PRIVACY POLICY 2019

Forming part of: Giant Steps Tasmania’s Health & Safety Manual

Policy Statement

Giant Steps Tasmania is bound by the Australian Privacy Principles contained in the Commonwealth Privacy Act 1988.

Because Giant Steps Tasmania is a not-for-profit organisation with currently (as of May 2019) a turnover of less than $3 million a year, it is not required to comply with the Notifiable Data Breaches Scheme. The school does however take the security of the data (both general and sensitive) it holds on students, parents/ carers, staff and volunteers very seriously.  Paper records are held in lockable filing cabinets and electronic records are password protected.

Giant Steps Tasmania will regularly review and update this Privacy Policy to take account of new laws and technology, changes to the school’s operations and practices and to make sure it remains appropriate to the changing school environment.

 

Purpose

This Privacy Policy sets out how Giant Steps Tasmania manages personal information provided to or collected by the organisation. Giant Steps Tasmania uses The Information Lifecycle Model described by the Office of the Australian Information Commissioner in its Guide to Securing Personal Information, which is also available at: 

https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information

 

 

The information lifecycle

  • Consider whether it is actually necessary to collect and hold personal information in order to carry out your functions or activities
  • Plan how personal information will be handled by embedding privacy protections into the design of information handling practices
  • Assess the risks associated with the collection of the personal information due to a new act, practice, change to an existing project or as part of business as usual
  • Take appropriate steps and put into place strategies to protect personal information that you hold
  • Destroy or de-identify the personal information when it is no longer needed.

 

 

Definitions

Giant Steps Tasmania adheres to the Office of the Australian Information Commissioner’s understanding of sensitive information as a subset of personal information, which is defined as:

  • “information or an opinion (that is also personal information) about an individual’s:
    • racial or ethnic origin
    • political opinions
    • membership of a political association
    • religious beliefs or affiliations
    • philosophical beliefs
    • membership of a professional or trade association
    • membership of a trade union
    • sexual orientation or practices, or
    • criminal record
  • health information about an individual
  • genetic information (that is not otherwise health information)
  • biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
  • biometric templates

Sensitive information is generally afforded a higher level of privacy protection under the APPs (Australian Privacy Principles) than other personal information. This recognises that inappropriate handling of sensitive information can have adverse consequences for an individual or those associated with the individual. For example, discrimination or mistreatment is sometimes based on a person’s race or ethnic origin or union membership. Mishandling of sensitive information may also cause humiliation or embarrassment or undermine an individual’s dignity.”

https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-b-key-concepts#app-entity

 

 

Implementation

Giant Steps Tasmania carefully considers the kinds of personal information it collects, how it collects it, how it uses it and how it maintains the security of this information:

 

about pupils and parents and/or guardians before, during and after the course of a pupil's enrolment at the school including:

  • name, contact details (including next of kin), date of birth, gender, language background, previous school and religion;
  • parents'/ carers’ education, occupation and language background;
  • medical information (e.g. details of disability and/or allergies, absence notes, medical reports and names of doctors);
  • behaviour notes, and school reports;
  • information about referrals to government welfare agencies;
  • counselling reports;
  • health fund details and Medicare number;
  • any court orders;
  • photos and videos at school events.

 

about job applicants, staff members, volunteers and contractors, including:

  • name, contact details (including next of kin), date of birth, and religion;
  • information on job application;
  • professional development history;
  • salary and payment information, including superannuation details;
  • medical information (e.g. details of disability and/or allergies, and medical certificates);
  • complaint records and investigation reports;
  • leave details;
  • photos and videos at school events;
  • work emails and private emails (when using work email address) and Internet browsing history.

 

about other people who come into contact with the school, including:

  • name and contact details and
  • any other information necessary for the particular contact with the school.

 

Personal Information individuals provide: Giant Steps Tasmania may collect personal information held about an individual by way of forms filled out by parents/ carers, face-to-face meetings and interviews, emails and telephone calls. On occasions people other than Parents and pupils provide personal information.

 

Personal Information provided by other people: In some circumstances Giant Steps Tasmania may be provided with personal information about an individual from a third party, for example a report provided by a medical professional or a reference from another school.

 

How Giant Steps Tasmania uses the personal information provided

The school uses the personal information it collects for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of collection and reasonably expected, or to which parents/ carers have consented.

 

Pupils and Parents/ Carers: In relation to personal information of pupils and parents/ carers, the school's primary purpose of collection is to enable Giant Steps Tasmania to provide schooling to enrolled pupils, exercise its duty of care, and perform necessary associated administrative activities, which will enable pupils to take part in all the activities of the school. This includes satisfying the needs of Parents, the needs of the pupil and the needs of the school throughout the whole period the pupil is enrolled at the school.

