Privacy Policy

Star of the Sea College is a Catholic Independent Girls’ school, founded by the Presentation Sisters in 1883. Since 2014, Star of the Sea College has been a member of Kildare Ministries.

At Star of the Sea College, we hold the care, safety and wellbeing of our students as a central and fundamental responsibility of our College. Our commitment is drawn from, and inherent in, the teaching and mission of Jesus Christ, with love, justice and the sanctity of each human person at the heart of the Gospel. (CECV Commitment Statement to Child Safety, 2022)

The person of each individual human being, in his or her material and spiritual needs, is at the heart of Christ’s teaching: that is why the promotion of the human person is the goal of the Catholic School. (Congregation for Catholic Education 1997, n.9)

Purpose

This Privacy Policy sets out how the College managers personal information to or collected by it.

The College is bound by the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth). In relation to health records, the College is also bound by the Health Records Act 2001 (Vic) and the Health Privacy Principles in that Act.

The College may, from time to time, review and update this Privacy Policy to take account of new laws and technology, changes to the College’s operations and practices and to make sure it remains appropriate to the changing school environment.

What kinds of personal information does the College collect and how does the College collect it?

The College collects and holds personal information, including health information and other sensitive information about:

  • students and parents and/or guardians (‘parents;) before, during and after the course of a student’s enrolment at the College including:
  • name, contact details (including next of kin), date of birth, gender, language background,
  • previous school and religion
  • parents’ education, occupation and language background
  • medical information (e.g. details of disability and/or allergies, and details of any assistance the student receives in relation to those disabilities, medical reports, names of doctors)
  • conduct and complaint records, or other behaviour notes, school attendance and school reports
  • information about referrals to government welfare agencies
  • counselling reports
  • health fund details and Medicare number
  • any court orders, including information of a parent/guardian who is/or has been the subject of court orders (i.e.. apprehended violence order) and any other information under Victorian Child protection laws
  • volunteering information (including Working With Children Checks)
  • photo and videos at school events
  • job applicants, staff members, volunteers and contractors including:
  • name, contact details (including next of kin), date of birth and religion
  • information on job application
  • professional development history
  • salary and payment information, including superannuation details
  • medical information (e.g. details of disability and/or allergies and medical certificates)
  • complaint records and investigation reports
  • leave details
  • photos and videos at school events
  • workplace surveillance information
  • work emails and private emails (when using work email address) and internet browsing history
  • other people who come into contact with the College, including name and contact details and any other information necessary for the particular contact with the College.

Personal information you provide: The College will generally collect personal information about an individual by way of forms filled out by parents or students, face‐to‐face meetings and interviews, emails and telephone calls. On occasions, people other than parents and students (such as job applicants and contractors) provide personal information to the College.

Personal information provided by other people: In some circumstances, the College may be provided with personal information about an individual from a third party: for example, a report provided by a medical professional or a reference from another school. The type of information the College may collect from another school may include:

  • academic records and/or achievement levels
  • information that may be relevant to assisting the new school meet the needs of the student including any adjustments

If the personal information of other people has been disclosed by you to the College, you are encouraged to:

  • inform them as to the reason why
  • inform them that they can access the information if they wish
  • inform them that the College does not usually disclose the information to third parties

Exception in relation to employee records: Under the Privacy Act, the Australian Privacy Principles do not apply to an employee record. As a result, this Privacy Policy does not apply to the College’s treatment of an employee record where the treatment is directly related to a current or former employment relationship between the College and employee. The College handles staff health records in accordance with the Health Privacy Principles in the Health Records Act 2001 (Vic).

Anonymity: The College needs to be able to identify individuals with whom it interacts and to collect identifiable information about them to facilitate the delivery of schooling to its students and its educational and support services, conduct the job application process and fulfill other obligations and processes. However, in some limited circumstances some activities and interactions with the College may be done anonymously where practicable, which may include making an inquiry, complaint or providing feedback.

