Attention: You are using an outdated browser, device or you do not have the latest version of JavaScript downloaded and so this website may not work as expected. Please download the latest software or switch device to avoid further issues.

Cranbrook School Privacy Policy

This Privacy Policy details how Cranbrook School (the “School”) manages personal information provided to or collected by it and complies with the requirements of the Privacy Act 1988 (Cth) and the Australian Privacy Principles, as well as the requirements of the Health Records and Information Privacy Act 2002 (NSW) and the Health Privacy Principles.

Who the School Collects Personal Information From

Personal information is information or an opinion about an individual from which they can be reasonably identified.

Depending on the circumstances, the School collects personal information from individuals in their capacity as a student, prospective student, parent, prospective parent, job applicant, employee, volunteer, alumni, contractor, visitor, or in any other capacity in which they may come into contact with the School.

Kinds of Personal Information the School Collects and Holds

The kinds of personal information the School collects and holds is largely dependent upon whose information is being collected and why it is being collected.

In general terms the School may collect and hold information including, but not limited to, the below:

  • Personal Information including names, addresses, other contact details, dates of birth, gender, next of kin details, financial information, photographs, images, videos, references, regulatory accreditation, media references, directorships, driver’s licence information, school reports, academic, attendance and behavioural records.
  • Health Information including medical records and reports, health fund information, disabilities, allergies, immunisation details, individual health care plans, counselling reports and notes, nutrition and dietary requirements.
  • Other Sensitive Information including religious beliefs, government identifiers, nationality, citizenship, country of birth, racial or ethnic origin, languages spoken at home, professional memberships, family court orders, criminal records.

The School may also collect any other information necessary for the particular contact with the School.

In some cases, where the School has requested personal information about you, if the information is not provided, the School may not be able to continue its relationship with you. In the case of a student or parent, if the information requested is not provided the School may not be able to enrol or continue the enrolment of the student or permit the student to participate in a particular activity. In the case of a prospective employee, contractor or volunteer, if the information requested is not provided the School may not be able to engage you or continue the engagement with you.

Employee records are not covered by the Australian Privacy Principles or the Health Privacy Principles where they relate to a current or former employment relationship between the School and the employee. As a result, this Privacy Policy does not apply to the School’s treatment of an employee record where this is directly related to a current or former employment relationship between the School and the employee.

How the School Collects Personal Information

The collection of personal information depends on the circumstances in which the School is collecting the information. If it is reasonable and practical to do so, the School collects personal information directly from you.

Solicited Information

The School has, where possible, attempted to standardise the collection of personal information by using specifically designed forms (for example, an Application for Admission Form). However, given the nature of the School’s operations, personal information is also received by email, letters, notes, via the School’s website and intranet, over the telephone, in interviews, in face to face meetings, through financial transactions, and through surveillance activities such as the use of CCTV security cameras or email monitoring.

The School may also collect personal information about you from other people (for example, a personal reference, reference from another school or previous employer, or report from a medical professional) or independent sources (for example, a telephone directory), however the School will only do so where it is not reasonable and practical to collect the information directly from you.

The School may collect information on the use of the School’s website, intranet and social media channels by using “cookies” and other data collection methods to collect information on activity such as the number of visitors, the number of pages viewed and the internet advertisements which bring visitors to these sites and channels. This information is collected to analyse and improve the School’s website, intranet, social media channels and marketing campaigns, and to record statistics on web, intranet and social media traffic. This information is not used to personally identify you.

Unsolicited Information

At times the School may be provided with personal information without having sought it through the School’s usual means of collection. This is known as “unsolicited information” and is often collected by misdirected postal mail, misdirected electronic mail, employment applications sent that are not in response to an advertised vacancy, or other information provided to the School which was not requested.

Where the School collects such unsolicited information, that information will only be held, used and disclosed if the School could otherwise do so had it been collected by usual means. If that unsolicited information could not have been collected by usual means then the School will destroy, permanently delete or de-identify the information as appropriate.

Sensitive Information

Sensitive information is information that is personal information in relation to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or practices, criminal record, health information and biometric information.

