Privacy

PRIVACY POLICY

INTENT 
St Margaret’s Anglican Girls School is owned and operated by The Society of the Sacred Advent Schools  Pty Ltd ACN 104 269 785 as trustee for The Society of the Sacred Advent - St Margaret's Trust (the  school).  
 
The school is committed to protecting the privacy of its Employees, Students and Parents. This Privacy Policy sets out how the school manages Personal Information and your rights in relation to your Personal Information, including how to complain and how we deal with complaints. 
 
The school is bound by the Australian Privacy Principles (APPs) contained in the Privacy Act. 
 
The school may, from time to time, review and update this Policy to take account of new laws and  technology, changes to the school’s operations and practices and to make sure it remains appropriate  to the changing school environment. The current version of this Policy is published on the school  website. 

SCOPE

This policy applies to all school council members, Employees, volunteers and others such as Parents, contractors and consultants associated with the school and Students.   
 
The school will issue collection notices at the time of collecting personal information, which will set out  specific details of how the school will collect, use and disclose your Personal Information, depending  on your relationship with the school. In the event of an inconsistency between this Policy and the  collection notice that is relevant to you, the relevant collection notice will supersede the Policy to the  extent of the inconsistency. 

DEFINITIONS 
 
Employee means any person employed by the school, including past employees, whether paid or unpaid, full time, part time or casual.  
 
Employee Record means a record as defined in the Privacy Act, being records of Personal Information that relate to the employment of the Employee.  
 
Health Information is a subset of Sensitive Information. It is information or an opinion about the health or disability of an individual and information collected to provide, or in providing a Health Service.  
 
Health Service includes an activity performed to assess, record, maintain or improve an individual’s health, to diagnose an illness or disability, to treat an individual, or the dispensing on prescription of a drug or medicinal preparation by a pharmacist. 
 
Parent means the parent, carer or guardian of a Student.  
 
Personal Information is information or an opinion, whether true or not, and whether recorded in material form or not, about an identified individual or an individual whose identity is reasonably apparent, or can be determined, from the relevant information or opinion.  
 
Privacy Act means the Privacy Act 1988 (Cth). 
 
Sensitive information is a type of Personal Information. It includes information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preference or practice, or criminal record. Sensitive Information also includes biometric information that is used for the purpose of automated biometric verification, biometric identification or biometric templates. 
 
Student means prospective, current or past students of the school. 

KINDS OF PERSONAL INFORMATION WE COLLECT  
The school collects, uses and discloses Personal Information so that it can exercise its function and activities as a school and fulfil all relevant duties and obligations. 
 
In doing this, the type of information the school collects includes (but is not limited to) Personal Information, including Health Information and Sensitive Information, about: 

• Students and Parents before, during and after the course of a Student's enrolment at the school: 
  • name, contact details (including next of kin), date of birth, gender, language background, 
  • previous school and religion; 
  • Parents' education, occupation, language spoken at home, nationality and country of birth; 
  • Health Information about the Student (e.g. details of disability and/or allergies, dietary requirements, absence notes, immunisation details, medical reports and names of doctors); 
  • results of assignments, tests and examinations; 
  • conduct and complaint records, or other behaviour notes, and school reports; 
  • information about referrals to government welfare agencies; 
  • counselling reports; 
  • health fund details and Medicare number; 
  • any Court orders relating to parenting orders or the education and welfare of the Student; 
  • volunteering information; and 
  • photos and videos at school events. 
• Employees, job applicants, volunteers and contractors including: 
  • name, contact details (including next of kin), date of birth, and religion; 
  • professional development history; 
  • salary and payment information, including superannuation details; 
  • Health Information (e.g. details of disability and/or allergies, and medical certificates); 
  • complaint records and investigation reports; 
  • leave details; 
  • photos and videos at school events; 
  • private email addresses; and  
• other people who encounter the school including name, contact details and any other information necessary for the contact with the school. 

