St Francis Xavier College is governed by Catholic Education, Canberra & Goulburn. The following is the Catholic Education Privacy Statement, which applies to all system schools in the Archdiocese.
Privacy Act 1988 (Cth)
Information Privacy Act 2014 (ACT)
Records and Information Privacy Act 2002 (NSW)
Health Records (Privacy and Access) Act (ACT)
This policy describes:
Who do we collect personal information from?
We collect personal information from students, parents, prospective parents, job applicants, staff, volunteers and others including contractors and visitors and others that come into contact with us.
Employee records are not covered by the Australian Privacy Principles or the Health Privacy Principles where they relate to current or former employment relations between the school and the employee.
What types of personal information do we collect?
The kinds of personal information we collect are largely dependent upon whose information we are collecting and why we are collecting it; however, in general terms the school may collect:
How do we collect personal information?
How we collect personal information will largely be dependent upon the information we are collecting.
Where possible we have attempted to standardise the collection of personal information. However, given the nature of our operations, we often also receive personal information by email, websites, letters, notes, over the telephone, in face-to-face meetings, through financial transactions and through surveillance activities such as the use of CCTV security cameras or email monitoring.
We may also collect personal information from other people (e.g. a personal reference) or independent sources. We will only do so where it is not reasonable and practical to collect the information from you directly.
Sometimes we may be provided with your personal information without having sought it out (“unsolicited information”). Where we collect unsolicited information we will only hold, use and/or disclose that information if we could otherwise do so had we collected it by normal means. If that unsolicited information could not have been collected by normal means then we will destroy or permanently delete the information.
How we use personal information
We only use personal information that is reasonably necessary for one or more of our functions or activities (the primary purpose) or for a related secondary purpose that would be reasonably expected by you, or to which you have consented.
The purposes for which we use personal information include but are not limited to:
In some cases where a school or the CEO requests personal information about a student or parent, if the information requested is not obtained, the school or the CEO may not be able to enrol or continue the enrolment of the student or permit the student to take part in a particular activity.
We only collect sensitive information reasonably necessary for one or more of these functions or activities if we have the consent of the individuals to whom the sensitive information relates.
If we do not have the relevant consent and a permitted health situation or permitted general situation does not exist, then we may still collect sensitive information provided it relates solely to individuals who have regular contact with the school in connection with our activities.
We will only use or disclose sensitive information for a secondary purpose if you would reasonably expect us to use or disclose the information and the secondary purpose is directly related to the primary purpose.
We do not use information for direct marketing purposes.
We do not use government related identifiers unless required.
Sharing of information between related system schools
The Privacy Act allows a system school, being legally related to each of the other schools conducted by the CEO, to share personal (but not sensitive) information with other schools in the CEO System. This allows schools to transfer information between schools as long as the information is being used for the original purpose.
Storage and security of personal information
We store personal information in a variety of formats including on databases, in hard copy files and on personal devices including laptop computers, mobile phones, cameras and other recording devices. The security of your personal information is of importance to us and we take all reasonable steps to protect the personal information we hold about you from misuse, loss, unauthorised access, modification or disclosure.
When we disclose personal information
We only use personal information for the purposes for which it was given to us, or for purposes which are related (or directly related in the case of sensitive information) to one or more of our functions or activities.
We may disclose your personal information to government agencies, other parents, other schools, recipients of school publications, visiting teachers, counsellors and coaches, our service providers, agents, contractors, business partners and other recipients from time to time, only if one or more of the following apply:
Personal information of students
The Privacy Act does not differentiate between adults and children and does not specify an age after which individuals can make their own decisions with respect to their personal information.
The CEO respects every parent’s right to make decisions concerning their child’s education. A school will refer any requests for consent and notices in relation to the personal information of a student to the student’s parents or guardians. A school will treat consent given by parents as consent given on behalf of the student, and notice to parents will act as notice given to the student. There will be occasions when access is denied, including where the release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of the school’s duty of care to the student.
A school may, at its discretion, on the request of a student grant that student access to information held by the school about them, or allow a student to give or withhold consent to the use of their personal information, independently of their parents. This would normally be done only when the maturity of the student and/or the student’s personal circumstances warrants such action.