The School only collects sensitive information if:

  • It is reasonably necessary for one or more of the School’s functions or activities, and we have your consent;
  • It is necessary to lessen or prevent a serious threat to life, health or safety; or
  • A permitted general situation (such as locating a missing child) or health situation (such as a health professional providing a health service) exists.

How the School Uses Personal Information

The School will only use personal information for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of collection (or directly related to the primary purpose of collection in the case of sensitive information) and that would be reasonably expected by you.

The School may also use personal information if:

  • You have consented to that use;
  • The use is necessary to lessen or prevent a serious threat to life, health or safety;
  • A permitted general situation (such as locating a missing child) or permitted health situation (such as a health professional providing a health service) exists;
  • The use is required or authorised by law; or
  • The use is reasonably necessary for a law enforcement activity.

The primary purposes for which the School collects, holds, uses and discloses personal information include, but are not limited to:

  • Providing education, pastoral care, extra-curricular and health services to students, and satisfying the needs of students, parents and the School throughout the whole period a student is enrolled;
  • Satisfying legal obligations including duty of care and child protection obligations;
  • Keeping parents informed about matters relating to their child’s schooling and school community matters through 3 correspondence, newsletters and magazines, on its website and intranet, and through social media;
  • Marketing, promotional, networking, social and fundraising activities;
  • Supporting the activities of the Cranbrook Foundation and School associations including the Old Cranbrookians' Association Inc. and the Cranbrook School Parents’ Association Inc.;
  • Supporting community causes, activities, charities and other causes in connection with the School’s functions or activities;
  • Helping to improve day to day operations including training of staff, systems development, developing new programs and services, and undertaking planning, research and statistical analysis;
  • Day to day operations and administration of the School, including for insurance purposes; and
  • Employment/engagement of staff, contractors and volunteers, including identifying and engaging potential members of the governing bodies and committees of the School and its related entities and associations.

Disclosure of Personal Information

Disclosure of personal information may be made to government agencies or departments including but not limited to assessment and educational authorities (for example, for policy and funding purposes), other parents, other schools and staff of those schools, recipients of School publications such as newsletters and magazines, people who view the School’s website, intranet or social media channels, medical professionals, volunteers, people providing educational, support or health services to the School (for example, visiting specialist teachers, coaches and counsellors), providers of specialist advisory services and assistance (for example, in the area of human resources, child protection, law, accounting, and students with additional needs), contractors (for example, caterers and tour operators), providers of educational and assessment tools, agents, business partners and related entities.

The School will only disclose personal information for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of collection (or directly related to the primary purpose of collection in the case of sensitive information) and that would be reasonably expected by you.

The School may also disclose personal information if:

  • If you have consented to that disclosure;
  • The disclosure is necessary to lessen or prevent a serious threat to life, health or safety;
  • A permitted general situation (such as locating a missing child) or permitted health situation (such as to a health professional providing a health service) exists;
  • The disclosure is required or authorised by law; or
  • The disclosure is reasonably necessary for a law enforcement activity.

Marketing and Fundraising

The School treats marketing and fundraising for future growth and development as an important part of ensuring that the School continues to provide a quality learning environment in which both students and staff thrive.

Personal information held by the School may be disclosed to organisations that assist in the School's fundraising, for example, the Cranbrook Foundation, Cranbrook School Parents’ Association Inc., Old Cranbrookians’ Association Inc., or, on occasions, external fundraising organisations.

Personal information may be contained in School publications, including without limitation, newsletters and magazines, the School website and intranet, and School social media accounts, which may be used for marketing purposes including relating to fundraising. These may be distributed to current, prospective and past parents, students, alumni, staff, contractors and other members of the wider School community.

Overseas Recipients

The School may disclose personal information about an individual to overseas recipients in certain circumstances. Such circumstances may include when the School is organising an overseas excursion, facilitating a student exchange, storing information with a ‘cloud service provider’ which stores data outside of Australia, or establishing online accounts for students for educational and assessment tools where data relating to the account is stored outside of Australia. These overseas recipients may be located in many different countries.

The School will take all reasonable steps not to disclose an individual’s personal information to overseas recipients unless:

  • The School has the individual’s consent (which may be implied);
  • The School has satisfied itself that the overseas recipient is compliant with the Australian Privacy Principles, or a similar privacy regime;
  • The School forms the opinion that the disclosure will lessen or prevent a serious threat to the life, health or safety of an individual or to public safety; or
  • The School is taking appropriate action in relation to suspected unlawful activity or serious misconduct.

The School may use online or ‘cloud’ service providers to store personal information and to provide services to the School that involve the use of personal information, such as services relating to email, instant messaging, and education and assessment applications. Some limited personal information may also be provided to these service providers to enable them to authenticate users that access their services. This personal information may be stored in the ‘cloud’ which means that it may reside on a cloud service provider’s servers which may be situated outside Australia.

Google, who provides Google Apps for Education, and Microsoft, who provides Microsoft 365, are examples of such cloud storage providers used by the School and who store and process limited personal information for this purpose. School staff and service providers may have the ability to access, monitor, use or disclose emails, communications, documents and associated administrative data for the purposes of administering these services and ensuring their proper use.

Storage and Security of Personal Information

School staff are required to respect the confidentiality of personal information and the privacy of individuals.

The School stores personal information in a variety of formats including on databases, in hard copy paper based files and on personal devices including laptop computers, mobile phones, cameras and other recording devices, and with third party storage providers such as cloud storage facilities.

The security of your personal information is important to the School and the School takes all reasonable steps to protect the personal information it holds about you from misuse, interference, loss, and unauthorised access, modification or disclosure. These steps include, but are not limited to:

  • Restricting access to information on School databases and systems on a need to know basis with different levels of security being allocated to staff based on their roles and responsibilities and security profile.
  • Storing sensitive and health information in hard copy files in lockable filing cabinets in lockable rooms, and access to these records is restricted to staff on a need to know basis.
  • Implementing physical security measures around the School buildings and grounds to prevent break-ins.
  • Storing archived hard copy files with reputable specialised secure record storage providers.
  • Implementing and keeping up to date information technology and cyber security systems, and policies and procedures designed to protect personal information on the School’s network.
  • Implementing policies and procedures, such as email and internet usage, password security, confidentiality and document security policies, designed to ensure that staff follow correct protocols when handling personal information.
  • Undertaking due diligence with respect to third party service providers who may have access to personal information to ascertain as far as practicable they are compliant with the Australian Privacy Principles or a similar privacy regime.

Personal information that is no longer needed or required to be retained by any other laws is destroyed in a secure manner, deleted or de-identified as appropriate.

The School’s website, intranet and social media channels may contain links to third party websites or social media channels. The School does not share your personal information with those third party websites or social media channels and it is not responsible for the information stored, accessed, used or disclosed on such third party websites or social media channels, or for their privacy policies and practices.

Responding to Data Breaches

A data breach concerns the security of personal information and involves the actual unauthorised access or disclosure of personal information or the loss of personal information where the loss is likely to result in unauthorised access or disclosure.

Data breaches are not limited to the malicious acts of third parties such as theft or hacking, but may also arise from human error, systems failure or failure to follow information handling or security policies resulting in accidental loss, access or disclosure.

The School will take appropriate prompt action if it has reasonable grounds to believe that a data breach may have, or is suspected to have, occurred. This will usually include a review of the School’s internal security and other procedures and taking remedial internal action.

In the event a data breach is likely to result in serious harm to one or more individuals and the School is not able to quickly remediate the breach to minimise that risk, the data breach is classified as an eligible data breach.

In the event of an eligible data breach, the School will notify the Office of the Australian Information Commissioner (the “OAIC”) and depending on the nature of the eligible data breach will also either notify the individuals whose personal information was involved in the data breach, notify individuals who are at likely risk of serious harm or, if the School is unable to notify individuals, a statement will be published on the School’s website and reasonable steps will be taken to publicise the contents of this statement. The School has no obligation to notify any individuals or the OAIC where a data breach is not an eligible data breach, but may elect to do so voluntarily.

