IntentTo protect the fundamental right to privacy with respect to the processing of personal, sensitive and health information. To protect the right to confidentiality with regard to information relating to the personal affairs of an individual that may be considered private. To assure compliance with relevant privacy and data protection legislation. To establish principles of transparency and fairness for the management of personal, health, sensitive or confidential information at CWiA School and all its operations.
ScopeThis policy covers the management of all personal, sensitive and health information at CWiA no matter how collected or stored. The policy is applicable to any external providers and contractors contracted by CWiA who may collect, access, use, disclose or manage personal, sensitive, health and confidential information relating to staff, students or any other individual whose information may be collected.
ExclusionsThis policy does not apply to personal information or data which has been manifestly made public by the data subject or is legitimately already within the public domain. This policy does not include information that relates to a corporate, government or business entity.
ObjectivesTo guide staff in the responsible collection, use, disclosure and handling of information collected and managed by CWiA and all its operations, which relates personally to an individual or their affairs.
1. Management of personal, sensitive, health and confidential information (relating to an individual)CWiA is committed to the responsible handling, and open and transparent management, of personal, sensitive, health and confidential information and to protecting the right to privacy of individuals whose information it holds. CWiA must not act or engage in a practice that breaches any relevant privacy or data protection legislation in Victoria, Australia or other jurisdiction in which CWiA operates; except where other Victorian, Australian or international jurisdiction legislation specifically requires or allows the practice. Provisions within this policy also apply to unsolicited personal information received.
2. Basic privacy and confidentiality principlesThe following basic privacy principles must be applied in accordance with the relevant supporting instruction. CWiA and all its operations must:
a. Collect only that information necessary to fulfil CWiA functions and activities;
b. Advise individuals of the purpose of collection and their rights to access that information;
c. Use the information only for the purpose for which it was collected, for related secondary purposes, with consent or as required or permitted by law;
d. Manage all data or privacy breaches in accordance with the Compliance Breach Reporting Procedure and always consider, in a non-self-serving manner, notification to impacted individuals;
e. Do not use or disclose personal information for the purpose of direct marketing, unless an exemption applies or unless express consent has been obtained from the individual.
f. Endeavour to ensure that information is accurate, complete and up-to-date;
g. Ensure the security of information and its proper storage, archiving or disposal in accordance with appropriate recordkeeping standards and information technology safeguards.
h. Be open and transparent about the type of personal information CWiA holds and what is done with such information;
i. By arrangement, enable individuals to access their data and make appropriate corrections, in accordance with relevant access procedures;
j. Assign and use student and staff numbers only to facilitate efficient management of CWiA business and, where possible, not to use other organisations’ identifiers.
k. Transmit personal information / data across geographical borders only to legitimate recipients, after appropriate risk assessment of privacy protections, and when equivalent safeguards are accorded to the information / data by the recipient;
l. Collect and use sensitive information only in accordance with the relevant CWiA procedure or instruction, or where required or permitted by law.
3. Personal student informationThe principles of Victorian privacy law are the base or minimum level of information management and protections for all CWiA students and their personal, sensitive and health information. Where applicable, additional or higher level protections afforded by other jurisdictional law may be applied. Where a law in any jurisdiction appears to be in conflict with Victorian privacy law, consultation must be undertaken with the CWiA Privacy Officer, the Assistant Director, Compliance or an appropriate legal officer to gain advice on additional processes that may need to be implemented to continue privacy protection assurance.
a.Cross border flows of student personal information
Personal student information can be transferred to CWiA operations in other jurisdictions only where:
- Assurance has been gained that the recipient CWiA operation manages and protects personal information in accordance with this policy; and
- That the provision is necessary for legitimate CWiA operations or activities; or
- Specific consent of the individual has been obtained.
Where doubt exists as to the validity of a cross border transfer of information, the CWiA privacy officer must be consulted.