's Privacy Policy

Preamble - Privacy Policy

Swan Christian Education Association Incorporated () recognises and acknowledges that the protection of individuals’ privacy is important and required under the relevant legislation.

This Privacy Policy explains how manages information it collects; in particular, how:
• collects information, throughout its usual course of business.
• protects the privacy of personal information and health information which collects and uses.
• uses such information and to whom such information may be disclosed.
• reports data breaches.
• Individuals can access their personal information, correct any personal information which holds, lodge complaints in relation to alleged breaches of privacy or make any related enquiry.

Scope
This Policy covers all sites (schools and the system office) owned and/or operated by . All members of staff, contractors and volunteers must comply with this policy in relation to any personal information they handle.
Personal information may be collected from any individual with whom may have contact, including current and prospective students and their parents/guardians, alumni, job applicants, volunteers, contractors, past employees and other individuals who engage with .
may also collect, use and disclose health information in relation to the provision of health services to students while in the care of .

Context
is bound by the Australian Privacy Principles (APPs) contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012. This amendment makes changes to the Privacy Act 1988 (“the Act”). is also bound in WA by the Freedom of Information Act 1992 (WA). In relation to health records holds, is bound by the Health Privacy Principles under the Health Act 1911.
This policy should be read in conjunction with the Members’ Grievance Policy, Staff Complaints Management Policy, the Access Arrangements for Separated Parents/ Policy, and the Digital Privacy, Safety and Security Policy and Framework.
The Association may, from time to time, review and update this policy to take account of changes to the Association’s operations and practices and to make sure it remains appropriate to the changing legal and school environment.

Policy Statement
In carrying out its educational and welfare functions, Swan Christian Education Association collects personal information about students, parents/carers and staff. is committed to protecting the privacy of all information collected. All employees, Board members and volunteers are required by law to protect the personal information the school collects, including that of a sensitive nature. All members of the community have the right to understand how their personal information will be managed, stored, used and disposed of.

Types of information collects and holds

collects a range of personal information about an individual, including:
• name
• address
• contact number
• email address
• age
• date of birth (DOB)
• photographs or videos
• academic results
• other relevant personal details

In addition to this information, where provides health services while discharging its duty of care, may collect information about health services previously provided to an individual, an individual’s current health status and an individual’s expressed wishes in relation to the provision of health services.
may also collect information about individuals when accessing electronic resources or communications of the Association, such as websites or social media channels of the Association and its schools. Information collects from visits to its website is generally not personally identifiable. However, due to the nature of internet protocols, information collected may, individually or in aggregate, be able to identify information such as the IP address of the computer accessing ’s website, the internet service provider used by an individual, the web page directing an individual to ’s website and the individual’s activity on ’s website.

Procedures

How collects personal information
may collect personal information from an individual through a variety of sources, including but not limited to:
• a form that is completed and submitted to ;
• a telephone, email or in-person inquiry or discussion about and the services that provides;
• mail correspondence, emails and other electronic means – including by accessing ’s website and use of the “contact us” form;
• electronic service providers, such as third-party cookies (Google Analytics), email distribution services or event management software;
• publicly available sources of information;
• reference from another school about an individual student; and
• reports provided to by a medical professional in relation to health services previously provided or to be provided by to an individual.

will usually collect personal information directly from an individual or their parent/guardian, unless it is unreasonable or impracticable to do so. Additionally, will usually only collect personally identifiable information when asks for that personal information or it is volunteered by the individual. may from time to time receive unsolicited personal information about an individual. will promptly destroy or de-identify any personal information found to have been collected in error.
Additionally, may collect data from users of its electronic platforms using various technologies and third-party service providers.
may seek consent of parents/guardians to use their child’s name, image and likeness in materials produced or published by or third-parties, including newsletters, magazines, posters and other advertising materials. Where parents/guardians do not consent to their child’s name, image and likeness being used by in this manner, will refrain from using their child’s name, image and likeness. Parents/guardians may at any time withdraw their consent and will remove their child’s name, image and likeness from electronic materials produced or published as soon as is reasonably practicable, or in the case of printed material subsequent prints from the time of notification of consent being withdrawn.

