1. Introduction and Context

Anglican Schools Corporation (Corporation) is an organisation established by the Anglican Church Diocese of Sydney to provide a Christian education for the communities it serves.

The Corporation consists of the schools which are listed on the Corporation's website, www.tasc.nsw.edu.au. These schools are operations of the Corporation and are not separate legal entities. The Corporation has a shared administrative and advisory office, the Group Office.

When personal information is collected, held, used, disclosed or otherwise handled (together, Handled) by a school, the Group Office, or other parts of the Corporation, the information is Handled by the Corporation (as the legal entity).

2. Application of Policy

This Privacy Policy (Policy) applies to the Corporation, including all the schools within the Corporation. A reference to the Corporation includes each of the schools within the Corporation. A reference to a Principal is a reference to the Principal of the applicable school (however that position may be titled).

The Policy sets out how the Corporation Handles personal information.

The Corporation is bound by the Australian Privacy Principles contained in the Commonwealth Privacy Act 1988 (Privacy Act), an Australian law which regulates the Handling of personal information about individuals.

In relation to health records, the Corporation is also bound by the NSW Health Privacy Principles contained in the Health Records and Information Privacy Act 2002 (NSW) (Health Records Act), a New South Wales law that governs the handling of health information.

The Corporation may, from time to time, review and update this Policy to take account of new laws and technology, changes to the Corporation’s operations and practices and to make sure it remains appropriate to the changing education and school environment. The Corporation's website, www.tasc.nsw.edu.au, shows the current version of the Policy, including any updates.

3. Purpose and Objectives

This Policy outlines how the Corporation will Handle personal information (including how individuals can seek to access or correct their personal information, or make a privacy complaint).

The objectives of this Policy are to:

• identify the type of personal information collected and how it will be collected;
• outline how the personal information will be used;
• identify to whom the personal information may be disclosed and stored with;
• outline how sensitive information will be treated;
• communicate how personal information will be managed and secured;
• communicate how to make access and correction requests, as well as how the Corporation approaches consent and rights of access of personal information of students; and
• outline a process for enquiries or complaints regarding privacy matters.

4. Policy

4.1 What kinds of personal information does the Corporation collect and how does the Corporation collect it?

The type of information the Corporation collects and holds includes (but is not limited to) personal information, including health and other sensitive information (see section 6 below for definitions), regarding:

• students, and parents, carers and/or legal guardians (Parents) before, during and after the course of a student's enrolment at a school, such as:
  
  • name, contact details (including next of kin), date of birth, gender, language background, previous school attended and religion;
  • parents' education, occupation and language background;
  • medical information (e.g. details of disability and/or allergies, absence notes, medical reports and names of doctors);
  • results of assignments, tests and examinations;
  • conduct and complaint records, or other behaviour notes, and school reports;
  • information about referrals to government welfare agencies;
  • counselling reports;
  • health fund details and Medicare number;
  • any court orders;
  • volunteering information;
  • photos, videos, other images or other identifying material associated with school activities; and
  • private emails (when using the school’s email address);
• job applicants, employees, volunteers and contractors, such as but not limited to:
  
  • name, contact details (including next of kin), date of birth, and religion;
  • information on job application;
  • professional development history;
  • salary and payment information, including superannuation details;
  • medical information (e.g. details of disability and/or allergies, and medical certificates);
  • complaint records and investigation reports;
  • leave details;
  • photos, videos, other images or other identifying material associated with Corporation activities;
  • workplace surveillance information;
  • work emails and private emails (when using work email address), work data and private data (when using work electronic devices), and internet browsing history; and
  • any other information relevant to the job applicant, employee, volunteer or contractor’s role;
• other people who come into contact with the Corporation, such as:
  
  • name and contact details and any other information necessary for the particular contact with the Corporation.

Personal information provided by individuals: The Corporation will generally collect the personal information held about an individual by way of forms completed by Parents or students, through face-to-face meetings and interviews, emails and telephone calls. On occasions, people other than Parents and students may provide personal information.

