent purposes
• people providing administrative, technology and financial services
• recipients of school publications, such as newsletters and magazines
• students’ parents or guardians
• anyone an individual authorises CSBB to disclose information to
• anyone to whom we are required to disclose the information by law, including child protection laws.

Sending and storing information overseas:

A school may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange or other overseas excursion. However, a school will not send personal information about an individual outside Australia without:

• obtaining the consent of the individual (in some cases this consent will be implied); or
• otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.

CSBB uses centralised information management and storage systems (Systems). Some of these Systems are provided by the Catholic Education Network (CEnet) and others by third party service providers. CEnet is owned by the Catholic Dioceses. Personal information is stored with and accessible by CEnet and the third-party providers for the purpose of providing services to the school in connection with the Systems and for CEnet, administering the education of students.

CSBB may use online or ‘cloud’ service providers to store personal information and to provide online services to the school that use personal information, such as services relating to email, instant messaging and education and assessment applications. Some limited personal information may also be provided to these service providers to enable them to authenticate users and access their services. This personal information may be stored in the ‘cloud’ which means that it may reside on a cloud service provider’s server which may be situated outside Australia.

How does CSBB treat sensitive information?

Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless the individual agrees otherwise, or the use or disclosure of the sensitive information is allowed by law.

Management and security of personal information

CSBB staff are required to respect the confidentiality of students’ and parents’ personal information and the privacy of individuals. Any staff member who is uncertain about their obligations under this policy should seek clarification from their principal or workstream lead. A failure by a staff member to comply with the important obligations set out in this policy may result in disciplinary action.

CSBB is required to have in place steps to protect the personal information the organisation holds from misuse, interference and loss, unauthorised access, modification, or disclosure by use of various methods including locked storage of paper records and password access rights to computerised records.

Access and correction of personal information

Under the Commonwealth Privacy Act and the Health Records Act, an individual has the right to seek and obtain access to any personal information which CSBB holds about them and to advise CSBB of any update or perceived inaccuracy.
There are some exceptions to this right set out in the Act. Students will generally be able to access and update their personal information through their parents, but older students may seek access and correction themselves.

To make a request to access or update any personal information CSBB holds about an individual or their child, parents should contact the school’s principal in writing.

CSBB may require a person seeking personal information to verify their identity and specify what information is required. The school may charge a fee to cover the cost of verifying the application and locating, retrieving, reviewing and copying any material requested. If the information sought is extensive, the school will advise the likely cost in advance. However, there will be occasions when access is denied. Such occasions would include where release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of the school’s duty of care to the student. If the school is not able to provide access to that information, the school will provide the applicant with written notice explaining the reasons for refusal (unless given the grounds for refusal, it would be unreasonable to provide reasons).

Use of Biometric Information

Biometric technology is used by CSBB to support the effective management of student images.

A third-party vendor has been engaged to manage photo permissions, consent and protect student images. CSBB has confirmed that the provider follows the guidance of the Office of the Australian Information Commissioner (OAIC) and the Australian eSafety Commission. For more information, see Appendix 1.

Enquiries and complaints

For further information about the way CSBB manages the personal information it holds, or to make a complaint that CSBB has breached the Australian Privacy Principles, individuals should contact the school’s principal (if the complaint relates to a school) or the Privacy Officer at CSBB (if the complaint relates to the CSBB central office).

Privacy Officer contacts details:
Email: csbb.governance@dbb.catholic.edu.au
Address:                  Privacy Officer
Catholic Schools Broken Bay
Caroline Chisolm Centre, 2/423 Pennant Hills Road Pennant Hills NSW 2120

CSBB will investigate any complaint and will notify the complainant of a decision in relation to their complaint as soon as is practicable. CSBB Complaints Handling Policy provides guidelines for the handling of complaints relating to the operation of CSBB, including complaints about management of personal information provided to or collected by CSBB.

Individuals may also make a complaint to the Office of the Australian Information Commissioner.

Audience

This policy applies to CSBB staff.

This policy also applies to contractors, job applicants, parents/legal guardians/carers, students, and other members of the CSBB school community.

Applicability

The CSBB Governance, Legal and Risk workstream is responsible for the development and review of the Privacy Policy.

Key Responsibilities

Director of Schools is responsible for overseeing the development and implementation of processes to ensure compliance with the Privacy Policy.

School Principals and Workstream Leads are responsible for the development, implementation, culture building and publishing of the Privacy Policy in their areas of responsibility in accordance with this policy and any regulatory requirements.

All CSBB Staff are expected to be committed to understanding and complying with CSBB Privacy Policy.

Related Resources

• Privacy Act 1988 (Cth)
• Australian Curriculum, Reporting and Assessment Act 2008 (Cth)
• Children and Young Persons (Care and Protection) Act 1998
• Education Act 1990 (NSW)
• Education Amendment (School Attendance) Act 2009
• Health Records and Information Privacy Act 2002 (NSW)
• Ombudsman Act 1974
• Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)
• Workplace Surveillance Act 2005 (NSW)
• Schools Assistance (Learning together Through Choice and Opportunity) Act 2004 (Cth)
• NSW Minors (Property and Contracts) Act 1970
• Privacy Compliance Manual April 2023 (NCEC)
• Non-Government Schools Record Retention Schedule
• Pixevety Privacy Policy
• Pixevety Biometrics Information Privacy Policy

Related Processes/Procedures

Not applicable

Related Policies

• Student Acceptable Use Policy – Digital Network and Online Services
• Staff Acceptable Use Policy – Digital Network and Online Services
• CSBB Complaints Management and Resolution Policy

Review

The Privacy Policy and related Procedures/Processes will generally be reviewed every five (5) years unless there is a legislative or regulatory requirement to do so earlier. Notwithstanding the above, the Privacy Policy is subject to change at any time.

Revision/Modification History

Version	Current Title	Summary of Changes	Approval Date	Commencement Date
8	Privacy Policy	New policy format and CSBB branding Addition of: Guiding Principles and Objectives Related policies and resources Privacy Officer contact details Biometric data use information	October 2023	October 2023
7	Privacy Policy		February 2020	February 2020
1	Privacy Policy		November 2001	November 2001

 

Approval Date/Revision Schedule

Approved by: Danny Casey – Director of Schools Date Approved: October 2023
Date of next review: October 2028

Appendix 1

The Australian, privacy-by-design vendor is OAIC Australian Privacy Principle (APP) registered, has attained the Australian & New Zealand Safer Technology 4 Schools badge, and is a member of the Biometrics Institute. The primary objective of the partnership is to assist school staff to protect students’ identities when using, sharing, and publishing their photos.
The third-party vendor offers an active opt-in media consent module allowing parents/legal guardians the option to change their consent, controlling how the school/Diocese can use images of students. The consent module features automated facial recognition technology that uses biometric information to identify individuals within an image. With this identification, consent can be applied automatically enabling staff to easily search and filter on media consent before use.