• Policy Number: SCS2022022
• Document Rescinds/Replaces: HR201705-3.0
• Policy released: 15 August 2022
• Review Date: 15 August 2025
• Policy Type: Operational
• Audience: Public
• Approved: Executive Director
• Document Owner: Director: Governance & Legal

This Privacy Policy sets out how Sydney Catholic Schools (SCS) manages personal information provided to or collected by it and its schools.

The purpose of the Privacy Policy is to inform:

  • SCS staff about their obligations concerning personal information and the relevant supporting documents to assist them to meet these obligations; and
  • members of the wider school community about how SCS manages their personal information and how they may request access to this information, including making a complaint about how SCS has managed their information.

This policy applies to SCS staff. In this policy, SCS staff means all employees, members of religious orders engaged in schools, volunteers, trainees, interns and labour hire employees.

This policy also applies to contractors, job applicants, parents/carers, students, and other members of the SCS school community.

Failure to comply with this policy may lead to disciplinary action including termination of employment of SCS staff.

3.1 Personal information of students and parents/carers

SCS collects and holds personal information, including health and other sensitive information about students and parents/carers before, during and after the period of a student’s enrolment at a school, including:

  • name, contact details (including next of kin), date of birth, gender, language background, previous school and religion
  • parents’/carers’ education, occupation and language background
  • medical information (e.g. details of a disability and/or allergies, absence notes, medical reports and names of health professionals)
  • conduct and complaint records, or other behaviour notes and school reports
  • information about referrals to government welfare agencies
  • counselling reports
  • health fund details and Medicare numbers
  • any court orders such as parenting orders and Apprehended Domestic Violence Orders (ADVOs)
  • volunteering information
  • photos and videos at school events.

3.2 Personal information of job applicants, staff members, volunteers and contractors

SCS collects and holds personal information, including health and other sensitive information, about job applicants, staff members, volunteers and contractors, including:

  • name, contact details (including next of kin), date of birth and religion
  • information on job application
  • professional development history
  • salary and payment information, including superannuation details
  • medical information (e.g. details of disability and/or allergies, medical reports and medical certificates)
  • complaint records and investigation reports
  • leave details
  • photos and videos at school events
  • technical or metadata fields (e.g. IP addresses, device identifiers for every device on the SCS ICT network) that can reasonably identify an individual
  • emails sent or received using a SCS email account or SCS service, internet browsing history and all activity on SCS ICT resources
  • workplace surveillance information collected in accordance with the SCS Workplace Surveillance Policy.

3.3 Personal information of others who come into contact with SCS

SCS collects and holds personal information, including health and other sensitive information about other people who come into contact with SCS or a school, including name and contact details and any other information necessary for the particular contact with SCS.

3.4 How personal information is collected by SCS

SCS will generally collect personal information held about an individual through paper or electronic forms filled out by parents/carers or students, face-to-face meetings and interviews, emails and telephone calls.

On applying to enrol a student, parents/carers provide permission for schools to obtain information from third parties including other schools. For example, SCS may obtain a report provided by a medical professional or a reference from another school. Detailed information about personal information SCS collects is set out in the Standard Collection Notice that is attached to the application to enrol.

3.5 Exception in relation to employee records

Under the Privacy Act 1988 (Cth) (the Privacy Act) and Health Records and Information Privacy Act 2002 (NSW) ( the Health Records Act), the Australian Privacy Principles and Health Privacy Principles do not apply to an employee record. As a result, this Policy does not apply to SCS’ treatment of an employee’s record, where the treatment is directly related to a current or former employment relationship between SCS and the employee. However, as a matter of best practice, SCS respects the privacy of its employees and the importance of keeping their personal information confidential.

3.6 Issue of Collection Notices

SCS will issue the applicable information collection notices in the following circumstances:

SCS will use personal information it collects for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of collection and reasonably expected by the individual, or to which they have consented.

4.1 Use of personal information – students and parents/carers

SCS’ primary purpose of collection of personal information of students and parents/carer is to enable SCS and the school to provide education to students enrolled at the school, exercise its duty of care and perform necessary associated administrative activities which will enable students to take part in all the activities of the school. This includes satisfying the needs of parents/carers, students, SCS and the school throughout the whole period of enrollment.

