Privacy policy
Rosebank College promotes an inclusive, welcoming, healthy, and safe environment for all children, and provides transparent, accountable, risk-based approaches to ensure child safeguarding.
I. Purpose
This Privacy Policy (Policy) outlines Rosebank’s obligations under the Privacy Act 1988 (Cth) and the Health Records and Information Privacy Act 2002 (NSW), and the processes for ensuring compliance with those obligations and protecting the privacy of individuals.
This Policy sets out how Rosebank College collects, manages, and discloses Personal Information, and provides guidelines to all Staff on how to handle Personal Information.
II. Privacy Rights
Privacy is a human right whose purpose is to protect information about a person’s being, actions, association, and beliefs, ensuring their dignity, safety, and self-determination. Failure to protect the privacy of information may result in reputational damage, emotional distress, identity theft, intimidation, or financial loss.
III. Information
Rosebank is an independent Good Samaritan Benedictine Catholic co-educational school. Rosebank will only collect Personal Information that is reasonably necessary for its operations.
The College will notify or make the individual aware of the collection of Personal Information before the collection or as soon as reasonably practicable. When collecting information, the College will inform the individual of:
- The name and contacts for the College, if the individual has a complaint or wishes to access or modify their Personal Information.
- The collection and the circumstances of the collection, if the individual was not aware of the collection, e.g., collection through a third party.
- Whether the collection is required by law.
- The purposes of the collection and the consequences if the individual objects to the collection (if any).
- The parties to whom the College may disclose the information (if applicable), e.g., contractors, government agencies.
- This Policy and its contents.
i. Type of information
In its day-to-day activities, Rosebank may collect Personal Information from:
- Students and Parents before, during and after the Student’s enrolment at the College.
- Job applicants, Staff, volunteers, and contractors.
- Any other people that might interact / contract with the College to allow the College to perform its activities.
Rosebank may collect the Personal Information, including:
- Name and contact details.
- Next of kin’s details.
- Gender.
- Language background.
- Ethnicity.
- Health Information.
- School records.
- Referrals.
- Counselling reports.
- Photos and videos.
- Vehicle registration.
Volunteers’ Records are subject to this Policy.
ii. Collection of Information
Rosebank may collect Personal Information in several ways, including through the College’s website, email, supplier forms, and enrolment forms.
i. Information provided by the individual
The College will collect Personal Information provided by the individual in writing or verbally, e.g., emails, enrolment forms, meetings, phone calls.
ii. Information provided by third parties
In some circumstances, the College may collect Personal Information provided by third parties, e.g., school records, medical records, counselling reports, criminal checks.
iii. Unsolicited Information
At times, the College may receive or collect Personal Information that it has not requested (Unsolicited Information). The College only holds, uses, and discloses Unsolicited Information if the College would or could have collected such information through its normal operations, e.g., enrolment.
Upon receiving Unsolicited Information, the College will determine if it could have received such information by other means through its normal operations. Otherwise, the College will destroy, permanently delete or de-identify the information.
Staff must not make notes of Unsolicited Information received verbally.
iv. Sensitive Information
The collection of Sensitive Information is subject to:
- Consent, except relating to information necessary to prevent or mitigate a serious threat to the person.
- Legal requirement.
- Specific circumstances, e.g., Health Information.
v. Surveillance
The College has surveillance systems, including CCTV and computer monitoring systems. The use of those systems may result in collection of Personal Information, according to the College’s Surveillance Policy.
Rosebank’s Acceptable Use of Information Technology Resources provides for the use and monitoring of the College’s technology resources and network. All Staff, Students and Parents receive Rosebank’s Acceptable Use of Information Technology Resources Policy and must sign Rosebank’s Acceptable Use of ICT Agreement.
IV. Consent
Rosebank will request the individual’s consent for the collection and use of their Personal Information. The consent given by the Parent will be treated as consent on behalf of the Student. Individuals may withdraw their consent at any time.