Exception in relation to Employee Records 
Under the Privacy Act, the APPs do not apply to Employee Records. As a result, this Policy does not apply to Employee Records held by the school. 
 
Anonymity   
The school needs to be able to identify individuals with whom it interacts and to collect identifiable information about them to facilitate the delivery of schooling to its Students and its educational and support services, conduct the job application process and fulfil other obligations and processes. 
 
However, in limited circumstances some activities and interactions with the school may be done anonymously where practicable, including making an inquiry, complaint or providing feedback. 
 
Otherwise, if you elect to de-identify yourself then that may result in the school being unable to provide services to you or otherwise deal with you. 

HOW WE COLLECT PERSONAL INFORMATION 
Personal Information you provide: The school generally collects Personal Information about an individual directly from the individual or their Parent, in the case of Students. This includes by way of forms, face-to-face meetings and interviews, emails and telephone calls.  
 
Personal Information provided by other people: In some circumstances the school may be provided with Personal Information about an individual from a third party, for example a report provided by a medical professional, a reference from another school or a referee for a job applicant. If a Student transfers to us from another school, we may collect Personal Information about the Student from the previous school to facilitate the transfer. 

PURPOSES FOR WHICH WE COLLECT, USE AND DISCLOSE PERSONAL INFORMATION 
The school will only use and disclose Personal Information for the primary purpose for which it was collected, as authorised by law or otherwise as specified in this Policy. 
 
Personal Information may also be used for purposes other than the primary purpose if consent from the individual has been obtained, where the individual would reasonably expect the school to use the Personal Information in that way or if such use or disclosure falls within an exception that is permitted under the Privacy Act or the APPs. These are known as secondary purposes. 
 
The primary and secondary purposes for which the school collects, uses and discloses Personal Information will depend on our relationship with you and includes the following: 
 
Students and Parents 

• providing schooling and school activities; 
• making required reports to government authorities; 
• keeping Parents informed about matters related to their child’s schooling, through correspondence, apps, newsletters and magazines; 
• day-to-day administration of the school; 
• looking after Students’ educational, social and medical wellbeing; 
• seeking donations and marketing for the school (see the ‘Marketing and Fundraising’ section of this Policy); 
• to satisfy the school’s legal obligations and allow the school to discharge its duty of care. 

In some cases where the school requests Personal Information about a Student or Parent, if the information requested is not provided the school may not be able to enrol or continue the enrolment of the Student or permit the Student to take part in a particular activity. 
 
On occasions, information such as academic and sporting achievements, Student activities and similar news is published in school newsletters and magazines, on the school intranet [and website] which may include photographs and videos of Student activities such as sporting events, school camps and school excursions. The school will obtain permission annually from the Student's Parent (and from the Student if appropriate)if the school would like to include such photographs or videos [or other identifying material] in the school’s promotional material or otherwise make this material available to the public such as on the internet. 
 
Volunteers 

• contact you about, and administer, the volunteer position; 
• for insurance purposes; and 
• satisfying the school’s legal obligations, for example, in relation to child protection legislation. 

The school also obtains Personal Information about volunteers who assist the school in its functions or conduct associated activities, such as alumni associations, to enable the school and the volunteers to work together.  
 
Job applicants, staff members and contractors 

• assessing and (if successful) engaging the applicant or contractor; 
• administering the individual’s employment or contract; 
• seeking donations and marketing for the school (see the ‘Marketing and Fundraising’ section of this Policy); 
• for insurance purposes; and 
• satisfying the school’s legal obligations, for example, in relation to child protection legislation. 

