What kinds of personal information does the College collect and how do we collect it?
The type of information Catholic Ladies’ College collects and holds includes (but is not limited to) personal information, including health and other sensitive information, about:
Students and parents and/or guardians (Parents) before, during and after the course of a student’s enrolment at the College, including:
- name, contact details (including next of kin), date of birth, previous school and religion;
- medical information e.g. details of disability and/or allergies;
- conduct and complaint records, or other behavior notes, and school reports;
- information about referrals to government welfare agencies;
- counselling reports;
- health fund details and Medicare number;
- any court orders;
- volunteering information (including working with children checks); and
- photos and videos at school events.
Job applicants, staff members, volunteers and contractors, including:
- name, contact details (including next of kin), date of birth and religion;
- information on job application;
- professional development history;
- salary and payment information, including superannuation details;
- medical information (eg details of disability and/or allergies and medical certificates);
- complaint records and investigation reports;
- leave details;
- photos and videos at school events;
- work emails and private emails (when using work email address) and internet browsing history.
Other people who come into contact with the College, including name and contact details and any other information necessary for the particular contact with the College.
Personal information you provide
The College will generally collect personal information held about an individual by way of forms filled out by Parents or students, face-to-face meetings and interviews, emails and telephone calls and on our visitor system, vPass. On occasions people other than Parents and students provide personal information.
Personal information provided by other people
In some circumstances the College may be provided with personal information about an individual from a third party, for example a report provided by a medical professional or a reference from another school.
Exception in relation to employee records
The College needs to be able to identify individuals with whom it interacts and to collect identifiable information about them to facilitate the delivery of schooling to its students and its educational and support services, conduct the job application process and fulfil other obligations and processes. However, in some limited circumstances some activities and interactions with the College may be done anonymously where practicable, which may include making an inquiry, complaint or providing feedback.
How will the College use the personal information you provide?
The College will use personal information it collects from you for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of the collection and reasonably expected, or to which you have consented.
Students and Parents
In relation to personal information of students and Parents, the College’s primary purpose of collection is to enable the College to provide schooling to students enrolled at the College (including educational and support services for the student), exercise its duty of care and perform necessary associated administrative activities which will enable students to take part in all the activities of the College. This includes satisfying the needs of parents, the needs of the student and the needs of the Catholic Education Office and College throughout the whole period the student is enrolled at the College. The purposes for which the Catholic Education Office and the College uses personal information of students and Parents include:
- to keep Parents informed about matters related to their child’s schooling, through correspondence, newsletters and magazines;
- day-to-day administration of the School;
- looking after students’ educational, social and medical wellbeing;
- seeking donations and marketing for the School; and
- to satisfy the School’s legal obligations and allow the School to discharge its duty of care.
In some cases where the College requests personal information about a student or Parent, if the information requested is not provided, the College may not be able to enrol or continue the enrolment of the student or permit the student to take part in a particular activity.
Job applicants, staff members and contractors
In relation to personal information of job applicants, staff members and contractors, the College’s primary purpose of collection is to assess and (if successful) to engage the applicant, staff member or contractor, as the case may be. The purposes for which the College uses personal information of job applicants, staff members and contractors include:
- in administering the individual’s employment or contract, as the case may be;
- for insurance purposes;
- seeking donations and marketing for the School; and
- to satisfy the College’s legal obligations, for example, in relation to child protection legislation.
The College also obtains personal information about volunteers who assist the College in its functions or conduct associated activities, such as [alumni associations], to enable the College and the volunteers to work together.
The College may disclose personal information to the school parish to facilitate religious and sacramental programs and other activities such as fundraising.
Marketing and fundraising
The College treats marketing and seeking donations for the future growth and development of the College as an important part of ensuring that the College continues to provide a quality learning environment in which both students and staff thrive. Personal information held by the College may be disclosed to organisations that assist in the College’s fundraising, for example, the Parents’ Association or Alumni organisation [or, on occasions, external fundraising organisations].
Parents, staff, contractors and other members of the wider College community may from time to time receive fundraising information. College publications, like newsletters and magazines, which include personal information, may be used for marketing purposes.
Who might the College disclose personal information to and store your information with?
The College may disclose personal information, including sensitive information, held about an individual for educational, administrative and support purposes. This may include to:
- school service providers which provide educational, support and health services to the School, including the Catholic Education Commission of Victoria Ltd (CECV), Catholic Education Offices, specialist visiting teachers, volunteers, counsellors, sports coaches and providers of learning and assessment tools;
- third party service providers that provide online educational and assessment support services or applications to schools and school systems including the Integrated Catholic Online Network (ICON) and Google’s G Suite, including Gmail;
- other third parties which the school uses to support or enhance the educational or pastoral care services for its students;
- another school, including to its teachers to facilitate the transfer of a student;
- government departments;
- medical practitioners;
- recipients of College publications, such as newsletters and magazines;
- student’s parents or guardians and their emergency contacts;
- Assessment and educational authorities including the Australian Curriculum, Assessment and Reporting Authority;
- anyone you authorise the School to disclose information to; and
- including child protection laws
Sending and storing information overseas
The College may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange. However, the College will not send personal information about an individual outside Australia without:
- obtaining the consent of the individual (in some cases this consent will be implied); or
- otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.
Where personal and sensitive information is retained by a cloud service provider on behalf of CECV to facilitate HR and staff administrative support, this information will be stored on servers located within Australia. This includes the ICON system.
How does the College treat sensitive information?
In referring to ‘sensitive information’, the College means: information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or practices or criminal record, that is also personal information; health information and biometric information about an individual.
Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless you agree otherwise, or the use or disclosure of the sensitive information is allowed by law.
Management and security of personal information
The College’s staff are required to respect the confidentiality of students’ and Parents’ personal information and the privacy of individuals. The College has in place steps to protect the personal information the College holds from misuse, interference and loss, unauthorised access, modification or disclosure by use of various methods including locked storage of paper records and password access rights to computerised records.
Data Breach Response Plan
As soon as a possible breach has been identified or suspected the first respondent is to:
- note time/place/parties involved/the data type and, if possible, means or cause of the breach;
- contact the Principal.
- The Principal will inform the Data Breach Response Team (DBRT) (comprising the Principal, Human Resources Manager, Business Manager, Administration Team Leader, the relevant Deputy Principal (as determined by the Principal) and other invited relevant persons (as determined by the Principal)).
The Data Breach Response Team will conduct a risk assessment and will determine, within 30 days:
- if the breach has occurred;
- the affected individuals;
- the cause and extent;
- the nature of the breach and if it is notifiable or not (refer to Appendix);
- if the breach is an ‘eligible data breach’ in terms of notifying the Office of the Australian Information Commissioner (OAIC);
- if the breach is notifiable then the DBRT will follow the Notifiable Data Breach requirements and submit a statement in the required format to the Office of the Australian Information Commissioner (OAIC);
- if the breach is an ‘eligible data breach’ the DBRT will also contact all affected individuals directly or indirectly by publishing information about the eligible data breach on a publicly accessible forum;
- notify each of the individuals who are at risk from the eligible data breach by such steps as is reasonable in the circumstances.