V. Use and Disclosure of Personal Information
i. Students and Parents
Rosebank will collect information from Parents and Students for several purposes, including:
- Provide schooling to Students.
- Enrolment.
- Collection of fees.
- College’s day-to-day operation.
- Communicate with Parents about Students and Rosebank’s activities.
- Student’s wellbeing.
- Donations and marketing.
- Fundraising: the College may disclose Personal Information to organisations that assist with fundraising, e.g., Parents and Friends Association or Alumni organisation.
- Insurance.
- Legal requirements.
If Students or Parents refuse to provide the requested information, the College might be unable to enrol, continue the enrolment of the Student or provide its services.
ii. Applicants, Staff and Volunteers
Rosebank will collect information from applicants, Staff and Volunteers for several purposes, including:
- Recruitment.
- Employment.
- Insurance.
- Legal requirements.
iii. Contractors and Vendors
Rosebank will collect information from contractors and vendors for several purposes, including:
- Tenders.
- Services.
- Payment.
- Enable the College’s operations.
Rosebank may disclose Personal Information to:
- Other schools.
- Government agencies.
- Medical practitioners.
- Persons and organisations providing services to the College, e.g., administrative, and financial services.
- Students and Parents.
- Overseas schools, to facilitate students’ exchange programs.
- Legal requirements.
Rosebank may disclose Personal Information to overseas recipients, e.g., to facilitate the Benedictine Exchange Program or Pilgrimage. In this case, Rosebank will obtain the individual’s consent for this purpose.
VI. Access to the information
Upon request, the College will provide the individual with access to their Personal Information held by Rosebank.
Requirements to access Personal Information:
- Written request indicating the information subject to the request.
- Proof of identity, e.g., Parents’ request for access to their child’s information.
- Payment of access fees, if providing access to the information will subject the College to significant costs, e.g., high volume of documents, photocopy, costs associated with locating, retrieving or reviewing the information.
Exceptions to access include:
- Access may pose the risk of serious threat to the individual or public interest.
- Access would violate the privacy of others.
- The request is frivolous.
- The information is privileged or there is a legal requirement to deny access.
- The information could negatively affect negotiations with the person.
- Access is unlawful.
- The information would reveal commercially sensitive information.
The College will respond to a request for access within a reasonable timeframe and provide the information if reasonable to do so. If the College refuses access to information, the College will communicate the reasons for refusal to the individual.
Parents may request access to Personal Information of their child/ren.
In some circumstances, Rosebank may charge reasonable fees for access to Personal Information.
Requests for access to information must be directed to the Principal or the Privacy Officer.
VII. Updating information
Rosebank is committed to ensuring the accuracy of the Personal Information it holds. An individual who wishes to update their Personal Information must contact the College.
VIII. Security of Records
The College will do all that is reasonably necessary to ensure the security of Records, and prevent misuse, interference, loss, unauthorised access, or disclosure of Personal Information.
Records kept in hard copy are securely stored in locked cabinets or rooms with restricted access.
Electronic Records are kept in accordance with the College’s ICT Framework.
Records no longer necessary for the purpose for which they were collected will be destroyed or de-identified, unless otherwise required by law.
All Staff must comply with this Policy and take all reasonable steps to protect Personal Information held by the College, including respecting and protecting the privacy of Students, Parents and other Staff.
IX. Data Breach
A Data Breach might result from a malicious third party’s acts, human error, system failure or policy breach causing unauthorised access to or disclosure of Personal Information.
Under the Notifiable Data Breach Scheme (NDB Scheme), Rosebank must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of an Eligible Data Breach, that is, a Data Breach:
- that is likely to result in risk of serious harm to the affected individual(s), and
- Rosebank was unable to prevent the risk with remedial measures.
A serious harm includes physical, psychological, emotional, financial or reputational harm.
