This privacy statement sets out how Catholic Education Diocese of Parramatta (CEDP), its schools and related services manage the personal and sensitive information we collect and hold.
We are bound by the Australian Privacy Principles contained in the Commonwealth Privacy Act 1988. In relation to health records, we are bound by the Health Privacy Principles contained in the NSW Health Records and Information Privacy Act 2002 (Health Records Act).
The Privacy Act confers a range of enforcement powers on the Commissioner, including civil penalty provision for serious or repeated interference with privacy. The maximum penalty is $420,000 for an individual and $2.1 million for a body corporate.
Parent means parent and/or guardian.
Pupil means a person who is being taught by another, especially a schoolchild or student, but includes children in our CELCs and COSHCs.
Sensitive information is personal information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, health, sexual orientation or practices or criminal record.
Collection of personal information
The type of personal information CEDP, its schools, CELCs and COSHCs collect and hold includes (but is not limited to) information about:
- pupils and parents before, during and after the course of a pupil’s enrolment at the school:
- name, contact details (including next of kin), date of birth, gender, language background, previous school and religion
- parents’ education, occupation and language background
- medical information (e.g. details of disability and/or allergies, absence notes, medical reports and names of doctors)
- conduct and complaint records, or other behaviour notes, and school reports
- information about referrals to government welfare agencies
- counselling reports
- health fund details and Medicare number
- any court orders
- volunteering information; and
- photos and videos at school events.
- job applicants, staff members, volunteers and contractors, including:
- name, contact details (including next of kin), date of birth, and religion
- information on job application
- professional development history
- salary and payment information, including superannuation details
- medical information (e.g. details of disability and/or allergies, and medical certificates)
- complaint records and investigation reports
- workers compensation claims
- leave details
- photos and videos at school events
- workplace surveillance information
- work emails and private emails (when using work email address) and internet browsing history; and
- other people who come into contact with CEDP, its schools, CELCs and COSHCs, including (but not limited to) name and contact details.
Personal information you provide
CEDP, its schools, CELCs and COSHCs will generally collect personal information held about an individual by way of forms filled out by parents or pupils, from face-to-face meetings and interviews, in emails and from telephone calls. CEDP may collect anonymous, aggregated information about your visit to its websites. This may include cookies, your IP address, general location and device parameters.
Personal information provided by other people
In some circumstances, CEDP, its schools, CELCs and COSHCs may be provided with personal information about an individual from a third party, for example, a report provided by a medical professional or a reference from another school.
Nationally Consistent Collection of Data (NCCD) on Students with Disability CEDP and its schools are required to collect personal information from schools to meet obligations under the Commonwealth Government’s Australian education legislation (Australian Education Act 2013, Australian Education Regulation 2013). The legislation requires relevant school authorities to provide the Commonwealth Department of Education and Training with information about students with a disability.
In NSW, the approved system authority for Catholic schools is Catholic Schools NSW (CSNSW). CEDP is required to disclose its NCCD collection to CSNSW for the purpose of complying with the Australian Education Act and Australian Education Regulation.
Usage of personal information
CEDP, its schools, CELCs and COSHCs will use personal information collected from you for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of collection and reasonably expected, or to which you have consented.
Pupils and Parents
In relation to personal information of pupils and parents, the primary purpose of collection is to enable CEDP, its schools, CELCs and COSHCs to educate pupils, exercise duty of care and perform necessary associated administrative activities, which will enable pupils to take part in all relevant activities. This includes satisfying the needs of parents, the needs of the pupil and our needs throughout the whole period the pupil is enrolled.
The purposes for which we use personal information of pupils and parents include:
- to keep parents informed about matters related to their child's schooling, through correspondence, newsletters and magazines
- day-to-day administration
- looking after pupils’ educational, social, spiritual and medical wellbeing
- seeking donations and marketing for the school; and
- to satisfy our legal obligations and discharge our duty of care.
In some cases where we request personal information about a pupil or parent, if the information requested is not obtained, we may not be able to enrol or continue the enrolment of the pupil or permit the pupil to take part in a particular activity.
We also obtain personal information about volunteers who assist schools in their functions or conduct associated activities to enable us and the volunteers to work together.
Marketing and fundraising
CEDP, its schools, CELCs and COSHCs treat marketing and seeking donations for future growth and development as an important part of ensuring that we continue to provide quality learning environments in which both pupils and staff thrive. Personal information we hold may be disclosed to an organisation that assists in fundraising for the above purpose.
Parents, staff, contractors and other members of the wider school community may from time to time receive fundraising information. Publications, like newsletters and magazines, which include personal information, may be used for marketing purposes.
Exception in relation to related schools
The Privacy Act allows legally related entities to share personal (but not sensitive) information.
This allows (for example) CEDP schools to transfer information when a pupil transfers from one CEDP school to another. However, a CEDP school may only use this personal information for the purpose for which it was originally collected.
