Swan Christian Education Association Incorporated (SCEA) recognises and acknowledges that the protection of individuals’ privacy is important and required under the relevant legislation.
• SCEA collects information throughout its usual course of business.
• SCEA protects the privacy of personal information and health information which SCEA collects and uses.
• SCEA uses such information and to whom such information may be disclosed.
• SCEA reports data breaches.
• Individuals can access their personal information, correct any personal information which SCEA holds, lodge complaints in relation to alleged breaches of privacy or make any related enquiry.
This Policy covers all sites (schools and the system office) owned and/or operated by SCEA. All members of SCEA staff, contractors and volunteers must comply with this policy in relation to any personal information they handle.
Personal information may be collected from any individual with whom SCEA may have contact, including current and prospective students and their parents/guardians, alumni, job applicants, volunteers, contractors, past employees and other individuals who engage with SCEA.
SCEA may also collect, use and disclose health information in relation to the provision of health services to students while in the care of SCEA.
SCEA is bound by the Australian Privacy Principles (APPs) contained in the Privacy Amendment (Enhancing Privacy Protection) Act 2012. This amendment makes changes to the Privacy Act 1988 (“the Act”). SCEA is also bound in WA by the Freedom of Information Act 1992 (WA). In relation to health records SCEA holds, SCEA is bound by the Health Privacy Principles under the Health Act 1911.
This policy should be read in conjunction with the SCEA Members’ Grievance Policy, SCEA Staff Complaints Management Policy, the SCEA Access Arrangements for Separated Parents/ Policy, and the SCEA Digital Privacy, Safety and Security Policy and Framework.
The Association may, from time to time, review and update this policy to take account of changes to the Association’s operations and practices and to make sure it remains appropriate to the changing legal and school environment.
In carrying out its educational and welfare functions, Swan Christian Education Association collects personal information about students, parents/carers and staff. SCEA is committed to protecting the privacy of all information collected. All employees, Board members and volunteers are required by law to protect the personal information the school collects, including that of a sensitive nature. All members of the SCEA community have the right to understand how their personal information will be managed, stored, used and disposed of.
Types of information SCEA collects and holds
SCEA collects a range of personal information about an individual, including:
• contact number
• email address
• date of birth (DOB)
• photographs or videos
• academic results
• other relevant personal details
In addition to this information, where SCEA provides health services in discharging its duty of care, SCEA may collect information about health services previously provided to an individual, an individual’s current health status and an individual’s expressed wishes in relation to the provision of health services.
SCEA may also collect information about individuals when they access electronic resources or communications of the Association, such as websites or social media channels of the Association and its schools. Information SCEA collects from visits to its website is generally not personally identifiable. However, due to the nature of internet protocols, information collected may, individually or in aggregate, identify information such as the IP address of the computer accessing SCEA’s website, the internet service provider used by an individual, the web page directing an individual to SCEA’s website and the individual’s activity on SCEA’s website.
How SCEA collects personal information
SCEA may collect personal information from an individual through a variety of sources, including but not limited to:
• a form that is completed and submitted to SCEA;
• a telephone, email or in-person inquiry or discussion about SCEA and the services that SCEA provides;
• mail correspondence, emails and other electronic means – including by accessing SCEA’s website and use of the “contact us” form;
• electronic service providers, such as third-party cookies (Google Analytics), email distribution services or event management software;
• publicly available sources of information;
• reference from another school about an individual student; and
• reports provided to SCEA by a medical professional in relation to health services previously provided or to be provided by SCEA to an individual.
SCEA will usually collect personal information directly from an individual or their parent/guardian, unless it is unreasonable or impracticable to do so. Additionally, SCEA will usually only collect personally identifiable information when SCEA asks for that personal information or it is volunteered by the individual. SCEA may from time to time receive unsolicited personal information about an individual. SCEA will promptly destroy or de-identify any personal information found to have been collected in error.
Additionally, SCEA may collect data from users of its electronic platforms using various technologies and third-party service providers.
SCEA may seek consent of parents/guardians to use their child’s name, image and likeness in materials produced or published by SCEA or third-parties, including newsletters, magazines, posters and other advertising materials. Where parents/guardians do not consent to their child’s name, image and likeness being used by SCEA in this manner, SCEA will refrain from using their child’s name, image and likeness. Parents/guardians may at any time withdraw their consent and SCEA will remove their child’s name, image and likeness from electronic materials produced or published as soon as is reasonably practicable, or in the case of printed material subsequent prints from the time of notification of consent being withdrawn.
How SCEA uses personal information it collects
SCEA generally only uses personal information for the primary purpose for which it is collected or a secondary purpose, when it is permitted by the Act or if authorised or required by law.
SCEA collects personal information for the purposes of:
• facilitating its ability to function as an educational institution;
• other administrative functions, including assessing job applicants and managing volunteers;
• fulfilling its duty of care to its students;
• complying with its legal obligations owed to the State and Commonwealth Governments in relation to the provision of education to students;
• addressing queries or resolving complaints;
• marketing SCEA and the education services SCEA provides;
• keeping individuals connected to the Association up to date with relevant information and promotion of future services and events;
• keeping parents and guardians informed on matters relating to their child’s schooling at SCEA through correspondence, newsletters, magazines and reports;
• assessing applications for scholarships to attend SCEA and awarding and administering scholarships to current students at SCEA;
• seeking and administering donations and bequests made to SCEA; and
• improving services.
SCEA may also disclose personal information it collects from individuals to third-parties, such as SCEA’s professional advisers, courts, tribunals, regulatory authorities, other companies and individuals for:
• complying with its obligations owed to an individual under any contract between SCEA and the individual, or as required by law;
• enabling those third-parties to perform services on behalf of SCEA; and,
• recovering debts where amounts owed to SCEA in consideration for services SCEA provides remain due and outstanding beyond the payment terms.
Third-parties SCEA engages from time to time may have access to personal information held by SCEA about individuals, but SCEA will not authorise them to use such information for any other purpose.
SCEA may disclose personal information (including sensitive information) held about an individual to another school, government departments (where SCEA must disclose such information to comply with its legal obligations), medical practitioners, service providers (including specialist visiting teachers and sports coaches), recipients of SCEA publications (such as newsletters and magazines), and parents and guardians.
SCEA may use health information collected about an individual to provide health services to that individual where required. SCEA may disclose health information to a medical professional or to a health service provider where that other health service provider is engaged in providing health services to that individual. SCEA will not use or disclose such health information for a purpose other than the primary purpose of collection unless:
• the individual consents to the use or disclosure;
• the secondary purpose is directly related to the primary purpose and the individual would reasonably expect SCEA to use or disclose the information for the secondary purpose;
• the use or disclosure is required, authorised or permitted, whether expressly or impliedly by or under law; or,
• as otherwise authorised, permitted or required under the State Records Act 2000 (WA).
Effect of non-provision of personal information; anonymity and pseudonymity
From time to time an individual may be able to deal with SCEA anonymously or by using a pseudonym. For example, without limitation, if an individual has a general inquiry about SCEA, SCEA may be able to respond to the inquiry on an anonymous or pseudonymous basis.
However, if an individual does not provide the personal information SCEA requests, or the information is provided anonymously or pseudonymously, then SCEA may be unable to fulfil its functions as an educational institution or discharge its duty of care to the parents/guardians or children affected.
Further, in some situations, SCEA may need to verify an individual’s identity as part of SCEA’s response to a request to access and/or correct personal information or health information SCEA holds about an individual, or as part of SCEA’s complaints-handling procedure. If SCEA cannot verify an individual’s identity, or they continue to engage with SCEA on an anonymous or pseudonymous basis, then SCEA may be unable to complete the request or pursue its complaints-handling procedure.
SCEA may directly market its services to individuals on the basis that they would reasonably expect SCEA to do so, where SCEA has already collected their personal information.
SCEA will also comply with other laws relevant to marketing, including the Spam Act 2003 (Cth), the Do Not Call Register Act 2006 (Cth) and the Competition and Consumer Act 2010 (Cth).
Marketing email communications which SCEA sends will include an opt-out procedure.
Cross-border transfer or disclosure of information
SCEA may disclose an individual’s personal information to entities outside Australia from time to time. For example, SCEA may be required to disclose the personal information of students travelling to SCEA’s outreach activities to Australian and overseas government authorities.
SCEA may transfer health information about an individual to an entity other than SCEA or the individual which is outside Australia only when SCEA reasonably believes that the recipient is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the requirements under the Freedom of Information Act 1992 (WA), if the individual consents to the transfer or otherwise as permitted under the Freedom of Information Act 1992 (WA).
SCEA makes use of services hosted overseas where they are subject to a binding scheme or law that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the Australian Privacy Principles protect the information; and there are mechanisms that allow the individual to take action to enforce that protection of the law or binding scheme. Where this isn’t possible, SCEA will seek appropriate consent.
Quality of information
Whilst it is the responsibility of the parent or guardian to provide updated or amended personal and health information, SCEA takes reasonable steps to ensure that the personal information and the health information SCEA collects, uses, holds or discloses is accurate, complete, up-to-date and relevant to SCEA’s functions or activities, having regard to the purpose for which the information is to be used or disclosed by SCEA.
Additionally, SCEA will take reasonable steps to destroy or de-identify personal information it holds about an individual, if SCEA no longer requires that personal information.
Accessing and correcting information
Individuals are entitled at any time, upon request, to access the personal information held about them. SCEA will respond within a reasonable period after receiving the request. SCEA will give access to the information in the manner it is requested, unless it is impracticable for SCEA to do so. SCEA is entitled to charge a reasonable administrative fee for giving access to the information.
SCEA may from time to time refuse an individual access to the information SCEA holds about that individual, in accordance with the relevant legislation. Where SCEA refuses access, SCEA will explain the reasons for refusal in writing and, if individuals wish to lodge a formal complaint about the refusal, it should be made in accordance with SCEA’s grievance policies.
SCEA reserves the right to verify an individual’s identity before granting access to the personal information SCEA holds about them.
Parents/guardians generally have a right to access information held concerning their child, but in some cases, information disclosed to health and psychological professionals may be withheld from parents/guardians when requested by a child assessed as mature enough to make this choice.
The disclosure of information held to separated/divorced parents/guardians will be governed by Family Court Orders, if they exist.
If at any time individuals believe that personal information SCEA holds is incorrect, incomplete or inaccurate, they may request that SCEA amend such personal information. If SCEA refuses the correction request, then SCEA will provide written reasons and information about SCEA’s complaints-handling process, should they not be satisfied with those reasons.
Where SCEA corrects personal information held about an individual, SCEA will take reasonable steps to notify third-parties of the correction.
Mandatory Notification of Data Breaches
On 22 February 2018, changes to the Act took effect and a new Notifiable Data Breach (NDB) Scheme is in force. The NDB Scheme requires SCEA to notify the Office of the Australian Information Commissioner (OAIC) and the affected individual(s), in the event of a notifiable data breach.
A data breach occurs when personal information is lost or subject to unauthorised access, modification, disclosure, or other misuse or interference. For SCEA, data breaches are not limited to hackings or cyber-attacks on school systems. More commonly, data breaches occur due to internal human errors or a failure to follow information handling policies that result in personal information being inadvertently lost or disclosed to the wrong person, for example, leaving a school laptop on public transport.
Not all data breaches will be NDBs. Pursuant to section 26WE of the Act, an eligible data breach, which would require notification, occurs in circumstances where:
• there is an unauthorised access or unauthorised disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
• information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any individuals to whom that information relates.
In short, for there to be an eligible data breach, the breach would have the likelihood of resulting in serious harm to any of the affected individuals. Serious harm could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the school’s position would identify as a possible outcome of the data breach.
Examples of data breaches which may meet the definition of an eligible data breach, include when:
• a device containing a member of the school community’s personal information is lost or stolen (e.g. a school laptop);
• a database containing personal information is hacked;
• personal information about students or staff is mistakenly provided to the wrong person;
• records containing student information are stolen from unsecured recycling bins; or
• personal information about students/staff is disclosed for purposes other than what it was collected for and without the consent of the affected students/staff.
Once a SCEA employee forms the view, based on reasonable grounds, that there has been an eligible data breach, they must:
• prepare a statement in accordance with the Act; and
• provide this statement to the CEO of SCEA; and
• SCEA will give a copy of the statement to the OAIC as soon as practicable after becoming aware of the eligible data breach.
The statement must set out:
• the identity and contact details of the school;
• a description of the eligible data breach that the school has reasonable grounds to believe has happened;
• the kind/s of information concerned; and
• the recommendations about the steps that individuals should take in response to the eligible data breach that the entity has reasonable grounds to believe has happened.
SCEA must notify the contents of that statement to the affected individuals (students, parents, staff etc.) as soon as practicable. What constitutes reasonable steps for notification will depend on the circumstances of every case. Practicable means of communication are more likely to be by phone, letter, email or in person, as they are the normal means of communication between the school and its students or staff.
If it is not practicable to notify the individuals directly, SCEA may publish its statement on its website and take reasonable steps to make the statement public.
Public notification (for example on a website or social media) may be required if an eligible data breach involves highly sensitive and personal information affecting both past and present students, such that it would be impracticable to contact each of the individuals directly and the information disclosed would likely result in serious harm to all the individuals affected. Some exceptions to notifying the OAIC and individuals exist, including where taking ‘remedial action’ to avoid harm being suffered is possible. This exception may apply where, in the event of an eligible data breach, SCEA acts by requesting an unauthorised recipient of personal information to delete or destroy the information, such that serious harm due to the breach would be unlikely.
Lodging a complaint
If individuals wish to complain about an alleged breach of the privacy of their personal information, the complaint should be made in accordance with the Members’ Grievance Policy, or SCEA Complaints Management Policy (for staff), as applicable.
If individuals are dissatisfied with the outcome of their complaint, they may escalate their complaint to the Office of the Australian Information Commissioner.