Upon a Data Breach, the College must follow Rosebank’s Data Breach Response Plan and will assess the breach to determine if it is an Eligible Data Breach, in which case the College will notify the affected individual(s) and the OAIC using the Notifiable Data Breach Form.
X. Privacy Officer
Rosebank’s Privacy Officer is the Head of Audit, Risk and Reporting.
The College’s Privacy Officer is responsible for privacy related issues at Rosebank. Any issues relating to privacy must be raised with the Privacy Officer at privacy@rosebank.nsw.edu.au or via telephone (02) 9713 3126.
XI. Enquiries and Complaints
The College welcomes feedback. Individuals who:
- wish to make a complaint,
- wish to obtain more information about how the College manages Personal Information, or
- believe Rosebank College has breached the Australian Privacy Principles
should contact the College Privacy Officer by email on privacy@rosebank.nsw.edu.au or telephone (02) 9713 3126.
Rosebank College will investigate all complaints.
XII. Record management
Rosebank College takes all reasonable steps to ensure Personal Information is securely stored, and it does not keep Personal Information that is no longer necessary. The storage, retention and destruction of Personal Information is outlined in Rosebank’s Record Management Policy.
XIII. Compliance with this Policy
All Staff must comply with this Policy. A breach of this Policy may result in disciplinary and legal consequences.
XIV. Review
The College will review this Policy every 12 months.
XV. Definitions
- Data Breach means the unauthorised access or disclosure of Personal Information, or loss of Personal Information.
- Parent(s) means a parent of a Student, includes guardians and carers.
- Personal Information means a range of information or opinion that could identify an individual.
- Personal Information includes name, signature, address, phone number, date of birth, Sensitive Information, Credit Information, employment records, images, internet protocol (IP) address, biometrics, location history (e.g., mobile device tracking).
- Personal Information does not include information publicly available.
- Primary Purpose of Collection means the main purpose for which the Personal Information is collected.
- Secondary Purpose of Collection means the purpose that relates to the Primary Purpose of Collection which is reasonably expected by the individual. In the event of Sensitive Information, the Secondary Purpose of Collection must be directly related to the Primary Purpose of Collection.
- Sensitive Information means Personal Information that includes information or opinion about a person’s:
- Race or ethnic origin
- Political opinion or association
- Religious or philosophical beliefs
- Sexual orientation or practices
- Criminal records
- Health or genetic information.
- Record(s) means a document, electronic or other device containing Personal Information.
- Rosebank or College means Rosebank College.
- Staff or Employee(s) means all persons employed by Rosebank College, paid or unpaid, on permanent or casual basis, includes volunteers and contractors.
- Student(s) means a person of any age enrolled as a student at Rosebank.
- Health Information means sensitive information relating to the health or disability of a person, including a person’s wishes about their preferences for treatment or health service provider(s).
- Includes information provided by a person to their health service provider.
XVI. Related legislation, regulations and standards
- Privacy Act 1988 (Cth)
- Australian Privacy Principles
- Privacy and Personal Information Protection Act 1998 (NSW)
- My Health Records Act 2012 (Cth)
- Health Records and Information Privacy Act 2002 (NSW)
- Children’s Guardian Act 2019 (NSW)
- Child Protection (Working with Children) Act 2012 (NSW)
- Child Protection (Working with Children) Regulation 2013 (NSW)
- Children and Young Persons (Care and Protection) Act 1998
- Crimes Act 1900 (NSW)
- Children and Young Persons (Care and Protection) Regulation 2012
- Children and Young Persons (Care and Protection) (Child Employment) Regulation 2015
- ISO 3100:2018
XVII. Rosebank related documents
- Code of Conduct
- Surveillance Policy
- Data Breach Response Plan
- Employment Collection Notice
- Standard Collection Notice
- Records Management Policy and Procedure
- Record Retention Schedule
- Notifiable Data Breach Form
XVIII. Version control
Policy date: May 2023
Next review date: May 2024
Previous versions: 2020-1 - June 2020