Privacy Policy

This Privacy Policy details how Loreto Normanhurst manages personal, sensitive and medical information provided to or collected by the School.

The School is bound by the Australian Privacy Principles contained in the Commonwealth Privacy Act 1988. The School is also bound by NSW Health Privacy Principles which are contained in the Health Records and Information Privacy Act 2002 (Health Records Act).
The School may, from time to time, review and update this policy to take account of new laws and technology, changes to the School’s operations and practices and to make sure it remains appropriate to the changing school environment.

What kinds of personal information does Loreto Normanhurst collect and how is this collected?

The type of information the School collects and holds includes (but is not limited to) personal information, including health and other sensitive information, about:

  • students and parents and/or guardians (‘parents’) before, during and after the course of a student’s enrolment at the School;
  • job applicants, staff members, volunteers and contractors; and
  • other people who come into contact with the School.

Examples of personal information are names, addresses and other contact details; dates of birth, next of kin details, financial information, photographic images and attendance records.

Examples of sensitive information (particularly in relation to student and parent records) include information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or practices or criminal record, that is also personal information; health information and biometric information about an individual.

Examples of health information (particularly in relation to student and parent records) are medical records, disabilities, immunisation details, individual health care plans, counselling reports, nutrition and dietary requirements.

Personal Information you provide

The School will generally collect personal information held about an individual by way of forms filled out by parents or students, face-to-face meetings and interviews, emails and telephone calls. On occasions people other than parents and students provide personal information.

If you provide the School with personal information about other people, such as doctors or emergency contacts, we encourage you to inform them that you are disclosing that information to the School, why you are disclosing and that the individual has the right to access their information if they wish.

Personal Information provided by other people

In some circumstances, the School may be provided with personal information about an individual from a third party, for example a report provided by a medical professional or a reference from another school.

Exception in relation to employee records

Under the Privacy Act and Health Records and Information Privacy Act 2002 (NSW), the Australian Privacy Principles and Health Privacy Principles do not apply to an employee record. As a result, this policy does not apply to the School’s treatment of an employee record, where the treatment is directly related to a current or former employment relationship between the School and employee.

How will the School use the personal information you provide?

The School will use personal information it collects from you for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of collection and reasonably expected by you, or to which you have consented.

Students and Parents

In relation to personal information of students and parents, the School’s primary purpose of collection is to enable the School to provide education for the student, exercise its duty of care, and perform associated administrative activities, which will enable students to take part in activities of the School. This includes satisfying the needs of parents, the needs of the student and the needs of the School throughout the whole period the student is enrolled at the School (see Attachment A below).

The purposes for which the School uses personal information of students and parents include:

  • to keep parents informed about matters related to their child’s education, through correspondence, newsletters and magazines;
  • day-to-day administration of the School;
  • looking after students’ educational, social and medical wellbeing;
  • seeking donations and marketing for the School; and
  • to satisfy the School’s legal obligations and allow the School to discharge its duty of care.

In some cases where the School requests personal information about a student or parent, if the information requested is not provided, the School may not be able to enrol or continue the enrolment of the student or permit the student to take part in a particular activity.

Job applicants, staff members and contractors

In relation to personal information of job applicants, staff members and contractors, the School’s primary purpose of collection is to assess and (if successful) to engage the applicant, staff member or contractor, as the case may be (Attachment B).

The purposes for which the School uses personal information of job applicants, staff members and contractors include:

  • in administering the individual’s employment or contract, as the case may be;
  • for insurance purposes;
  • seeking donations and marketing for the School; and
  • to satisfy the School’s legal obligations, for example, in relation to child protection legislation.

Volunteers

The School also obtains personal information about volunteers who assist the School in its functions and associated activities in order to enable the School and the volunteers to work together.

Marketing and fundraising

Loreto Normanhurst treats marketing and seeking donations for the future growth and development of the School as an important part of ensuring that the School continues to provide a quality learning environment in which both students and staff thrive.

Personal information held by Loreto Normanhurst may be disclosed to organisations that assist in the School’s fundraising. Parents, staff, contractors and other members of the wider School community may from time to time receive fundraising information. School publications, like newsletters and magazines, which include personal information, may be used for marketing purposes.

Who might the School disclose personal information to and store your information with?

The School may disclose personal information, including sensitive information, held about an individual for educational, administrative and support purposes. This may include to:

  • other schools and teachers at those schools;
  • government departments;
  • medical practitioners;
  • people providing services to the School, including specialist visiting teachers, counsellors and sports coaches;
  • providers of learning and assessment tools;
  • assessment and educational authorities, including the Australian Curriculum, Assessment and Reporting Authority (ACARA) and NAPLAN Test Administration Authorities (who will disclose it to the entity that manages the online platform for NAPLAN);
  • people providing administrative and financial services to the School;
  • Parent Associations/Committees;
  • media professionals;
  • recipients of School publications, such as newsletters and magazines;
  • students’ parents or guardians;
  • anyone you authorise the School to disclose information to; and
  • anyone to whom we are required to disclose the information by law.