If an enrolment application is made to more than one school of the Corporation, the personal information provided during the application stage may be shared between the schools. This personal information may include health information and is used for the purpose of considering and administering the enrolment of the student within the Corporation.

Personal information provided by other people: In some circumstances, the Corporation may be provided with personal information about an individual from a third party, for example a report provided by a medical professional or a reference from another school. If a student transfers to a new school, the new school may collect personal information about the student from the student's previous school to facilitate the transfer of the student.

Exception in relation to employee records: Under the Privacy Act and the Health Records Act, the Australian Privacy Principles and Health Privacy Principles do not apply to the Handling of an employee record by an employer. As a result, this Policy does not apply to the Corporation’s treatment of an employee record, where the treatment is directly related to a current or former employment relationship between the Corporation and employee.

4.2   How will the Corporation use the personal information provided to it (including sharing amongst schools within the Corporation)?

The Corporation will use personal information it collects from an individual for the primary purpose of collection, and for such other secondary purposes that are related (or directly related in respect of sensitive information) to the primary purpose of collection and are reasonably expected, to which the individual has consented, or as otherwise required or permitted by law. This includes sharing personal information (including sensitive information) between schools within the Corporation, with the Group Office, and/or other parts of the Corporation for these purposes.

Students and Parents: In relation to the personal information of students and Parents, the Corporation’s primary purpose of collection is to enable the Corporation to provide schooling to students enrolled at one of its schools, exercise its duty of care, and perform necessary associated administrative activities, which will enable students to take part in all the activities of a Corporation school. This includes responding to the needs of Parents, the needs of the student and the needs of the Corporation, throughout the whole period the student is enrolled at a Corporation school.

The purposes for which the Corporation may use personal information of students and Parents include:

• to assess enrolment applications. Where concurrent applications for enrolment are made to multiple schools within the Corporation, each of those schools will have access to the information (this was explained further in section 4.1 of this Policy);
• to keep Parents informed about matters related to their student's schooling, through correspondence, newsletters and magazines, and the like;
• day-to-day administration;
• providing for students' educational, social, spiritual and medical wellbeing;
• to facilitate the transfer of a student between the Corporation’s schools;
• seeking donations and marketing for the Corporation; and
• to satisfy the Corporation’s legal obligations and allow the Corporation to discharge its duty of care.

In some cases where the Corporation requests personal information about a student or Parent, if the information requested is not obtained, the Corporation may not be able to enrol or continue the enrolment of the student or permit the student to take part in a particular activity.

Job applicants, employees and contractors: In relation to personal information of job applicants and contractors, the Corporation’s primary purpose for collection is to assess and (if successful) to engage the applicant or contractor, as the case may be. Subsequently, further personal information may be required from successful job applicants for them to be employed as employees or contractors.

The purposes for which the Corporation uses personal information of job applicants, employees and contractors include:

• administering the individual's employment or contract, as the case may be;
• for insurance purposes;
• seeking funds and marketing for the Corporation; and
• satisfying the Corporation’s legal obligations, for example, in relation to child protection legislation.

Volunteers: The Corporation obtains personal information about volunteers who assist the Corporation in its functions or conduct associated activities, for example, alumni associations, to enable the Corporation and the volunteers to work together.

Marketing and fundraising: The Corporation treats marketing and the seeking of donations for the future growth and development of the Corporation as an important part of ensuring that the Corporation continues to offer a quality learning environment in which both students and employees thrive. Personal information held by the Corporation may be disclosed to organisations that assists in the Corporation’s fundraising, for example, an alumni organisation or, on occasions, external fundraising organisations.

Parents, employees, contractors and other members of the wider Corporation community may from time to time receive fundraising information. School publications, like newsletters and magazines, and the like, which include personal information, may be used for marketing purposes.

4.3   Who might the Corporation disclose personal information to and store information with?

The Corporation may disclose personal information, including sensitive information held about an individual for educational, administrative and support purposes. This may include to:

• other schools and teachers at those schools, including another school to which a student transfers to facilitate the transfer of the student;
• government departments (including for policy and funding purposes);
• medical practitioners;
• people providing educational, support and health services to a school within the Corporation, including specialist visiting teachers, coaches, volunteers, and counsellors;
• providers of specialist advisory services and assistance to the Corporation, including in the area of Human Resources, child protection and students with additional needs;
• providers of learning and assessment tools;
• assessment and educational authorities, including the NSW Education Standards Authority (NESA), Australian Curriculum, Assessment and Reporting Authority (ACARA) and NAPLAN Test Administration Authorities (who will disclose it to the entity that manages the online platform for NAPLAN);
• agencies and organisations to whom the Corporation is required to disclose personal information for education, funding and research purposes;
• people and organisations providing administrative, technology and financial services to the Corporation;
• related entities of the Corporation and the Anglican Church Diocese of Sydney;
• recipients of Corporation publications, such as newsletters and magazines, and the like;
• students’ Parents;
• anyone who an individual authorises the Corporation to disclose information to; and
• anyone to whom the Corporation is required or authorised to disclose the information to by law, including child protection laws.

Sending and storing information overseas: The Corporation may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange. However, a school will not send personal information about an individual outside Australia without:

• obtaining the consent of the individual; or
• otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.

Storage and access as part of centralised information systems: The Corporation uses information management and storage systems (Systems). These Systems are either owned by the Corporation or provided by third party service providers. Personal information is stored with and accessible by the Corporation and the third-party service providers for the purpose of providing services to the Corporation in connection with the Systems and for administering the education of students.

Online or 'cloud' service providers: The Corporation may use online or 'cloud' service providers to store personal information and to provide services to the Corporation that involve the use of personal information, such as services relating to email, file storage, instant messaging and education and assessment applications. Some limited personal information may also be provided to these service providers to enable them to authenticate users that access their services. This personal information may be stored on the 'cloud' service provider’s servers which may be situated outside Australia.

The ‘cloud’ service providers may provide applications, and store and process limited personal information for this purpose. The Corporation and its service providers may have the ability to access, monitor, use or disclose emails, communications (e.g. instant messaging), documents and associated administrative data for the purposes of administering the ‘cloud’ services and ensuring their proper use.

4.4   How does the Corporation treat sensitive information?

In referring to 'sensitive information', the Corporation means: information or an opinion relating to an individual's racial or ethnic origin, political opinions, membership of a political association, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or practices, or criminal record, that is also personal information; health information, genetic information and biometric information about an individual.

Sensitive information will be used and disclosed only for the purpose for which it was collected or for a directly related secondary purpose that is reasonably expected, unless the individual agrees otherwise, or the use or disclosure of the sensitive information is allowed by law. Please see sections 4.2 and 4.3 for more information about how the Corporation Handles sensitive information.

4.5   Management and security of personal information

All Corporation employees, volunteers and contractors are required to respect the confidentiality of students' and Parents' personal information and the privacy of individuals.

The Corporation has in place steps to protect the personal information the Corporation holds from misuse, interference and loss, unauthorised access, modification or disclosure by use of various methods, including locked storage of paper records and password access rights to computerised records.

4.6   Access and correction of personal information

Under the Privacy Act and the Health Records Act, an individual has the right to seek and obtain access to any personal information which the Corporation holds about them and to advise the Corporation of any perceived inaccuracy.

Students will generally be able to access, correct and update their personal information through their Parents, but older students may seek access and correction themselves.

There are some exceptions to these rights set out in the applicable legislation.

To make a request to access, correct or update any personal information the Corporation holds about an individual, the Corporation CEO, the relevant Principal, or their delegate, should be contacted by telephone or in writing as per the contact details found in the ‘Contact us’ section at the end of this Policy.

The Corporation may require the individual making the enquiry to verify their identity and specify what information is required. The Corporation may charge a fee to cover the cost of verifying an application and locating, retrieving, reviewing and copying any material requested. If the information sought is extensive, the Corporation will advise the likely cost in advance. If the Corporation cannot provide the individual making the enquiry with access to the information requested, it will provide the individual making the enquiry with a written notice explaining the reasons for refusal (unless, given the grounds for refusal, it would be unreasonable to provide reasons).

Parents may also log on to the student management system ‘parent portal’ and access, correct and update some of their or their student's personal information.

Consent and rights of access to the personal information of students: The Corporation respects a Parent's right to make decisions concerning their student's education.

Generally, the relevant Principal or their delegate will refer any requests for consent and notices in relation to the personal information of a student to the student's Parents. The Corporation will treat consent given by Parents as consent given on behalf of the student and notice to Parents will act as notice given to the student. Parents may withdraw consent given on behalf of the student for a particular use of their personal information by contacting the relevant Principal or their delegate in writing as per the contact details found in the ‘Contact us’ section at the end of this Policy.

Parents may seek access to personal information held by the Corporation about them or their student by contacting the Corporation CEO, the relevant Principal, or their delegate, by telephone or in writing as per the contact details found in the ‘Contact us’ section at the end of this Policy. However, access may be refused in certain circumstances such as where access would have an unreasonable impact on the privacy of others, where access may result in a breach of the Corporation’s duty of care to the student, where students have provided information in confidence or where the Corporation is otherwise required or authorised by law to refuse access. Any refusal will be notified in writing with reasons (unless, given the grounds for refusal, it would be unreasonable to provide reasons).

The relevant Principal may, at his or her discretion, on the request of a student, grant that student access to information held by the school about them or allow a student to give or withhold consent to the use of their personal information, independently of their Parents. This would normally be done only when the maturity of the student and/or the student's personal circumstances warrant it.

4.7   Enquiries and complaints

If an individual would like further information about the way the Corporation manages the personal information it holds, or wishes to complain that they believe that the Corporation has breached the Australian Privacy Principles, they should contact the Corporation’s CEO, the relevant Principal, or their delegate, by writing or telephone as per the contact details found in the ‘Contact us’ section at the end of this Policy. The Corporation will investigate any complaint and will notify the individual of a decision in relation to the complaint as soon as is practicable after it has been made.

If an individual is not satisfied with the Corporation’s response to the individual’s complaint, they may complain to the Office of the Australian Information Commissioner (OAIC) via the OAIC website, www.oaic.gov.au.

4.8   Contact us

If an individual has an enquiry regarding this Policy, wishes to make a complaint, or wishes to request access or correct their personal information, the individual should contact the Corporation's CEO, the relevant Principal, or their delegate, using the following details.

• Corporation's CEO or their delegate:
  
  • email: ceo@tasc.nsw.edu.au
  • mail: PO Box 465 Hurstville BC NSW 1481
  • phone number: 8567 4000
• Principal or their delegate:
  
  • Please see the relevant school's website.

5. Legislative Requirements

Privacy Act1988www.privacy.gov.au

Health Records and Information Privacy Act 2002 NSWwww.austlii.edu.au/au/legis/nsw/consol_act/hraipa2002370/

Education Act 1990http://www.austlii.edu.au/au/legis/nsw/consol_act/ea1990104/

6. Definitions

What is ‘personal information’?

Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable whether the information is true or not, and whether the information or opinion is recorded in a material form or not. It includes all personal information regardless of its source.

What is ‘sensitive information’?

Sensitive information is a type of personal information that is given extra protection and must be treated with additional care. It includes any information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record. It also includes health information and biometric information about an individual.

What is ‘health information’?

Health information is a subset of sensitive information. It includes any information or opinion about the health or disability of an individual, the individual’s expressed wishes about the future provision of health services and a health service provided, currently or in the future, to an individual that is also personal information. Health information also includes personal information collected in the course of providing a health service.

7. Related Documents and Website References

• Application for Enrolment Form
• Conditions of Enrolment
• Standard Collection Notice
• Student General and Medical Information Form
• Data Standards Manual: Student Background Characteristics
• Interstate Student Data Transfer Note – Education Council