How will the College use the personal information you provide?

The College will use personal information it collects from you for the primary purpose of collection and for such other secondary purposes that are related to the primary purpose of collection and reasonable expected by you, or to which you have consented.

Students and parents/guardians: In relation to personal information of students and parents, the College’s primary purpose of collection is to enable the College to provide schooling for the student (including educational and support services for the student), exercise its duty of care and perform necessary associated administrative activities which will enable students to take part in all the
activities of the College. This includes satisfying the needs of parents, the needs of the student and the needs of the College throughout the whole period the student is enrolled at the College.

The purposes for which the College uses personal information of students and parents include:

  • keeping parents informed about matters related to their daughter’s schooling through correspondence, newsletters and magazines;
  • day‐to‐day administration of the College;
  • looking after student’s educational, social and medical wellbeing;
  • seeking donations and marketing for the College;
  • seeking feedback from students and parents on school performance and improvement,
  • including through school improvement surveys
  • satisfying the College’s legal obligations and allowing the College to discharge its duty of care.
  • to satisfy the College service providers’ legal obligations, including the Catholic Education Commission of Victoria Ltd (CECV) and the various Catholic Education Offices

In some cases where the College requests personal information about a student or parent, if the information requested is not provided, the College may not be able to enrol or process the enrolment of the student or permit the student to take part in a particular activity.

Job applicants and contractors: In relation to personal information of job applicants and contractors, the College’s primary purpose of collection is to assess and (if successful) to engage the applicant, or contractor, as the case may be.

The purposes for which the College uses personal information of job applicants and contractors include:

  • administering the individual’s employment or contract. The personal information the College collects during the recruitment process will be stored securely for 12 months unless the unsuccessful job applicant or contractor advices the College to destroy it at an earlier time. After 12 months, the College will take reasonable steps to destroy or de‐ identify the individual’s personal information
  • for insurance purposes
  • seeking donations and marketing for the College
  • satisfying the College’s legal obligations, for example, in relation to child protection legislation

Volunteers: The College also obtains personal information about volunteers who assist the College in its functions or conduct associated activities, such as Past Students’ Association, to enable the College and the volunteers to work together, to confirm their suitability and to arrange visits. Contractors or volunteers who are not registered teachers are required to have a current and valid Working with Children Check.

Marketing and Fundraising: The College treats marketing and seeking donations for the future growth and development of the College as an important part of ensuring that the College continues to provide a quality learning environment in which both students and staff thrive. Personal information held by the College may be disclosed to organisations that assist in the College’s fundraising, for example, the College’s Past Students’ Association or, on occasions, external fundraising organisations.

Parents, staff, contractors and other members of the wider College community may from time to time receive fundraising information. College publications, like newsletters and magazines, which include personal information and sometimes people’s images, may be used for marketing purposes.

Who might the College disclose personal information to and store the information with?

The College may disclose personal information, including sensitive information, held about an individual for educational, administrative and support purposes. This may include to:

● College service providers which provide educational, support and health services to the College (either at the College or off campus) including the Catholic Education Commission of Victoria Ltd (CECV), MACS, specialist visiting teachers, volunteers, counsellors, sports coaches and providers of learning and assessment tools
● CECV and MACS to discharge its responsibilities under the Australian Education Regulation 2013 (Regulation) and the Australian Education Act 2013 (Cth) relating to students with a disability
● other third parties which the College uses to support or enhance the educational or pastoral care services for its students or to facilitate communication with parents
● another school including to its teachers for the purposes of processing an enrolment or upon transfer of a student to that school
● Federal and State government departments and agencies
● health service providers
● recipients of College publications, including newsletters and magazines
● students’ parents or guardians and their emergency contacts
● assessment and educational authorities including the Australian Curriculum, Assessment and
● Reporting Authority
● anyone the individual authorises the College to disclose information to
● anyone to whom the College is required or authorised to disclose the information to by law, including child protection laws.