Disclosure and storage of personal information
In accordance with Australian Privacy Principle 6, CEDP, its schools, CELCs and COSHCs may disclose personal information, including sensitive information, held about an individual for educational, administrative and support purposes. This may include to:
- other schools and teachers at those schools
- government departments (including for policy and funding purposes)
- CEDP, CSNSW, the school’s local diocese and the parish, other related church agencies/entities, and schools within other dioceses
- medical practitioners
- people providing educational, support and health services to the school, including specialist visiting teachers, coaches, volunteers, and counsellors
- providers of specialist advisory services and assistance to the school, including in the area of Human Resources, child protection and students with additional needs
- providers of learning and assessment tools
- assessment and educational authorities, including the Australian Curriculum, Assessment and Reporting Authority (ACARA) and NAPLAN Test Administration Authorities (who will disclose it to the entity that manages the online platform for NAPLAN)
- people providing administrative and financial services to the school
- recipients of school publications, such as newsletters and magazines
- pupils’ parents
- anyone you authorise the school to disclose information to; and
- anyone to whom we are required or authorised to disclose the information by law, including child protection laws.
Sending and storing information overseas
We may disclose personal information about an individual to overseas recipients, for example, to facilitate a school exchange. However, we will not send personal information about an individual outside Australia without:
- obtaining the consent of the individual (in some cases this consent will be implied); and
- otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.
We may use third party online or ‘cloud’ service providers to store personal information and to provide services that involve the use of personal information, such as services relating to email, instant messaging and education and assessment applications. Some limited personal information may also be provided to these service providers to enable them to authenticate users that access their services. This personal information may be stored in the cloud, which means that it may reside on service provider’s servers, which may be situated outside Australia.
An example of such a cloud service provider is Google. Google provides the ‘Google Apps for Education’ (GAFE) including Gmail, and stores and processes limited personal information for this purpose. School personnel, CEDP and their service providers may have the ability to access, monitor, use or disclose emails, communications (e.g. instant messaging), documents and associated administrative data for the purposes of administering GAFE and ensuring its proper use.
We make reasonable efforts to be satisfied about the protection and security of any personal information processed and stored outside Australia as not all countries are bound by laws which provide the same level of protection for personal information provided by the Australian Privacy Principles. Where we use the servers of cloud service providers or other third party service providers, they will be located in countries which have substantially similar protections as the Australian Privacy Principles.
Sensitive information is information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or practices or criminal record, that is also personal information; health information and biometric information about an individual.
Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless you agree otherwise, or the use or disclosure of the sensitive information is allowed by law.
Management and security of personal information
CEDP, its schools, CELCs, COSHCs and staff are required to respect the confidentiality of pupils’ and parents’ personal information and the privacy of individuals. We have in place steps to protect personal information we hold from misuse, interference and loss, unauthorised access, modification or disclosure by use of various methods. These methods include, but are not limited to, locked storage of paper records, access protocols, password protected access to computerised records and encryption.
CEDP will respond to any incidents that may affect the security of the personal information it holds in accordance with its obligations under the Privacy Act, including the notifiable data breaches scheme. If CEDP assesses that the security of personal information is breached in such a way that cannot be remedied and that a person is likely to suffer serious harm as a result of the breach, we will notify that person and the Office of the Australian Information Commissioner of the breach. Moreover, CEDP will respond to any such incidents by taking steps to contain any breach and minimise any likely harm to a person.
Do not share your personal information with anyone without first verifying their identity and confirming the organisation to which they belong. If you believe any of your personal information has been compromised, please let CEDP know immediately.
Access and correction of personal information
Under the Commonwealth Privacy Act and Health Records Act, an individual has the right to request and obtain access to any personal information which we hold about them and may request correction of any perceived inaccuracy in that information. There are some exceptions to the access right set out in the applicable legislation. Pupils will generally be able to access and update their personal information through their parents, but older pupils may seek access and correction themselves. Again, there are some exceptions to these rights set out in the applicable legislation.
To make a request to access or to correct any personal information we hold about you or your child, please contact us. You may be required to verify your identity and specify what information you require. You may be charged a fee to cover the cost of verifying your application and locating, retrieving, reviewing and copying any material requested. If the information sought is extensive, you will be advised of the likely cost in advance. If we cannot provide you with access to that information, we will provide you with written notice explaining the reasons for refusal.
Consent and rights to personal information of pupils
CEDP respects every parent’s right to make decisions concerning their child’s education.
Generally, a school will refer any requests for consent and notices in relation to the personal information of a pupil to the pupil’s parents. A school will treat consent given by parents as consent given on behalf of the pupil and notice to parents will act as notice given to the pupil.
Parents may seek access to personal information held by a school or CEDP about them or their child by contacting the school principal or CEDP. However, there may be occasions when access is denied. Such occasions would include where release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of our duty of care to the pupil.
A school may, at its discretion, on the request of a pupil, grant that pupil access to information held by the school about them, or allow a pupil to give or withhold consent to the use of their personal information, independently of their parents. This would normally be done only when the maturity of the pupil and/or the pupil’s personal circumstances warrant it.
If you would like further information about the way we manage the personal information we hold about you, or believe that we have breached our privacy obligations, please contact the Catholic Education Diocese of Parramatta on (02) 9840 5600, via mail (Locked Bag 4, North Parramatta NSW 1750) or at firstname.lastname@example.org.
We will investigate and will notify you of a decision as soon as is practicable.