Disclosure of personal information to overseas recipients
We may disclose personal information to overseas recipients in certain circumstances, such as when we are organising an overseas excursion. We will, however, take all reasonable steps not to disclose an individual’s personal information to overseas recipients unless:
How to gain access to your personal information we hold
You may request access to the personal information we hold about you, or request that we change the personal information, by contacting us.
How we ensure the quality of personal information
We take all reasonable steps to ensure the personal information we hold, use and disclose is accurate, complete and up to date. These steps include ensuring that the personal information is accurate, complete and up to date at the time of collection and when using or disclosing the personal information. On an ongoing basis we maintain and update personal information when we are advised by individuals or when we become aware through other means that their personal information has changed.
Correction of personal information
To make a request to access or update any personal information the CEO or a System school holds about you or your child, contact the school’s Principal in writing.
If you wish to make a complaint about a breach by us of the Australian Privacy Principles or the Health Privacy Principles, you may do so by providing your written complaint by email, letter or personal delivery to any of our contact points noted below. You may also make a complaint verbally.
We will respond to your complaint within a reasonable time (usually no longer than 30 days) and we may seek further information from you in order to provide a full and complete response.
Your complaint may also be taken to the Office of the Australian Information Commissioner.
Data breaches and privacy breaches
What is a Notifiable Data Breach?
The Privacy Act refers to an “eligible data breach”, while the OAIC uses the term NDB on its website.
Under the Act a data breach must be notified where:
Further information on identifying an eligible data breach can be found on the Office of the Australian Information Commissioner’s website:
Serious harm could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the school’s position would identify as a possible outcome of the data breach.
What to do when there is a data or privacy breach
Where an eligible data breach is suspected or believed to have occurred, a school must log a critical incident form containing a statement of the prescribed information about the suspected breach.
The Principal or CE Privacy Officer will follow the OAIC’s process for identifying an eligible data breach (https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/identifying-eligible-data-breaches#preventing-serious-harm-with-remedial-action).
We will take all reasonable steps to ensure that the assessment is completed within 30 days after becoming aware of the breach.
This is summarised in the following diagram from the OAIC.
Personal information: information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Health information: a subset of sensitive information. It is any information or opinion about the health or disability of an individual, the individual’s expressed wishes about the future provision of health services, and a health service provided, currently or in the future, to an individual, that is also personal information. Health information also includes personal information collected in the course of providing a health service.
The Privacy Act regulates personal information contained in a ‘record’. A ‘record’ includes a ‘document’, whether in paper form or held in an electronic or other device. The definition in the Amending Act is inclusive and therefore now covers a wide variety of material which might constitute a record. A ‘document’ is defined to include anything on which there is writing, anything from which sounds, images or writings can be reproduced, and drawings or photographs.
APP 1 — Open and transparent management of personal information
APP 3 — Collection of solicited personal information
This principle outlines when schools and the Catholic Education Office can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.
APP 4 — Dealing with unsolicited personal information
This principle outlines how schools and the Catholic Education Office must deal with unsolicited personal information.
APP 5 — Notification of the collection of personal information
This principle outlines when and in what circumstances schools and the Catholic Education Office collect personal information, and when they must notify an individual of certain matters.
APP 6 — Use or disclosure of personal information
This principle outlines the circumstances in which schools and the Catholic Education Office may use or disclose personal information that they hold.
APP 7 — Direct marketing
This principle stipulates that an organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
APP 8 — Cross-border disclosure of personal information
This principle outlines the steps schools and the Catholic Education Office must take to protect personal information before it is disclosed overseas.
APP 10 — Quality of personal information
This principle requires schools and the Catholic Education Office to take reasonable steps to ensure the personal information they collect is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
APP 11 — Security of personal information
This principle requires schools and the Catholic Education Office to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity also has obligations to destroy or de-identify personal information in certain circumstances.
APP 12 — Access to personal information
This principle outlines the obligations of schools and the Catholic Education Office when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
APP 13 — Correction of personal information
This principle outlines the obligations of schools and the Catholic Education Office in relation to correcting the personal information they hold about individuals.
You can contact us about this Policy or about your personal information through contacting the CEO. The CEO’s contact details are:
Catholic Education Office PO Box 3317
Manuka ACT 2603
Phone: (02) 6234 5455
If you are not satisfied with the CECG’s decision you may make a complaint to the Office of the Australian Information Commissioner (OAIC) whose contact details are: