COAST Christian School (COAST) is bound by the Australian Privacy Principles (APPs) contained in the Commonwealth Privacy Act 1988, other Commonwealth and State privacy legislation, and follows ‘Guidelines’ as issued by the Office of the Australian Information Commissioner.
COAST acknowledges its responsibility before God to care for and protect the children, families and others who trust COAST to carry out those responsibilities with love and respect. (Love) always protects, always trusts, always hopes, always perseveres. (1 Corinthians 13:7)
COAST respects the privacy of individuals and families and places a high priority on integrity in its handling of information provided to COAST. It seeks to protect the rights of all people who provide information to the School, in accordance with relevant legislation.
COAST honours the Commonwealth and State laws which circumscribe the collection, storage and dissemination of information provided to it.
Purpose of this document
This document sets out the policies and procedures of COAST in relation to how the School uses and manages the personal information provided to, or collected by, it for the well-being of students in its care and for the reasonable functions of the School.
A. The School’s handling of the personal information it collects and holds (including sensitive and health information) is governed by the Australian Privacy Principles and other requirements of legislation and regulators.
B. The School is committed to protecting the rights to privacy of all stakeholders in its handling of personal information. Exception: where other legislative requirements take precedence e.g. child protection investigation processes.
C. The School is committed to providing an excellent standard of student welfare and education. The information it collects is primarily for the purpose of running, and managing the responsibilities of the School.
D. The School is committed to rapid and effective response in the event of a data breach; and in accordance with the requirements of the Notifiable Data Breach scheme.
E. COAST is committed to continual improvement of its practices in the protection of the personal information it holds.
COLLECTION OF INFORMATION
1 Collection of Personal Information
The School collects and holds information including (but not limited to) personal information, including health and other sensitive information, about:
Students and parents/ guardians before, during and after the course of a student’s enrolment at the School
Job applicants, staff members and their families, volunteers and contractors
Other people who come into contact with the School
(a) Collection from the individual: Where possible, the School collects information from the individual concerned. Generally, the School will refer any requests for consent, and notices in relation to the personal information of a student, to the student’s parents. The School will treat consent given by the parents as consent given on behalf of the student; and notice given to the parents will act as notice given to students.
(b) Personal information provided by an individual: Generally collected by way of written forms, face-to-face meetings, interviews, emails and telephone calls.
(c) Personal information provided by other people: In some circumstances the School may be provided with personal information about an individual from a third party, e.g. a report from a health care professional, or a reference from another school.
2 Need to Advise
Before information is collected, or as soon as practicable afterwards, COAST will make the individual to whom the information relates aware of the following:
The fact that information is being collected
The purpose for which the information is being collected
The intended recipients of the information
Whether the supply of information by the individual is required by law, or is voluntary; and any consequences for the individual if the information is not provided, or part not provided
The existence of any right of access to, and correction of, the information
This information is outlined in the ‘Standard Collection Notice’, available on the School’s public website.
USE AND DISCLOSURE OF PERSONAL INFORMATION
1 Use of the Personal Information Provided to the School
The School will use personal information provided to it for the primary purpose of collection; and for related secondary purposes which may be reasonably expected, or to which you have consented.
(a) Students and Parents/ Guardians: The School’s primary purpose of collection of personal information is to enable the School to provide schooling for the student. This includes satisfying the needs of parents/ guardians, the needs of the student and the needs of the School throughout the whole period the student is enrolled at the School. The purposes for which the School uses this personal information include:
o To keep parents informed about matters relating to the child’s schooling, through correspondence, reports, newsletters and magazines
o Day-to-day administration
o The student’s educational, social and medical well-being
o Seeking donations and marketing for the School
o To satisfy the School’s legal obligations and allow the School to discharge its duty of care
o Complying with Federal and State reporting requirements
o Investigating incidents or defending any legal claims against the School, its services or staff
o Celebrating the efforts and achievements of students
Where the School requests personal information about a pupil or parent/ guardian, which is not provided, COAST may not be able to enrol or continue the enrolment of the student or permit the student to take part in a specific activity.
(b) Job applicants, staff members and contractors: The School requests personal information for:
o Assessing suitability for employment, to engage an employee or contractor
o Administration of the individual’s contract or employment
o Insurance purposes, such as public liability or Work Cover
o Satisfying the School’s legal obligations, e.g. in relation to child protection legislation
o Investigating incidents, or defending legal claims about the School, its services or staff
o Seeking donations, and marketing of the School
(c) Volunteers: The School obtains personal information about volunteers who assist the School in its functions, or conduct associated activities, to enable the School and the volunteers to work together.
(d) Marketing and Fund-raising: The School treats marketing, and seeking donations for the future growth and development of the School, as an important part of ensuring that the School continues to be a quality learning environment in which both students and staff thrive. Parents, staff, contractors and other members of the wider School community may from time to time receive fundraising information. School publications, like newsletters and magazines, which include personal information, may be used for marketing purposes.
(e) ‘Do Not Publish’: The School creates opportunities for parents to choose for their child’s or family’s information to NOT be published, e.g. photos/ videos; COAST Directory; use of student’s work. Parents may inform the School during the enrolment process, at annual update of information, or at any time by advising the School in writing of withdrawal of consent.
(f) Unsolicited personal information: If we receive unsolicited personal information, we will destroy it unless we are permitted to hold the information and it is needed to carry out our functions or fulfil our duty of care to students or staff.
(g) Exception in relation to related school: The Privacy Act allows each school, being legally related to each of the other schools being members of Christian Schools Australia, to share personal (but not sensitive) information with other schools who are members of CSA. Other CSA schools may then only use this personal information for the purpose for which it was originally collected by the Christian school. This allows schools to transfer information between them, for example, when a pupil transfers from a Christian school to another school who is a member of CSA.
2 Disclosure of Personal Information
(a) COAST may disclose personal information, including sensitive information, held about an individual to:
Distance Education providers e.g. TAFE, where students are enrolled as part of their study
Assessment and educational authorities e.g. NESA; NAPLAN
Service providers to the School, e.g. music tutors; finance services
Recipients of COAST publications, such as newsletters and magazines; COAST Directory
Parents of the student enrolled; unless a Court Order limiting access by one parent is received by the School
Anyone personally authorised by the parents/ guardians of the student
Anyone to whom the School is required to disclose information to by law
(b) The School will not send personal information about an individual outside Australia without:
In the instance of an individual’s personal information, obtaining the consent of the individual (unless this consent is already implied) e.g. for the purpose of arranging an overseas trip for students
In the instance of collected storage of information, ensuring that the recipient agency/ service provider complies with the Australian Privacy Principles, or other applicable privacy legislation e.g. data stored in the ‘cloud’
3 Handling of Sensitive Information
Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless agreed otherwise, or the use or disclosure of the sensitive information is allowed by law.
MANAGEMENT OF PERSONAL INFORMATION
The School takes all reasonable steps to make sure that the personal information it collects and stores is accurate, up-to-date, complete, relevant and not misleading. E.g. annual student information update forms.
1 Access and Correction of Personal Information
An individual has the right under the Privacy Act to obtain access to any personal information which the School holds about them; and to advise the School of any perceived inaccuracy and to seek correction to their information.
Students will generally be able to access and update their personal information through their parents, but older students may seek access and correction themselves.
There are some exceptions to these rights set out in the applicable legislation.
The School endeavours to ensure that the personal information it holds is accurate, complete and up-to-date.
Personal information may be accessed or updated by contacting the School in writing. The School will require you to verify your identity and specify what information you require.
If the information sought is extensive, the School may require a fee to cover the cost of verifying your application and locating, retrieving, reviewing and copying any material requested.
The School will not store personal information longer than necessary.
2 Denial of Access to Personal Information
If the School cannot provide access to the information required, the School may be able to provide a format of information that protects the privacy of other individuals.
A written notice explaining the reasons for a refusal will be provided.
Access to personal information will be denied in all cases such as where:
It would pose a serious or imminent threat to the life or health of an individual
Release may result in a breach of the School’s duty of care to the student
It would have an unreasonable impact on the privacy of other individuals
It is likely to prejudice the prevention, detection, investigation, prosecution or punishment of an unlawful activity, the activities of a law enforcement agency, or legal proceedings
The request is frivolous or vexatious
The information relates to existing or anticipated legal proceedings between the parties, and the information would not be accessible through legal procedures
Providing access would be unlawful
Denying access is required or authorised by or under law
3 Consent and Rights of Access to the Personal Information of Students
The School respects every parent’s right to make decisions concerning their child’s education.