How uses personal information it collects
generally only uses personal information for the primary purpose for which it is collected or a secondary purpose, when it is permitted by the Act or if authorised or required by law.
collects personal information for the purposes of:
• facilitating its ability to function as an educational institution;
• other administrative functions, including assessing job applicants and managing volunteers;
• fulfilling its duty of care to its students;
• complying with its legal obligations owed to the State and Commonwealth Governments in relation to the provision of education to students;
• addressing queries or resolving complaints;
• marketing and the education services provides;
• keeping individuals connected to the Association up to date with relevant information and promotion of future services and events;
• keeping parents and guardians informed on matters relating to their child’s schooling at through correspondence, newsletters, magazines and reports;
• assessing applications for scholarships to attend and awarding and administering scholarships to current students at ;
• seeking and administering donations and bequests made to , and
• improving services.

may also disclose personal information it collects from individuals to third-parties, such as ’s professional advisers, courts, tribunals, regulatory authorities, other companies and individuals for:
• complying with its obligations owed to an individual under any contract between and the individual, or as required by law;
• enabling those third-parties to perform services on behalf of ; and,
• recovering debts where amounts owed to in consideration for services provides remain due and outstanding beyond the payment terms.

Third-parties engages from time to time may have access to personal information held by about individuals, but will not authorise them to use such information for any other purpose.

may disclose personal information (including sensitive information) held about an individual to another school, government departments (where must disclose such information to comply with its legal obligations), medical practitioners, service providers (including specialist visiting teachers and sports coaches), recipients of publications (such as newsletters and magazines), and parents and guardians.

may use health information collected about an individual to provide health services to that individual where required. may disclose health information to a medical professional or to a health service provider where that other health service provider is engaged in providing health services to that individual. will not use or disclose such health information for a purpose other than the primary purpose of collection unless:
• the individual consents to the use or disclosure;
• the secondary purpose is directly related to the primary purpose and the individual would reasonably expect to use or disclose the information for the secondary purpose;
• the use or disclosure is required, authorised or permitted, whether expressly or impliedly by or under law; or,
• as otherwise authorised, permitted or required under the State Records Act 2000 (WA).

Effect of non-provision of personal information; anonymity and pseudonymity
From time to time an individual may be able to deal with anonymously or by using a pseudonym. For example, without limitation, if an individual has a general inquiry about , may be able to respond to the inquiry on an anonymous or pseudonymous basis.
However, if an individual does not provide the personal information requests, or the information is provided anonymously or pseudonymously, then may be unable to fulfil its functions as an educational institution or discharge its duty of care to the parents/guardians or children affected.
Further, in some situations, may need to verify an individual’s identity as part of ’s response to a request to access and/or correct personal information or health information holds about an individual, or as part of ’s complaints handling procedure. If cannot verify an individual’s identity, or they continue to engage with in an anonymous or pseudonymous basis, then may be unable to complete the request or pursue its complaints-handling procedure.

Direct marketing

may directly market its services to individuals on the basis that they would reasonably expect to do so, where has already collected their personal information.
will also comply with other laws relevant to marketing, including the Spam Act 2003 (Cth), the Do Not Call Register Act 2006 (Cth) and the Competition and Consumer Act 2010 (Cth).
Marketing email communications which send will include an opt-out procedure.

Cross-border transfer or disclosure of information

may disclose an individual’s personal information to entities outside Australia from time to time. For example, may be required to disclose the personal information of students travelling to ’s outreach activities to Australian and overseas government authorities.
may transfer health information about an individual to an entity other than or the individual which is outside Australia only when reasonably believes that the recipient is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the requirements under the Freedom of Information Act 1992 (WA), if the individual consents to the transfer or otherwise as permitted under the Freedom of Information Act 1992 (WA).
makes use of services hosted overseas where they are subject to a binding scheme or law that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and there are mechanisms that allow the individual to take action to enforce that protection of the law or binding scheme. Where this isn’t possible, will seek appropriate consent.

Quality of information

Whilst it is the responsibility of the parent or guardian to provide updated or amended personal and health information, takes reasonable steps to ensure that the personal information and the health information collects, uses, holds or discloses is accurate, complete, up-to-date and relevant to ’s functions or activities, having regard to the purpose for which the information is to be used or disclosed by .
Additionally, will take reasonable steps to destroy or de-identify personal information it holds about an individual, if no longer requires that personal information.

