February 2020


The purpose of this policy is to establish a framework for the Diocesan Schools System (DSS) to comply with the requirements of all relevant Commonwealth and State privacy legislation in an open and transparent way. This Policy applies to schools conducted by the DSS and sets out how each school and the Catholic Schools Office (CSO) manages personal information provided to or collected by the CSO and schools that are members of the DSS.

The DSS is bound by the Australian Privacy Principles contained in the Commonwealth Privacy Act 1988. In relation to health records the DSS is also bound by the Health Privacy Principles contained in the Health Records and Information Privacy Act 2002 NSW (Health Records Act).


Personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information is true or not.

Sensitive information means information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, trade union or other professional or trade association membership, sexual orientation or practices or criminal record, and includes health information and biometric information about an individual.

Health information means information about the health or disability of an individual.

What kinds of personal information does a school collect and how does a school collect it?

The type of information schools collect and hold includes (but is not limited to) personal information, including health and other sensitive information, about:

– Students and parents and/or guardians (parents) before, during and after the course of a student’s enrolment at the school:

  • name, contact details (including next of kin), date of birth, gender, language background, previous school and religion;
  • parents’ education, occupation and language background;
  • medical information (eg. details of disability and/or allergies, absence notes, medical reports and names of doctors);
  • results of assignments, tests and examinations;
  • conduct and complaint records, or other behaviour notes, and school reports;
  • information about referrals to government welfare agencies;
  • counselling reports;
  • health fund details and Medicare number;
  • any court orders;
  • volunteering information;
  • photos and videos at school events;

– Job applicants, staff members, volunteers and contractors:

  • name, contact details (including next of kin), date of birth, and religion;
  • information on job application;
  • professional development history;
  • salary and payment information, including superannuation details;
  • medical information (eg. details of disability and/or allergies, and medical certificates);
  • complaint records and investigation reports;
  • leave details;
  • photos and videos at school events;
  • workplace surveillance information;
  • work emails and private emails (when using work email address) and internet browsing history; and

– other people who come into contact with the school, including name and contact details and any other information necessary for the particular contact with the school.

Personal Information provided by the individual:

A school will generally collect personal information held about an individual by way of forms filled out by parents or students, face-to-face meetings and interviews, emails and telephone calls. A school also collects personal information when a secondary student uses their issued Compass card for example to record attendance.

If an enrolment application is made to two (or more) schools in the Broken Bay Diocesan Schools System (DSS) the personal information provided during the application process may be shared between the schools. This personal information may include health information and is used for the purpose of considering and administering the enrolment of the student within the DSS.

Personal Information provided by other people:

In some circumstances a school may be provided with personal information about an individual from a third party, for example, a report provided by a medical professional or a reference from another school.

Exception in relation to employee records:

Under the Privacy Act and the Health Records and Information Privacy Act 2002 (NSW), the Australian Privacy Principles and Health Privacy Principles do not apply to an employee record. As a result, this Privacy Policy does not apply to the treatment by a school or the CSO of an employee record, where the treatment is directly related to a current or former employment relationship between the school or CSO and employee.

How will a school use the personal information it collects?

A school will use personal information it collects for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of collection and reasonably expected, or to which consent has been given.

Students and Parents:

In relation to personal information of students and parents, a school’s primary purpose of collection is to enable the school to provide schooling for students enrolled at the school, exercise its duty of care, and perform necessary associated administrative activities, which will enable students to take part in all the activities of the school. This includes satisfying the needs of parents, the needs of the student and the needs of the DSS and school throughout the whole period the student is enrolled at the school.

The purposes for which the DSS and a school uses personal information of students and parents include:

  • keeping parents informed about matters related to their child’s schooling, through correspondence, newsletters and magazines
  • day-to-day administration, including seeking the payment of fees for schools within the DSS when a student transfers between such schools
  • looking after students’ educational, social, spiritual and medical wellbeing
  • seeking donations and marketing for the school
  • satisfying legal obligations of the DSS and the school and enabling the school to discharge its duty of care.

In some cases where a school requests personal information about a student or parent, if the information requested is not obtained, the school may not be able to enrol or continue the enrolment of the student or permit the student to take part in a particular activity.

Job applicants and contractors:

In relation to personal information of job applicants and contractors, a school’s primary purpose of collection is to assess and (if successful) to engage the applicant or contractor, as the case may be. The purposes for which a school uses personal information of job applicants and contractors include:

  • administering the individual’s employment or contract, as the case may be;
  • contact in an emergency;
  • insurance;
  • seeking funds and marketing for the school; and
  • satisfying the DSS’s and the school’s legal obligations, for example, in relation to child protection legislation.


A school also obtains personal information about volunteers who assist the school in its functions or who conduct associated activities, such as ex-student associations or parent advisory bodies, to enable the school and the volunteers to work together.

Marketing and fundraising:

Parents, staff, contractors and other members of the wider school community may from time to time, receive fundraising information. School publications, like newsletters and magazines, which include personal information, may be used for marketing purposes. Personal information held by a school may be disclosed to an organisation that assists in the school’s fundraising, for example, the school’s ex-student association.

To whom might a school disclose personal information?