 

The purposes for which Giant Steps Tasmania uses personal information of pupils and parents/ carers include:

  • to keep parents/ carers informed about matters related to their child's schooling, through correspondence, newsletters and magazines;
  • day-to-day administration;
  • looking after pupils' educational, social, emotional and medical wellbeing;
  • seeking donations and marketing for the school; and
  • to satisfy Giant Steps Tasmania’s legal obligations and allow the school to discharge its duty of care.

 

In some cases where Giant Steps Tasmania requests personal information about a pupil or parent/ carer, if the information requested is not obtained, the school may not be able to enrol or continue the enrolment of the pupil or permit the pupil to take part in a particular activity or provide an alternative activity.

 

Job applicants and contractors: In relation to personal information of job applicants and contractors, Giant Steps Tasmania’s primary purpose of collection is to assess and (if the individual is successful) to engage the applicant or contractor.

 

The purposes for which Giant Steps Tasmania uses personal information of job applicants and contractors include:

  • administering the individual's employment or contract, as the case may be;
  • for insurance purposes;
  • seeking funds and marketing for the school; and
  • satisfying the school's legal obligations, for example, in relation to child protection legislation.

 

Volunteers: The school also obtains personal information about volunteers who assist the school in its functions or conduct associated activities to enable the school and the volunteers to work together.

 

Marketing and fundraising: Giant Steps Tasmania treats marketing and seeking donations for the future growth and development of the school as an important part of ensuring that the school continues to be a quality learning environment in which both pupils and staff thrive. Personal information held by a school may be disclosed to an organisation that assists in the school's fundraising. Parents/ Carers, staff, contractors and other members of the wider school community may from time to time receive fundraising information. School publications, like newsletters and magazines, which include personal information, may be used for marketing purposes with permission.

 

Who the school discloses personal information to and who it stores information with

Giant Steps Tasmania may disclose personal information, including sensitive information, held about an individual for educational, administrative and support purposes. This may include to:

  • other schools and teachers at those schools;
  • government departments (including for policy and funding purposes);
  • medical practitioners;
  • people providing educational, support and health services to the school, including specialist visiting teachers, sports coaches, volunteers, and counsellors;
  • providers of learning and assessment tools;
  • assessment and educational authorities, including the Australian Curriculum, Assessment and Reporting Authority (ACARA) and NAPLAN Test Administration Authorities (who will disclose it to the entity that manages the online platform for NAPLAN);
  • people providing administrative and financial services to the school;
  • recipients of school publications, such as newsletters and magazines;
  • pupils' parents or guardians;
  • anyone parents/ carers authorise the school to disclose information to; and
  • anyone to whom the school is required or authorised to disclose the information by law, including child protection laws.

 

Sending and storing information overseas: Giant Steps Tasmania may disclose personal information about an individual to overseas recipients, for instance, to facilitate a student moving abroad. However, the school will not send personal information about an individual outside Australia without:

  • obtaining the consent of the individual or her/ his parent/ carer (in some cases this consent will be implied); or
  • otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.

 

Giant Steps Tasmania  may use online or 'cloud' service providers to store personal information and to provide services to the school that involve the use of personal information, such as services relating to email, instant messaging and education and assessment applications. Some limited personal information may also be provided to these service providers to enable them to authenticate users who access their services. This personal information may be stored in the 'cloud' which means that it may reside on a cloud service provider's servers which may be situated outside Australia. An example of such a cloud service provider is Microsoft 365.

 

How Giant Steps Tasmania treats sensitive information

In referring to 'sensitive information', the school means: information relating to a person's racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or practices or criminal record; health information and biometric information.

 

Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless the student (or parent/ carer) agrees otherwise, or the use or disclosure of the sensitive information is allowed or required by law.

 

Management and security of personal information

Giant Steps Tasmania’s staff are required to respect the confidentiality of pupils' and parents'/ carers’ personal information and the privacy of individuals.

The school has in place steps to protect the personal information it holds from misuse, interference and loss, unauthorised access, modification or disclosure by the use of various methods including locked storage of paper records and password access rights to computerised records.

 

Access and correction of personal information

Under the Commonwealth Privacy Act an individual has the right to seek and obtain access to any personal information which the school holds about them and to advise the school of any perceived inaccuracy.

 

Pupils will generally be able to access and update their personal information through their parents/ carers, but older pupils may seek access and correction themselves.

If a parent/ carer wishes to make a request to access or to update any personal information the school holds on them or their child, they should contact the Principal by telephone or in writing.

 

Consent and rights of access to the personal information of pupils

Giant Steps Tasmania respects every parent's/ carer’s right to make decisions concerning their child's education. The school will refer any requests for consents and notices in relation to the personal information of a pupil to the pupil's parent/ carer. A school will treat consent given by a parent/ carer as consent given on behalf of the pupil, and notice to parents/ carers will act as notice given to the pupil. Parents/ Carers may seek access to personal information held by the school about them or their child by contacting the Principal by telephone or in writing. However, there may be occasions when access is denied. Such occasions would include:

  • where release of the information would have an unreasonable impact on the privacy of others, or
  • where the release may result in a breach of the school's duty of care to the pupil.