Purposes for which SCS and a school use personal information of students and parents/carers include:

  • to keep parents/carers informed about matters related to their child’s schooling and spiritual and social wellbeing through correspondence, newsletters and magazines
  • day-to-day administration of SCS and the school
  • looking after students’ educational, social, spiritual and medical wellbeing
  • seeking donations and marketing for SCS and the school
  • to satisfy the legal obligations of SCS and the school including obligations under child protection and other legislation, court orders and to meet our duty of care.

In some cases, where SCS or a school requests personal information about a student or parents/carers and the information requested is not provided, the school may not be able to enrol or continue the enrollment of the student, or permit the student to take part in a particular activity.

4.2 Use of personal information – job applicants and contractors

SCS or a school’s primary purpose of collection of personal information of job applicants and contractors is to assess and (if successful) engage the applicant or contractor. Purposes for which SCS or a school uses the personal information of job applicants and contractors include:

  • administering the individual’s employment or contract
  • insurance
  • satisfying the legal obligations of SCS and the school, e.g. in relation to child protection.

4.3 Use of personal information – volunteers

SCS and our schools also obtain personal information about volunteers who assist a school in its functions or conduct associated activities, such as alumni associations, to enable the school and the volunteers to work together.

4.4 Use of personal information – marketing and fundraising

SCS and our schools regard marketing and seeking donations for future development to be an important part of ensuring that SCS schools continue to provide a high-quality learning environment in which students and staff thrive. Personal information held by SCS or a school may be disclosed, with consent, to organisations that assist in a school’s fundraising, for example, SCS’ Catholic Education Foundation or alumni organisation and/or, on occasions, external fundraising organisations.

Parents/carers, SCS staff, contractors and other members of the wider school community may from time to time receive fundraising information or school publications such as newsletters and magazines.

4.5 Use of personal information – sharing between SCS schools

The Privacy Act does not prevent each school from sharing personal (including sensitive) information with the other schools operated by SCS provided appropriate consents are sought from parents and carers. Parents and carers are made aware on enrolment that personal information may be shared between SCS schools. Other schools may then only use this shared personal information for the purpose for which it was originally collected by SCS as set out in the Collection Notices.

This allows schools to transfer information between them; for example, when a student transfers from one SCS school to another. Sharing sensitive information, such as medical information, requires direct consent from parents and carers which is sought on the student’s enrolment and throughout the student’s schooling. Sensitive information is stored securely on Compass and access is restricted to staff on a strictly “need to know” basis.

5.1 Who might SCS disclose personal information to?

SCS or a school may disclose personal information, including sensitive information, held about an individual for educational, spiritual, social, administrative and support purposes, to:

  • other schools operated by SCS and teachers at those schools
  • Catholic Schools NSW (CSNSW)
  • Catholic schools in the dioceses of NSW and the ACT for which CSNSW is the approved system authority in respect of the Nationally Consistent Collection of Data (NCCD) on school students with disability
  • government departments (including for policy and funding purposes)
  • the school’s local parish, the Archdiocese of Sydney, or other related church agencies/entities
  • medical practitioners
  • people providing educational, support and health services to a school, including specialist visiting teachers, counsellors and sports coaches and other school coaches and tutors
  • providers of specialist advisory services and assistance, including in the areas of human
    resources, child protection and children with additional needs
  • providers of learning and assessment tools
  • assessment and educational authorities, including the Australian Curriculum, Assessment and Reporting Authority (ACARA) and NAPLAN (National Assessment Platform Literacy and Numeracy) Test Administration Authorities, who will disclose it to the managers of NAPLAN’s online platform
  • for students enrolled in Vocational Education and Training (VET) courses, the National Centre for Vocational Education Research Ltd (NCVER), a student’s employer, Commonwealth, State and Territory government departments and authorised agencies, organisations conducting student surveys and researchers
  • people and organisations providing administrative and financial services to the school
  • recipients of school publications such as newsletters and magazines
  • students’ parents/carers
  • anyone an individual authorises SCS or the school to disclose their information to
  • anyone to whom SCS or the school are required or authorised by law to disclose the information, including by child protection laws.