Nationally Consistent Collection of Data on School Students with Disability

The College is required by the Regulation and the Australian Education Act 2013 (Cth) to collect and disclose certain information under the Nationally Consistent Collection of Data (NCCD) on students with a disability. The College provides the required information at an individual student level to the Catholic Education Offices and the CECV, as an approved authority. Approved authorities must comply with reporting, record keeping and data quality assurance obligations under the NCCD. Student information provided to the federal government for the purpose of the NCCD does not explicitly identify any student.

Sending and storing information overseas: The College may disclose personal information about an individual to overseas recipients, for instance, to facilitate a College exchange. However, the College will not send personal information about an individual outside Australia without:

● obtaining the consent of the individual; or
● otherwise complying with the Australian Privacy Principles or other applicable privacy legislation

The College may from time to time use the services of third-party online service providers (including for the delivery of services and third-party online applications, or Apps relating to email, instant messaging and education and assessment, such as Google’s G Suite, including Gmail) which may be accessible by you. Some personal information including sensitive information, may be collected and
processed or stored by these providers in connection with these services. These online service providers may be located in or outside Australia.

The College’s personnel and the College’s service providers, and the CECV and its service providers, may have the ability to access, monitor, use or disclose emails, communications (e.g. instant messaging), documents and associated administrative data for the purposes of administering the system and services ensuring their proper use.

The College makes reasonable efforts to be satisfied about the security of any personal information that may be collected, processed and stored outside Australia, in connection with any cloud and third-party services and will endeavour to ensure the cloud is located in countries with substantially similar protections as the APPs.

Where personal and sensitive information is retained by a cloud service provider on behalf of CECV or the College to facilitate Human Resources and staff administrative support, this information may be stored on servers located in or outside Australia.

How does the College treat sensitive information?

In referring to ‘sensitive information’, the College means: information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or practices or criminal record, that is also personal information; health information and biometric information about an individual.

Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless you agree otherwise, or the use or disclosure of the sensitive information is allowed by law.

Management and security of personal information

The College’s staff are required to respect the confidentiality of students’ and parents’ personal information and the privacy of individuals.

The College has in place steps to protect the personal information the College holds from misuse, interference and loss, unauthorised access, modification or disclosure by use of various methods including locked storage of paper records and password access rights to computerised records. This includes responding to any incidents which may affect the security of the personal information it holds. If the College assesses that anyone whose information is affected by such a breach is likely to suffer serious harm as a result, the individual and the Office of the Australian Information Commissioner will be notified of the breach.

It is recommended that parents and the school community adopt secure practices to protect themselves. All passwords used should be strong and regularly updated and log in details are kept secure. Do not share personal information with anyone without first verifying their identity and organisation. If you believe personal information has been compromised, please let the College know immediately.

Eligible data breach under the Notifiable Data Breaches scheme (Scheme)

The College is required to mandatorily report eligible data breaches to particular individuals and to the Office of the Australian Information Commissioner (OAIC). An eligible data breach will occur if:

  • there is unauthorised access to, unauthorised disclosure of, or loss of personal information held by the school; and
  • a reasonable person would conclude that access, disclosure or loss would be likely to result in serious harm to any of the individuals to whom the information relates; and
  • the College has not been able to prevent the likely risk of serious harm with remedial action.

The College has a Data Breach Response Plan (Plan) which is intended to enable it to contain, assess and respond to data breaches in a timely manner and to develop processes to assist the College to respond to a data breach. The Plan also assists the Collect to meet its obligations under the Scheme, to ensure that affected individuals are notified about serious data breaches as well as the OAIC. The
scheme is administered by the OAIC.

Examples of serious harm as a result of a data breach are malicious action such as theft of laptops containing personal information or ‘hacking’ of databases that contain personal information but may also arise from internal errors or failures to follow information handling policies. Each of these examples may give rise to an obligation on the College to comply with the requirements of this Scheme.

In deciding whether a reasonable person would conclude that a data breach would be likely to result in serious harm to an individual, the following factors may need to be considered: ‐

  • the kind of information
  • the sensitivity of the information
  • the extent to which the information is protected by security measures, e.g. encryption
  • the kind of persons who have obtained, or could obtain the information
  • the nature of the harm an individual could suffer (consider whether an individual might suffer physical, psychological, emotional or financial harm or harm to reputation)

If the College is aware that there are reasonable grounds to suspect that a data breach may have occurred, it is required to carry out a reasonable and expeditious assessment to ascertain whether a breach did in factor occur and this must happen within 30 days.

Access and correction of personal information

Under the Privacy Act and the Health Records Act, an individual has the right to seek and obtain access to any personal information and health records respectively which the College holds about them and to advise the College of any perceived inaccuracies. Students will generally be able to access and update their personal information through their parents, but older students can seek access and
correction themselves.

There are some exceptions to these rights set out in the applicable legislation.

Personal and medical information about students is managed by parents through the third‐party provider, Operoo. Parents make changes to this information themselves.

To make a request to access or to update any personal information the College holds about you or your daughter, please contact the Principal in writing. The College may require verification of identity. The College may charge a fee to cover the cost of verifying the application and locating, retrieving, reviewing and copying any material requested. If the information sought is extensive, the College will
advise the likely cost in advance. If the College cannot provide access to that information written notice explaining the reasons for refusal will be provided.

There will be occasions when access is denied and the reason for refusal is not provided, if doing so may breach the privacy of another person. Such occasions would include where release of the information would have an unreasonable impact on the privacy of others or where the release may result in a breach of the College’s duty of care to the student.

Consent and rights of access to the personal information of students

The College respects every parent’s right to make decisions concerning their daughter’s education. Generally, the College will refer any requests for consent and notices in relation to the personal information of a student to the student’s parents. The College will treat consent given by parents as consent given on behalf of the student and notice to parents will act as notice given to the student.

Parents may seek access to personal information held by the College about them or their child by contacting the Principal in writing. The College may, at its discretion, on the request of a student grant that student access to information held by the College about them or allow a student to give or withhold consent to the use of their personal information, independently of their parents. This would normally be done only when the maturity of the student and/or the student’s personal circumstances warrant it.

Enquiries and complaints

For further information about the way the College manages the personal information or complaints about privacy obligations, please contact the College Principal by writing or telephone (03) 9595 9595.

The College will investigate any complaint and will notify the relevant people in relation to the complaint as soon as is practicable after it has been made. A further complaint may be made to the OAIC if the process is deemed unsatisfactory. Contact details are:
GPO Box 5218, Sydney, NSW 2001
Telephone: 1300 363 992
www.oaic.gov.au

Responsible OfficerThe Risk & Compliance Manager
Approved ByPrincipal
Approved & Commenced22 February 2018
Last Reviewed July 2023
Review ByNovember 2024
Relevant LegislationAustralian Education Act 2013 (Cth)
Australian Education Regulation 2013 (Cth)
Children, Youth and Families Act 2005 (Vic)
Children Legislation Amendment (Reportable Conduct) Act
2017 (Vic)
Crimes Act 1958 (Vic)
Education and Training Reform Act 2006 (Vic)
Equal Opportunity Act 2010 (Vic)
Ministerial Order No 1359
Health Records Act 2001 (Vic)
Health Privacy Principles
Privacy Act 1988 (Cth)
Australian Privacy Principles
Related Policies & ProceduresData Breach Response Plan
Grievance Policy and Procedure
ICT Staff Policy
ICT Student Policy
Volunteer Procedures
IT Disaster Recovery Plan
Business Continuity Plan
Version6
Amendments Rewording of second sentence to align with other policies
Updated Policy index