WHO WE DISCLOSE PERSONAL INFORMATION TO 
The school may disclose Personal Information, including Sensitive Information, for educational, care  and administrative purposes, and to seek support and advice. This may include to: 

• other schools or staff at those schools, including a new school to which a Student transfers to facilitate the transfer; 
• government departments (including for policy and funding purposes);
• medical practitioners; 
• people providing educational, extracurricular, support and Health Services to the school, including specialist visiting teachers, camp and travel providers, coaches, volunteers, and counsellors; 
• providers of learning and assessment tools; 
• assessment and educational authorities, including the Australian Curriculum, Assessment and Reporting Authority (ACARA) and NAPLAN Test administration authorities (who will disclose it to the entity that manages the online platform for NAPLAN) 
• people and organisations providing technology services to the school; 
• recipients of school publications, such as newsletters and magazines;  
• Parents;
• agencies and organisations to whom we are required to disclose Personal Information for education, funding and research purposes; 
• anyone you authorise the school to disclose information to; and  
• anyone to whom we are required or authorised to disclose the information to by law, including child protection laws. 
• organisations that assist us with fundraising (see the ‘Marketing and Fundraising’ section of this Policy); 
• providers of specialist advisory services and assistance to the school, including in the area of Human Resources, child protection, Students with additional needs and for the purpose of administering Microsoft Office 365 and ensuring its proper use (see the ‘Sending and Storing Information Overseas section of this Policy);  
• any external provider of our information management and storage system and any other external information technology services; and 
• related entities of the school, including but not limited to the school council and the school foundations. 
• The school does use generative artificial intelligence and other forms of automated decision making from time to time for the purposes set out above. If the school proposes to do this in a way that could significantly affect the rights or interest of a person, then the school will notify you. 

STORING AND ARCHIVING 
The school stores your Personal Information physically and or digitally.  
 
The school may use online or ‘cloud’ service providers to store Personal Information and to provide services to the school that involve the use of Personal Information. See the ‘Sending and Storing Information Overseas’ section of this Policy. 
 
We use information management and storage systems provided by third party service providers. Personal Information is stored with and accessible by the third party service providers for the purpose of providing services to the school in connection with the systems. 

SENDING AND STORING INFORMATION OVERSEAS 
The school may disclose Personal Information about an individual to overseas recipients in certain circumstances, for instance, to facilitate a school exchange or overseas tour. However, the school will not send Personal Information outside Australia without taking such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs in relation to that 
Personal Information. 
 
The school may use online or cloud service providers to store Personal Information and to provide services to the school that involve the use of Personal Information, such as services relating to email, instant messaging and education and assessment applications. Some limited Personal Information may also be provided to these service providers to enable them to authenticate users that access their 
services.  
 
The school, where possible will always choose a provider that stores information in cloud-based services that reside within Australia.   

MARKETING AND FUNDRAISING 

The school treats marketing and seeking donations for the future growth and development of the school as an important part of ensuring that the school continues to provide a quality learning environment in which both Students and staff thrive. Personal Information held by the school may be disclosed to organisations that assist in the school's fundraising, for example, the school's foundation or alumni organisation or, on occasions, external fundraising organisations. 
 
Parents, staff, contractors, and other members of the wider school community may from time to time receive fundraising information. School publications, like newsletters and magazines, which include Personal Information, may be used for marketing purposes. 
 
If you would like to opt-out of fundraising or direct marketing communications, please contact Reception via email to reception@stmargarets.qld.edu.au. 
 
SECURITY OF PERSONAL INFORMATION 
The school has steps in place to protect the Personal Information the school holds from misuse, interference and loss, unauthorised access, modification or disclosure by use of various methods including locked storage of paper records and password access rights to computerised records. 
 
These steps include:  

• Restricting access to information on a need-to-know basis, with different levels of security being allocated to staff based on their roles and responsibilities and security profile. 
• Ensuring all staff are aware that they are not to reveal or share personal passwords. 
• Ensuring where Personal Information and Health Information is stored in hard copy files that these files are stored in lockable filing cabinets and rooms. 
• Implementing physical security measures around the school buildings and grounds to prevent break-ins. 
• Implementing ICT security systems, policies and procedures, designed to protect Personal Information storage on our computer networks. 
• Implementing human resource policies and procedures designed to ensure staff follow correct protocols when handling Personal Information, such as email and internet usage, confidentiality and document security policies.,. 
• Undertaking due diligence with respect to third party service providers who may have access to Personal Information, including cloud service providers, to ensure as far as practicable that they are compliant with the APPs or a similar privacy regime. 