Generally, the School will refer any requests for consent and notices in relation to the personal information of a student to the student’s parents/ guardians. The School will treat consent given by parents/ guardians as consent given on behalf of the student, and notice to parents/ guardians will act as notice given to the student.
COAST may, at its discretion, on the request of a student, grant that student access to information held by the School about them; or allow a student to give or withhold consent to the use of their personal information, independently of their parents/ guardians. This would normally be done only when the maturity of the student and/or the student’s personal circumstances so warranted.
4 Employment Records
Employee records and acts done by the School as the employer of staff, if directly related to a current or former employment relationship, are exempt from the application of the Privacy Act 1988.
Examples of this type of information include the terms and conditions of employment, personal contact details, performance and conduct and salary details.
Accordingly, the School may access and use personal information about employees when appropriate.
5 Storing personal information
We will store personal information securely so that it can only be readily accessed by a staff member with a legitimate reason for using it, and it is protected from interference, misuse, loss or unauthorised access.
(a) Personal information about students, parents or staff that we keep in databases will be protected from general access by effective security arrangements such as passwords so that only those with a legitimate reason can gain access to the information relevant to them. Workstations and software applications such as email will log off after a predetermined period of inactivity to prevent unauthorised access when they are unattended.
(b) Personal information on paper will be kept in locked storage and be protected by any other security measures appropriate to maintaining the required level of confidentiality and privacy. Documents with personal information must not be left visible and unattended in work areas.
6 When personal information is no longer needed
When personal information is no longer needed for the purpose for which it was collected, we will destroy it (or de-identify it).
SECURITY OF PERSONAL INFORMATION
The School has in place steps to protect the personal information the School holds from misuse, interference and loss, unauthorised access, modification or disclosure by use of various methods including locked storage of paper records and password access rights to computerised records, and restricting access to relevant people in areas where personal information is stored. (APP 11)
The School’s staff are required to respect the confidentiality of students’ and parents’ personal information, and the privacy of individuals.
1 Breach of Privacy
A breach of privacy may result from mishandling information according to the Australian Privacy Principles.
A data breach concerns the security of personal information, and involves the actual unauthorised access to, or disclosure of, personal information; or the loss of personal information where the loss is likely to result in unauthorised access or disclosure.
Causes may be malicious acts of third parties; human error; systems failure; or failure to follow information handling or data security measures resulting in accidental loss, access or disclosure.
(a) If a data breach is suspected, or confirmed, the School shall take remedial action as soon as is practicable to contain and limit the data loss or access; and to minimise the chance of serious harm to any individual affected by the breach.
(b) The School shall assess all suspected, or confirmed, data breaches to determine whether it is an Eligible Data Breach. (see 10.2)
(c) Exception: If the remedial action contains or limits the data loss and potential harm to individuals, the data breach is not a ‘Notifiable Data Breach’.
(d) The School shall investigate the circumstances, and take steps to address any issues and increase data security.
2 Notifiable Data Breaches
The Notifiable Data Breach (NDB) scheme (from 22 February 2018) gives individuals increased confidence that, in the event of a breach of privacy, they will be informed of that data breach and have an opportunity to protect their interests.
(a) The School shall act as soon as is practicable to prevent further loss of, or access to, the data.
(b) In the event of an NDB, the School shall notify all affected individuals, directly or indirectly, of the NDB as soon as is practicable.
(c) In the event of an NDB, the School shall prepare a statement of prescribed information regarding the eligible data breach for the Office of the Australian Information Commissioner (OAIC).
(d) The School shall make the affected individuals aware of the contents of the statement to the OAIC.
(e) The School shall take action to address the cause/s of any data breach, to guard against further loss of information.
Any concerns about the way the School has handled the personal information it holds should be made in writing and directed to the Principal.
The School will investigate the complaint and will notify you of the decision in relation to your complaint as soon as practicable after it has been made.
If the School is unable to resolve the complaint to your satisfaction, the matter may be referred to the Information Commissioner.
For further information about the way COAST manages the personal information it holds, please contact the School.
The Office Manager
COAST Christian School
PO Box 6064
Kincumber NSW 2251
02 4368 3377