Accessing and correcting information

Individuals are entitled at any time, upon request, to access the personal information held about them. will respond within a reasonable period after receiving the request. will give access to the information in the manner it is requested, unless it is impracticable for to do so. is entitled to charge a reasonable administrative fee for giving access to the information.
may from time to time refuse an individual access to the information holds about that individual, in accordance with the relevant legislation. Where refuses access, will explain the reasons for refusal in writing and, if individuals wish to lodge a formal complaint about the refusal it should be made in accordance with the ’s grievance policies.
reserves the right to verify an individual’s identity before granting access to the personal information holds about them.
Parents/guardians generally have a right to access information held concerning their child, but in some cases, information disclosed to health and psychological professionals may be withheld from parents/guardians when requested by a child assessed as mature enough to make this choice.
The disclosure of information held to separated/divorced parents/guardians will be governed by Family Court Orders, if they exist.
If at any time individuals believe that personal information holds is incorrect, incomplete or inaccurate, they may request that amend such personal information. If refuses the correction request, then will provide written reasons and information about ’s complaints-handling process, should they not be satisfied with those reasons.
Where corrects personal information held about an individual, will take reasonable steps to notify third-parties of the correction.

Mandatory Notification of Data Breaches

On 22 February 2018, changes to the Act took effect and a new Notifiable Data Breach (NDB) Scheme is in force. The NDB Scheme requires to notify the Office of the Australian Information Commissioner (OAIC) and the affected individual(s), in the event of a notifiable data breach.
A data breach occurs when personal information is lost or subject to unauthorised access, modification, disclosure, or other misuse or interference. For , data breaches are not limited to hackings or cyber-attacks on school systems. More commonly, data breaches occur due to internal human errors or a failure to follow information handling policies that result in personal information being inadvertently lost or disclosed to the wrong person. For example, leaving a school laptop on public transport.
Not all data breaches will be NDBs. Pursuant to section 26WE of the Act, an eligible data breach, which would require notification, occurs in circumstances where:
• there is an unauthorised access or unauthorised disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
• information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any individuals to whom that information relates.
In short, for there to be an eligible data breach, the breach would have the likelihood of resulting in serious harm to any of the affected individuals. Serious harm could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the school’s position would identify as a possible outcome of the data breach.

Examples of data breaches which may meet the definition of an eligible data breach, include when:
• a device containing a member of the school community’s personal information is lost or stolen (e.g. a school laptop);
• a database containing personal information is hacked;
• personal information about students or staff is mistakenly provided to the wrong person;
• records containing student information are stolen from unsecured recycling bins; or
• disclosing personal information about students/staff for purposes other than what it was collected for and without the consent of the affected students/staff.

Once a employee forms the view, based on reasonable grounds, that there has been an eligible data breach, it must:
• prepare a statement in accordance with the Act; and
• provide this statement to the CEO of ; and
• will give a copy of the statement to the OAIC as soon as practicable after becoming aware of the eligible data breach.

The statement must set out:
• the identity and contact details of the school;
• a description of the eligible data breach that the school has reasonable grounds to believe has happened;
• the kind/s of information concerned; and
• the recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.

must notify the contents of that statement to the affected individuals (students, parents, staff etc.) as soon as practicable. What constitutes reasonable steps for notification will depend on the circumstances of every case. Practicable means of communication are more likely to be by phone, letter, email or in person, as they are the normal means of communication between the school and its students or staff.
If it is not practicable to notify the individuals directly, may publish its statement on its website and take reasonable steps to make the statement public.
Public notification (for example on a website or social media) may be required if an eligible data breach involves highly sensitive and personal information affecting both past and present students, such that it would be impracticable to contact each of the individuals directly and the information disclosed would likely result in serious harm to all the individuals affected. Some exceptions to notifying the OAIC and individuals exist, including where taking ‘remedial action’ to avoid harm being suffered is possible. This exception may apply where, in the event of an eligible data breach, acts by requesting an unauthorised recipient of personal information to delete or destroy the information, such that there would unlikely be serious harm due to the breach.

Lodging a complaint

If individuals wish to complain about an alleged breach of the privacy of their personal information, the complaint should be made in accordance with the Members’ Grievance Policy, or Complaints Management Policy (for staff), as applicable.

If individuals are dissatisfied with the outcome of their complaint, they may escalate their complaint to the Office of the Australian Information Commissioner.