A school may disclose personal information, including sensitive information, held about an individual for educational, administrative and support purposes. This may include to:

  • other schools and teachers at those schools including a new school to which a student transfers to facilitate the transfer of the student, and schools within the DSS where concurrent applications for enrolment are made to those schools;
  • government departments (including for policy and funding purposes);
  • the CSO and Catholic Schools NSW (CSNSW)
  • the school’s local parish and Diocese of Broken Bay;
  • medical practitioners;
  • people providing educational, support and health services to the school, including specialist visiting teachers, counsellors, sports coaches and volunteers
  • providers of learning and assessment tools;
  • providers of specialist advisory services and assistance to the school, including in the area of human resources, child protection and students with additional needs
  • assessment and educational authorities, including the Australian Curriculum, Assessment and Reporting Authority (ACARA) and NAPLAN Test Administration Authorities (who will disclose it to the entity that manages the online platform for NAPLAN);
  • agencies and organisations to whom the DSS is required to disclose personal information for education and research purposes;
  • people providing administrative, technology and financial services to the school;
  • recipients of school publications, such as newsletters and magazines;
  • students’ parents or guardians;
  • anyone an individual authorises the school to disclose information to; and
  • anyone to whom we are required to disclose the information by law, including child protection laws.

Sending and storing information overseas:

A school may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange or other overseas excursion. However, a school will not send personal information about an individual outside Australia without:

  • obtaining the consent of the individual (in some cases this consent will be implied); or
  • otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.

The school uses centralised information management and storage systems (Systems). Some of these Systems are provided by the Catholic Education Network (CEnet) and others by third party service providers. CEnet is owned by the Catholic Dioceses. Personal information is stored with and accessible by CEnet and the third party providers for the purpose of providing services to the school in connection with the Systems and for CEnet, administering the education of students.

The school may use online or ‘cloud’ service providers to store personal information and to provide online services to the school that involve the use of personal information, such as services relating to email, instant messaging and education and assessment applications. Some limited personal information may also be provided to these service providers to enable them to authenticate users and access their services. This personal information may be stored in the ‘cloud’ which means that it may reside on a cloud service provider’s servers which may be situated outside Australia.

An example of such a cloud service provider is Google. Google provides the ‘Google Apps for Education’ (GAFE) including Gmail, and stores and processes limited personal information for this purpose. School personnel, the CSO and CSNSW and its service providers may have the ability to access, monitor, use or disclose emails, communications (eg instant messaging), documents and associated administrative data for the purposes of administering GAFE and ensuring its proper use.

How does a school treat sensitive information?

Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless the individual agrees otherwise, or the use or disclosure of the sensitive information is allowed by law.

Management and security of personal information

CSO and school staff are required to respect the confidentiality of students’ and parents’ personal information and the privacy of individuals. Any staff member who is uncertain about their obligations under this policy should seek clarification from their principal or in the case of CSO staff, from their Head of Service. A failure by a staff member to comply with the important obligations set out in this policy may result in disciplinary action.

Each school is required to have in place steps to protect the personal information the school holds from misuse, interference and loss, unauthorised access, modification or disclosure by use of various methods including locked storage of paper records and password access rights to computerised records.

Access and correction of personal information

Under the Commonwealth Privacy Act and the Health Records Act, an individual has the right to seek and obtain access to any personal information which the CSO or a school holds about them and to advise the CSO or the school of any update or perceived inaccuracy. There are some exceptions to this right set out in the Act. Students will generally be able to access and update their personal information through their parents, but older students may seek access and correction themselves.

To make a request to access or update any personal information the CSO or a school holds about an individual or their child, parents should contact the school’s principal in writing.

The school may require a parent to verify their identity and specify what information is required. The school may charge a fee to cover the cost of verifying the application and locating, retrieving, reviewing and copying any material requested. If the information sought is extensive, the school will advise the likely cost in advance. However, there will be occasions when access is denied. Such occasions would include where release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of the school’s duty of care to the student. If the school is not able to provide access to that information, the school will provide the parent with written notice explaining the reasons for refusal (unless, given the grounds for refusal, it would be unreasonable to provide reasons).

Consent and rights of access to the personal information of students

The DSS respects every parent’s right to make decisions concerning their child’s education. Generally, a school will refer any requests for consent and notices in relation to the personal information of a student to the student’s parents. A school will treat consent given by parents as consent given on behalf of the student, and notice to parents will act as notice given to the student.

A school may, at its discretion, on the request of a student grant that student access to information held by the school about them, or allow a student to give or withhold consent to the use of their personal information, independently of their parents. This would normally be done only when the maturity of the student and/or the student’s personal circumstances so warrant it.

Enquiries and complaints

For further information about the way the CSO or a school manages the personal information it holds, or to make a complaint that a school or the CSO has breached the Australian Privacy Principles, individuals should contact the school’s principal (if the complaint relates to a school) or the Privacy Officer at the CSO (if the complaint relates to the CSO).

The school or the CSO will investigate any complaint and will notify the complainant of a decision in relation to their complaint as soon as is practicable after it has been made. The DSS Complaints Handling Policy provides guidelines for the handling of complaints relating to the operation of Diocesan Systemic Schools, including complaints about management of personal information provided to or collected by the CSO and the schools it administers.

Individuals may also make a complaint to the Office of the Australian Information Commissioner.

Related legislation, policies and procedures

  • Australian Curriculum, Reporting and Assessment Act 2008 (Cth)
  • Children and Young Persons (Care and Protection) Act 1998
  • Complaints Handling Policy and Procedures
  • Diocesan Schools System Acceptable Use Policy
  • Education Act 1990 (NSW)
  • Education Amendment (School Attendance) Act 2009
  • Health Records and Information Privacy Act 2002 (NSW)
  • Ombudsman Act 1974
  • Privacy Act 1988 (Cth)
  • Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)
  • Schools Assistance (Learning together Through Choice and Opportunity) Act 2004 (Cth)
  • Records Retention for CSO
  • Records Retention for Schools

The Privacy Policy is to be reviewed periodically and not less frequently than once every five years from the date of the implementation of the policy.

authorised by
Dr Tony Bracken
Acting Director of Schools