Sending and storing information overseas

Loreto Normanhurst may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange. The School, however, will not send personal information about an individual outside Australia without:

  • obtaining the consent of the individual (in some cases this consent will be implied); or
  • otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.

Loreto Normanhurst may use online or ‘cloud’ service providers to store personal information and to provide services to the School that involve the use of personal information, such as services relating to email, instant messaging and education and assessment applications. Some limited personal information may also be provided to these service providers to enable them to authenticate users that access their services. This personal information may reside on a cloud service provider’s servers which may be situated outside Australia.

How does the School treat sensitive information?

In referring to ‘sensitive information’, the School means: information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or practices or criminal record, that is also personal information; health information and biometric information about an individual.

Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless you agree otherwise, or the use or disclosure of the sensitive information is allowed by law.

Management and security of personal information

The School’s staff are required to respect the confidentiality of students’ and parents’ personal information and the privacy of individuals.

Loreto Normanhurst has in place steps to protect the personal information the School holds from misuse, interference and loss, unauthorised access, modification or disclosure by use of various methods including locked storage of paper records and password access rights to computerised records through the allocation of varying security levels based on staff security levels.

The School may utilise Third Party providers to deliver online applications for students and staff. Consequently, details may be transferred, stored and processed in other countries utilised by these Third Party providers.

Personal information we hold that is no longer needed is destroyed in a secure manner, deleted or de-identified as appropriate.

Access and correction of personal information

Under the Commonwealth Privacy Act and the New South Wales Health Privacy Principles which are contained in the Health Records and Information Privacy Act 2002 (Health Records Act), an individual has the right to obtain access to any personal information which the School holds about them and to advise the School of any perceived inaccuracy. Students will generally be able to access and update their personal information through their parents, but older students may seek access and correction themselves. There are some exceptions to these rights set out in the applicable legislation.

To make a request to access or update any personal information the School holds about you or your child, please contact the Principal in writing. The School may require you to verify your identity and specify what information you require. The School may charge a fee to cover the cost of verifying your application and locating, retrieving, reviewing and copying any material requested. If the information sought is extensive, the School will advise the likely cost in advance. If the School cannot provide you with access to that information, it will provide you with written notice explaining the reasons for refusal.

Consent and rights of access to the personal information of students

The School respects every parent’s right to make decisions concerning their child’s education. Generally, the School will refer any requests for consent and notices in relation to the personal information of a student to the student’s parents. Loreto Normanhurst will treat consent given by parents as consent given on behalf of the student, and notice to parents will act as notice given to the student.

As mentioned above, parents may seek access to personal information held by the School about them or their child by contacting the Principal. However, there will be occasions when access is denied. Such occasions would include where release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of the School’s duty of care to the student.

The School may, at its discretion, on the request of a student grant that student access to information held by the School about them, or allow a student to give or withhold consent to the use of their personal information, independently of their parents. This would normally be done only when the maturity of the student and/or the student’s personal circumstances so warranted.

Enquiries and complaints

If you would like further information about the way the School manages personal information it holds, or to make a complaint regarding a breach of the Australian Privacy Principles, please contact the Principal in writing. Complaints of this nature are taken very seriously and the School will investigate. A response will be provided to the complainant as soon as practicable but no later than 30 days on receipt of the complaint.

If the response is not acceptable, then the complainant may escalate the matter to the Office of the Australian Information Commissioner (OAIC) via www.oaic.gov.au.

This policy can be found on the HR section of the Intranet.

Version | Approved By     | Version Date  | Comment  | Policy Owner            | Review Date
1       | Leadership Team | 2002          | Original |                         | 2008
2       | Leadership Team | April 2014    | Review   |                         | 2015
3       | Leadership Team | May 2015      | Review   |                         | 2017
4       | Leadership Team | December 2017 | Revised  | Business Manager        | 2018
5       | Leadership Team | February 2018 | Revised  | Business Manager        | 2020
6       | Leadership Team | 2020          | Revised  | Chief Operating Officer | 2021

  

Attachment A

STANDARD COLLECTION NOTICE

This notice has been created in accordance with the requirements of the Australian Privacy Principles (APPs) contained in the Privacy Act 1988. This notice aims to make you aware of Loreto Normanhurst’s (‘the School’) collection and handling practices in relation to personal information.