 

Enquiries and complaints

If a parent/ carer would like further information about the way Giant Steps Tasmania manages the personal information it holds, or wishes to make a complaint that the school has breached the Australian Privacy Principles, they should in the first instance contact the Principal by telephone or in writing at:

PO Box 300, Deloraine, Tasmania 7304,

Tel: 6362 2522.

 

 

The school, possibly with the involvement of the Board, will investigate any complaint and will notify the complainant of a decision as soon as is practicable. (Please see also: Grievance Policy and Procedure).

 

Authorised by: Paul Bowman

Position: Chair of Board

Signature:

Date:

Original policy prepared by: Chris Jacobsen

Position: (Previously) Education Administrator

Date: May, 2018

Date of last review: May, 2019

Review prepared by: Chris Jacobsen (Fairlight Educational Consulting)

Staff Consultation period: Week beginning April 8th

Date for next review: May, 2021

 

 

The attached sheets regarding the personal information held by Giant Steps on Students, Parents/ Carers and Employees/ Volunteers are regularly reviewed and updated.

 

 

At May 2019, the Fair Work Ombudsman requires that employee records must be kept for 7 years.

 

At May 2019, the ATO requires that employee financial records must be kept for 5 years.

 

To streamline processes, from May 2019 all information on Giant Steps employees will be stored for 7 years. On leaving Giant Steps Tasmania, staff may request that the school holds their records for longer (e.g. if they feel they may want to request a reference/ employment summary from Giant Steps Tasmania later than 7 years after leaving).

 

While there is no legal minimum or maximum time limit on the preservation of student records for Independent schools, given that many students at Giant Steps are part of at-risk groups and also from a risk and reputational management perspective for the school, Giant Steps Tasmania is, as of May 2019, considering various options for the indefinite storage of student records for all currently-enrolled students.

 

Given that all students at Giant Steps Tasmania are part of the Nationally Consistent Collection of Data (NCCD) annual census and that information about families is included in the census, information about students’ parents/ carers will also be stored indefinitely.



PERSONAL INFORMATION - Student

Key:

  • From whom info is collected: PA = parent/ carer; PU = pupil; SM = staff member; HP = Health Professional; OTH = Other (specify)
  • Where recorded: P = Paper file; E = Electronically
  • Who can access: PR = Principal; LS = Limited staff; AS = All staff
  • Level of risk: H = High; M = Medium; L = Low

| Summary of personal info | Needed for function or activity of school | From whom info is collected | Where recorded | Who can access | How long kept | Level of risk to individual of unintentional disclosure* |
| --- | --- | --- | --- | --- | --- | --- |
| Name | ✓ | PA | P and E | AS | Indefinitely | M |
| Address | ✓ | PA | P and E | AS | Indefinitely | M |
| Phone number(s) | ✓ | PA | P and E | AS | Indefinitely | M |
| Date of birth (& age) | ✓ | PA | P and E | AS | Indefinitely | M |
| Birth certificate | ✓ | PA | P and E | PR | Indefinitely | M |
| Emergency contact | ✓ | PA | P and E | AS | Indefinitely | L |
| Names of doctors | ✓ | PA | P and E | AS | Indefinitely | L |
| School reports | ✓ | SM | P and E | AS | Indefinitely | M |
| Assessments | ✓ | PA/ GP/ Psych/ Therapists | P | LS | Indefinitely | M |
| Referrals | ✓ | PA/ GP/ Psych/ Therapists | P | LS | Indefinitely | M |
| Details of disability | ✓ | PA/ GP/ Psych/ Therapists | P and E | LS | Indefinitely | M |
| Court Orders | ✓ | PA/ Family Court | P | LS | Indefinitely | M |
| Behaviour notes | ✓ | PA/ SM | P and E | LS | Indefinitely | M |
| Previous school | ✓ | PA/ Previous school | P and E | LS | Indefinitely | L |
| Health fund details | ✓ | PA | P and E | LS | Indefinitely | M |
| Medicare number | ✓ | PA | P and E | LS | Indefinitely | M |
| Medical reports | ✓ | PA/ GP | P and E | LS | Indefinitely | M |
| Absence notes | ✓ | PA | P and E | LS | Indefinitely | L |
| Case management notes | ✓ | PA/ Social Services | P | LS | Indefinitely | M |
| Photos, videos | ✓ | PA/ SM | E | AS | Indefinitely | M |

?

* The Level of Risk is for the unintentional disclosure of individual items of information. Where multiple items are disclosed (e.g. name, address and photos), the level of risk for the individual could be considerably higher.