Personal Information of Students

The Privacy Act 1988 (Cth) does not differentiate between adults and children and does not specify an age after which individuals can make their own decisions with respect to their personal information.

The School takes a common sense approach to dealing with a student’s personal information and generally will refer any requests for personal information to a student’s parents. The School will treat notices provided to parents as notices provided to students and consents provided by parents as consents provided by a student. The School is, however, cognisant of the fact that children do have rights under the Privacy Act 1988 (Cth).

In certain circumstances the School may grant a student access to personal information held by the School about them. Likewise, the School may also consider a request for correction to personal information, or allow a student to give or withhold consent to the use or disclosure of their personal information independently of their parents. This would normally occur only when the maturity of the student and/or the student’s personal circumstances warrant it.

There may also be occasions where parents are denied access to information with respect to their children, because to provide such information would have an unreasonable impact on the privacy of others, result in a breach of the School’s duty of care to the student, or where the student has provided information in confidence.

Quality of Personal Information

The School takes all reasonable steps to ensure the personal information held, used and disclosed is accurate, complete and up to date. These steps include ensuring that the personal information is accurate, complete and up to date at the time of collection and when using or disclosing personal information.

On an ongoing basis the School maintains and updates personal information when advised by individuals. If the School becomes aware that personal information is incorrect or out of date, the School will take reasonable steps to rectify the incorrect or out of date information.

Please contact the School immediately if any of the details you have previously provided change, or if you believe that the information held about you is not accurate, complete or up to date.

Access or Correction of Personal Information

You may submit a request for access to the personal information the School holds about you, or request that the School corrects a perceived inaccuracy in your personal information, by contacting the School’s Privacy Officer in writing or by email.

The School may take steps to verify your identity before granting access to or amending any information.

The School may charge a fee to cover the cost of verifying your application and locating, retrieving and copying any material requested if the information sought is extensive. The School will advise such costs in advance.

If the School does not agree to provide you with access as requested, or to amend your personal information as requested, you will be notified and provided with the reason(s) for this decision. If a request to amend your personal information is rejected, you may make a statement about the requested amendments and the School will attach this to your record.

Privacy Complaints

If you wish to make a complaint about the manner in which the School manages personal information, including any belief that the School has breached the Australian Privacy Principles or Health Privacy Principles you may do so by providing your complaint by email or letter to the School’s Privacy Officer. You may also make a complaint verbally.

The School does not charge a fee for the handling of complaints.

The Privacy Officer will investigate your complaint and respond within a reasonable time (usually no longer than 30 days). The Privacy Officer may need to seek further information from you in order to provide a full and complete response.

If you are not satisfied with the School’s response, you may refer the complaint to the Office of the Australian Information Commissioner (“OAIC”). A complaint can be made using the OAIC Online Privacy Form found on the OAIC website (www.oaic.gov.au) or by mail, fax or email to the OAIC. A referral to the OAIC should be a last resort once all avenues of resolution directly with the School have been exhausted.

Contact the Privacy Officer

You can contact the School’s Privacy Officer about this Policy, the way the School manages the personal information it holds, or about your personal information by:

Emailing: privacy@cranbrook.nsw.edu.au
Calling: +61 2 9327 9405
Writing to: Privacy Officer, Cranbrook School, 5 Victoria Road, Bellevue Hill NSW, 2023.

You can contact the Privacy Officer anonymously or by using a pseudonym. However, if you choose not to identify yourself, the School may not be able to give you the information or provide the assistance you might otherwise receive.

Changes to Privacy and Information Handling Practices

The School may review and update this Privacy Policy and its information handling practices to take account of new or changed laws or technology, changes to the School’s operations and practices and to make sure it remains appropriate to the changing School environment. As such, this Privacy Policy is subject to change at any time. The School’s Privacy Policy is available on the School’s website and it should be checked regularly by you for any changes.

Published: 21 December 2018

 

Alumni Management Software powered by
ToucanTech