ACCESS, CORRECTION AND QUALITY OF PERSONAL INFORMATION 
Under the Privacy Act, an individual has the right to seek access to, and/or correction of any Personal Information which the school holds about them. Students will generally be able to access and update their Personal Information through their Parents, but older Students may seek access and correction themselves.  
 
There are some exceptions to these rights set out in the applicable legislation. 
 
To make a request to access, update or correct any Personal Information the school holds about you or your child, please contact the Principal in writing or via email to principal@stmargarets.qld.edu.au. The school may require you to verify your identity and specify what information you require. The school may charge a reasonable fee for giving access to your Personal Information (but will not charge for the making of the request or to correct your Personal Information). If the information sought is extensive, the school will advise the likely cost in advance. 
 
If the school decides to refuse your request, we will provide you with written notice explaining the reasons for refusal (unless, in light of the grounds for refusing, it would be unreasonable to provide reasons) and how to complain. 

The school will take reasonable steps to ensure that any Personal Information it collects or discloses is accurate, up to date, complete, relevant and not misleading. 

CONSENT AND RIGHTS OF ACCESS TO THE PERSONAL INFORMATION OF STUDENTS 
Generally, the school will refer any requests for consent and notices in relation to the Personal Information of a Student to their Parents. This may depend on the age of the Student, amongst other things. Generally, the school will treat consent given by Parents as consent given on behalf of the Student and a notice to Parents will act as a notice given to the Student. Again, whether the school does this may depend on the age of the Student, amongst other things.  
 
Parents may seek access to Personal Information held by the school about them or their child by contacting the Principal by telephone or in writing (see the  ‘Access, Correction and Quality of Personal Information’ section of this Policy). However, there may be occasions when access is denied. Such occasions may include (but are not limited to) where the school believes the Student has the capacity to consent and the school is not permitted to disclose the information to the Parent without the Student’s consent, where the release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of the school’s duty of care to the Student. 
 
The school may, at its discretion, on the request of a Student grant that Student access to information held by the school about them or allow a Student to give or withhold consent to the use of their Personal Information, independently of their Parents. This would normally be done only when the maturity of the Student and or the Student's personal circumstances warrant it. 

ELIGIBLE DATA BREACHES  

Assessment 
If the school suspects that a data breach has occurred, it will conduct a reasonable and expeditious assessment to determine if there are reasonable grounds to believe that an eligible data breach has occurred.    

The school will take all reasonable steps to ensure that the assessment is completed within 30 days of becoming aware of the suspected eligible data breach.   

Notification 
Subject to any restriction under the Privacy Act, in the event an eligible data breach occurs, the school will, as soon as practicable, prepare a statement outlining details of the breach, and: 

a) notify the affected individual of the unauthorised access, disclosure or breach; and   
b) notify the Office of the Australian Information Commissioner of the unauthorised access, disclosure or breach.   

The management of a data breach follows the process outlined in the SSA Mandatory Data Breach 
Notification Response Plan. 

ENQUIRIES AND COMPLAINTS 
If you would like further information about the way the school manages the Personal Information it holds, or wish to make a complaint about the school's breach of the APPs, please contact the Principal in writing or via email to principal@stmargarets.qld.edu.au. The school will investigate any complaint and will notify you of the making of a decision in relation to your complaint as soon as is practicable after it has been made. 
 
If you are not satisfied with the school’s response, you may complain to the Office of the Australian Information Commissioner (OAIC) via the OAIC website, www.oaic.gov.au. 
 
RELATED POLICIES 

1. Complaints Procedures & Practices Policy 
2. SSA Mandatory Data Breach Notification Response Plan 
3. Employment Contract 
4. Enrolment Form 
5. Image Consent Policy 

LEGISLATION 

• Australian Privacy Principles   
• Fair Work Regulations 2009  
• The Privacy Act 1988 (Cth)  

 
Revised Date:  01 April 2025