5.2 Sending information overseas and storing information

SCS may disclose personal information about an individual to overseas recipients outside Australia, for example, to facilitate an overseas student exchange. However, SCS will not send personal information outside Australia without:

  • obtaining the consent of the individual (in some cases this consent will be implied); or
  • otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.

SCS may use online or ‘cloud’ service providers to store personal information and to provide services to SCS that involve the use of personal information, such as services relating to email, instant messaging, online learning resources and education and assessment applications. Some limited personal information may also be provided to these service providers to enable them to authenticate users that access their services. This personal information may be stored on a cloud service provider’s server which may be situated outside Australia, for example Google.

In referring to ‘sensitive information’, SCS means:
a. information about an individual relating to their racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, philosophical beliefs, sexual orientation or practices or criminal record, that is also personal information; and
b. health information and biometric information about an individual.

Sensitive information will be used and disclosed only for the purpose for which it was provided, or a directly related secondary purpose, unless the individual agrees otherwise, or the use or disclosure of the sensitive information is allowed by law.

SCS staff are required to respect the confidentiality of students’ and parents/carers’ personal information and the privacy of individuals.

SCS and each school has steps in place to protect the personal information held from misuse, interference, loss, unauthorised access, modification or disclosure. These include secure storage of paper records and password protected access to computerised records.

SCS and each school also store personal information on a centralised digital information management and storage platform called ONCE that includes a centralised student information system (Compass) and centralised digital storage system called CeD3. Access to personal information may be granted to students and parents/carers via Compass to allow them to update personal information online. Students’ and parents/carers’ privacy and information access rights remain the same regardless of where or how the information is stored.

Under the Privacy Act and Health Records Act, an individual has the right to access any personal information which SCS or a school holds about them and to advise SCS and/or the school of any perceived inaccuracy.

A request to access or update any personal information SCS or a school holds about an individual, may be made in writing as follows:
• by a student or parent/carer, to the school Principal; and
• by any other individual, to SCS, via the SCS Privacy Officer at legal@syd.catholic.edu.au,

A fee may be charged to cover the cost of verifying an application and locating, retrieving, reviewing and copying the material requested. If the information sought is extensive, SCS or the school will advise the likely cost in advance. If SCS or the school cannot provide access to the requested information, a written notice will be provided explaining the reasons.

SCS respects parents/carers’ right to make decisions concerning their child’s education. Generally, SCS or the school will refer any requests for consent and notices in relation to a student’s personal information to their parents/carers. SCS and the school will treat consent given by parents/carers as consent given on behalf of the student.

A notice to parents/carers will act as notice given to the parent/carer. Parents/carers may seek access to personal information held by the school about them or their child by contacting the school Principal. However, there will be occasions when access is denied, such as where release of information would have an unreasonable impact on the privacy of others, is prevented by a court order or where the release may result in a breach of a school’s duty of care to the student.

Students will generally be able to access and update their personal information through their parents/carers, but older students may seek access and correction themselves. There are some exceptions to these rights set out in the applicable legislation.

A school may, at its discretion, on the request of a student, grant that student access to information held by the school about them, or allow a student to give or withhold consent to the use of their personal information, independently of their parents. This would normally be done only when the capacity and maturity of the student and/or the student’s personal circumstances warrant. As a general rule, SCS may assume a student over the age of 15 has capacity to consent. However, it may be appropriate in individual cases for parents/carers to consent on a student’s behalf.

For further information about the way SCS or a school manages the personal information it holds, or to complain about an alleged breach of the Australian Privacy Principles, please contact:
• the school Principal; or
• the SCS Privacy Officer on 02 9569 8416 or by email to: legal@syd.catholic.edu.au.

The school or SCS will investigate any complaint and will notify the individual making the complaint of the decision as soon as is practicable.

If you have any questions about this Policy or would like further information, please contact the Legal Team in Governance & Legal on (02) 9568 8416 or legal@syd.catholic.edu.au.

• Policy Number: SCS2022022
• Document Rescinds/Replaces: HR201705-3.0
• Policy released: 15 August 2022
• Review Date: 15 August 2025
• Policy Type: Operational
• Audience: Public
• Approved: Executive Director
• Document Owner: Director: Governance & Legal

PRINTABLE PDF – PRIVACY POLICY