1. The School collects personal information, including sensitive information about students and parents or guardians before and during a student’s enrolment at the School. This may be in writing or in the course of conversations. The primary purpose of collecting this information is to enable the School to provide education to the students and to enable them to take part in all the activities of the School.

2. Some of the information we collect is to satisfy the School’s legal obligations, particularly to enable the School to discharge its duty of care.

3. Laws governing or relating to the operation of a School require certain information to be collected and disclosed. These include relevant Education Acts, and Public Health and Child Protection laws.

4. Health information about students is sensitive information within the terms of the APPs under the Privacy Act. We may ask you to provide medical reports about students from time to time.

5. The School from time to time discloses personal and sensitive information to others for administrative and educational purposes, including to facilitate the transfer of a student to another School. This may include to:

  • other schools and teachers at those schools;
  • government departments (including for policy and funding purposes);
  • medical practitioners;
  • people providing educational, support and health services to the School, including specialist visiting teachers, coaches, volunteers, and counsellors;
  • providers of learning and assessment tools;
  • assessment and educational authorities, including the Australian Curriculum, Assessment and Reporting Authority (ACARA) and NAPLAN Test Administration Authorities (who will disclose it to the entity that manages the online platform for NAPLAN);
  • people providing administrative and financial services to the School;
  • anyone you authorise the School to disclose information to; and
  • anyone to whom the School is required or authorised to disclose the information by law, including child protection laws.

6. Personal information collected from students is regularly disclosed to their parents or guardians.

7. The School may use online or ‘cloud’ service providers to store personal information and to provide services to the School that involve the use of personal information, such as services relating to email, instant messaging and education and assessment applications. Some limited personal information may also be provided to these service providers to enable them to authenticate users that access their services. This personal information may reside on a cloud service provider’s servers which may be situated outside Australia.

8. The School Privacy Policy sets out how parents or students may seek to access or correct their personal information which the School has collected and holds. However, access may be refused in certain circumstances such as where access would have an unreasonable impact on the privacy of others, where access may result in a breach of the School’s duty of care, or where students have provided information in confidence. Any refusal will be notified in writing with reasons if appropriate.

9. The School Privacy Policy also sets out how you may complain about a breach of privacy of the APPs and how the School will deal with such a complaint.

10. As you know, the School from time to time engages in fundraising activities. Information received from you may be used to make an appeal to you. It may also be disclosed to organisations that assist in the School’s fundraising activities solely for that purpose. We will not disclose your personal information to third parties for their own marketing purposes without your consent.

11. On occasions information such as academic and sporting achievements, student activities and similar news is published in School newsletters and magazines and on our website. Photographs of student activities such as sporting events, camps and excursions may be taken both for printed and digital publication in School newsletters, magazines, intranet and website as well as School approved social media sites. The School will obtain permissions from the student’s parent or guardian (and from the student if appropriate) if we would like to include such photographs or videos (or other identifying material) in our promotional material.

12. If you provide the School with the personal information of others, such as doctors or emergency contacts, we encourage you to inform them that you are disclosing that information to the School and why, that they can access that information if they wish and that the School does not usually disclose this information to third parties.

2014, 2017, Reviewed 2019, 2020

Attachment B

EMPLOYMENT COLLECTION NOTICE

This notice has been created in accordance with the requirements of the Australian Privacy Principles (APPs) contained in the Privacy Act 1988. This notice aims to clarify Loreto Normanhurst’s collection and handling practices in relation to personal information.

1. In applying for a position of employment at Loreto Normanhurst, you will be providing the School with personal information; for example, your name, address and information contained on your resume. We collect this information in order to assess your application for employment. We may keep this information on file if your application is unsuccessful in case another suitable position becomes available.

2. The School’s Privacy Policy, accessible on the School’s website, contains details of how you may complain about a breach of the Australian Privacy Principles and how you may seek access to, and correction of, your personal information which the School has collected and holds. Access may be refused in certain circumstances, however, such as where access would have an unreasonable impact on the privacy of others. Any refusal will be notified in writing with reasons if appropriate.

3. We will not disclose your information to a third party without your consent unless otherwise permitted.

4. We may be required to conduct a criminal record check to collect information regarding whether you are or have been the subject of an Apprehended Violence Order (AVO) and certain criminal offences under Child Protection laws. We may also collect personal information about you in accordance with these laws.

5. The School may use online or ‘cloud’ service providers to store personal information and to provide services to the School that involve the use of personal information, such as email services. Some limited personal information may also be provided to these service providers to enable them to authenticate users that access their services. This personal information may reside on a server of a cloud service provider which may be situated outside Australia. Further information about the School’s use of online or cloud service providers is contained in the School’s Privacy Policy.

6. If you provide us with the personal information of others, such as referees’ names and contact details, we encourage you to inform them that you are disclosing that information to the School and why.

January 2020