 

PERSONAL INFORMATION - Parent/ Carer

Key:

  • From whom info is collected: PA = parent/ carer; PU = pupil; SM = staff member; HP = Health Professional; OTH = Other (specify)
  • Where recorded: P = Paper file; E = Electronically
  • Who can access: PR = Principal; LS = Limited staff; AS = All staff
  • Level of risk: H = High; M = Medium; L = Low

| Summary of personal info | Needed for function or activity of school | From whom info is collected | Where recorded | Who can access | How long kept | Level of risk to individual of unintentional disclosure |
| --- | --- | --- | --- | --- | --- | --- |
| Name | ✓ | PA | P and E | AS | Indefinitely | L |
| Address | ✓ | PA | P and E | AS | Indefinitely | L |
| Phone number(s) | ✓ | PA | P and E | AS | Indefinitely | L |
| Date of birth (& age) | ✓ | PA | P and E | LS | Indefinitely | L |
| Languages spoken | ✓ | PA | P and E | LS | Indefinitely | L |
| Religion | ✓ | PA | P and E | LS | Indefinitely | L |
| Social/ Economic Status | ✓ | PA | P and E | LS | Indefinitely | M |
| Court Orders | ✓ | PA/ Family Court | P and E | LS | Indefinitely | M |
| Communication with school/ staff | ✓ | PA | P and E | LS | Indefinitely | L |
| Health fund details | ✓ | PA | P and E | LS | Indefinitely | L |
| Medicare number | ✓ | PA | P and E | LS | Indefinitely | L |
| Centrelink information | ✓ | PA/ Centrelink | P and E | LS | Indefinitely | M |
| Rebate information | ✓ | PA | P and E | LS | Indefinitely | L |
| Photos, videos | ✓ | PA | P and E | LS | Indefinitely | L |
| Employment/ Volunteering information | ✓ | PA | P and E | LS | Indefinitely | L |
| Unsolicited information | ✓ | PA | P and E | PR/ LS/ AS | Indefinitely | L-H |

PERSONAL INFORMATION – Employee

Key:

  • From whom info is collected: PA = parent/ carer; PU = pupil; SM = staff member; HP = Health Professional; OTH = Other (specify)
  • Where recorded: P = Paper file; E = Electronically
  • Who can access: PR = Principal; LS = Limited staff; AS = All staff
  • Level of risk: H = High; M = Medium; L = Low

| Summary of personal info | Needed for function or activity of school | From whom info is collected | Where recorded | Who can access | How long kept | Level of risk to individual of unintentional disclosure |
| --- | --- | --- | --- | --- | --- | --- |
| Name | ✓ | SM | P and E | AS | 7 years min. | L |
| Address | ✓ | SM | P and E | LS | 7 years min. | L |
| Phone number(s) | ✓ | SM | P and E | LS | 7 years min. | L |
| Date of birth (& age) | ✓ | SM | P and/ E | LS | 7 years min. | L |
| Next of kin | ✓ | SM | P and E | LS | 7 years min. | L |
| Emergency contact numbers | ✓ | SM | P and E | LS | 7 years min. | L |
| Names of doctors | ✓ | SM | P and E | LS | 7 years min. | L |
| Job application | ✓ | SM | P and/or E | LS | 7 years min. | L |
| Employment history | ✓ | SM | P and/or E | LS | 7 years min. | L |
| Professional development history | ✓ | SM+Principal | P and E | LS | 7 years min. | L |
| Appraisal information | ✓ | SM+Principal | P and E | LS | 7 years min. | M |
| Details of disability | ✓ | SM | P and E | LS | 7 years min. | M |
| Bank details | ✓ | SM | P and E | LS | 7 years min. | M |
| Pay advices | ✓ | SM | P and E | LS | 7 years min. | M |
| Superannuation details | ✓ | SM | P and E | LS | 7 years min. | M |
| Complaint records | ✓ | SM+Principal | P and E | PR | 7 years min. | M |
| Communication with parents/carers | ✓ | SM+PA | P and E | LS | 7 years min. | L |
| Referee names, contact numbers | ✓ | SM | P and E | PR | 7 years min. | L |
| Role description | ✓ | School Admin | P and E | LS | 7 years min. | L |
| Leave details | ✓ | School Admin | P and E | LS | 7 years min. | L |
| Medical certificates | ✓ | SM | P and E | LS | 7 years min. | L |
| Case management notes | ✓ | SM | P and E | LS | 7 years min. | M |
| Photos, videos | ✓ | SM | P and E | LS | 7 years min. | L |
| Employment information | ✓ | SM | P and/or E | LS | 7 years min. | L |
| Workplace emails | ✓ | SM+School Admin | E | LS | 7 years min. | L |
| Worksafe injury claims | ✓ | SM+School Admin | P and E | LS | 7 years min. | M |