Purpose
The Privacy Policy defines Haileybury’s approach for managing personal information collected as part of the School’s activities and is designed to ensure Haileybury meets the requirements of the Australian Privacy Principles (APPs) and its obligations under the Privacy Act 1988 (the Privacy Act).
Scope
The Privacy Policy applies to the management of personal information collected by all campuses and school operations of Haileybury, including Haileybury Pangea, in the course of our operations, including that which is collected by solicited and unsolicited means, and is applicable to the management of any personal information which is under the control of Haileybury.
The management of personal information refers to the circumstances in which we obtain personal information, how we use and disclose that information and how we manage requests to access, dispose of and/or change that information.
The policy is not applicable to information which is under the control of any third party to which Haileybury provides personal information in accordance with this policy.
What is Personal Information?
Personal information is information or an opinion about an individual from which they can be reasonably identified. Haileybury may collect personal information from an individual in their capacity as a current or prospective student or parent/guardian, contractor, volunteer, job applicant, employee, alumni, visitor or others who come into contact with the School.
Collection of Personal Information
If it is reasonable and practical to do so, Haileybury will collect personal information directly from the individual.
In the course of providing our services, we may collect and hold information including but not limited to:
- Personal information, such as names, addresses, phone numbers, gender, date of birth, place of birth, nationality, government identifiers and religious beliefs
- Medical information and history
- Criminal history
- Financial and business information
- Personal information of emergency contacts
- Photographic images, sound and video recordings.
Generally, Haileybury will seek consent from the individual in writing before collecting their sensitive information (including health information).
It is noted that employee records are not covered by the APPs where they relate to current or former employment relations between the School and the employee. However, a current or former employee’s health records are covered by the Victorian Health Privacy Principles.
Solicited Information
Haileybury has, where possible, attempted to standardise the collection of personal information by using specifically designed forms to ensure that only the information required for Haileybury to provide its services is collected.
However, the School may also receive personal information necessary to effectively deliver its services or meet its legislative obligations and duty of care via email, letters, notes, our website, over the telephone, in face-to-face meetings, through financial transactions and through surveillance activities such as the use of CCTV security cameras or email monitoring.
Haileybury may also collect personal information from other sources (e.g. a third-party administrator, referees for prospective employees etc.). Personal information will only be collected from third parties where it is not reasonable and practical to collect the personal information from the individual directly.
Unsolicited Information
Haileybury may be provided with personal information without having sought it through our normal means of collection. This is known as “unsolicited information” and can be collected by:
- Misdirected postal mail – Letters, notes, documents
- Misdirected electronic mail – Emails, electronic messages
- Employment applications sent to us that are not in response to an advertised vacancy
- Information entered into or stored in online systems and platforms
- Information communicated through mail, email, telephone or verbal communication.
Unsolicited information obtained by Haileybury will only be held, used or disclosed if it is considered as personal information that could have been collected by normal means. If that unsolicited information could not have been collected by normal means it will be destroyed, permanently deleted or de-identified as appropriate.
Device Information and Activity
When you visit our websites, we may collect information about your device and activity, for example technical information, including the IP address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, cookies, operating system and platform, and type of device. Additionally, as you browse our websites and platforms, we collect information about the individual web pages or products that you view, what websites or search terms referred you to across those platforms, and information about how you interact with our Suite of Products. We refer to this automatically collected information as “Device Information”.
We collect Device Information using the following technologies:
- “Cookies” are data files that are placed on your device or computer and often include an anonymous unique identifier. For more information about cookies, and how to disable cookies, visit http://www.allaboutcookies.org
- “Log files” track actions occurring on our websites, and collect data including your IP address, browser type, Internet service provider, referring/exit pages, and date/time stamps; and
- “Web beacons”, “tags”, and “pixels” are electronic files used to record information about how you browse our websites.
Information from Third Parties
Information may be collected by us or on our behalf via third parties including the date and time of your visit to our websites, IP address, documents and pages you access, type of browser and setting, operating system, address of a recurring site you are about to visit; information you submit regarding payment particulars, device identifier, including Unique Device Identifiers (UDID), device details, pages visited, language selections, cookies, tracking pixels, geographic area and location.
Why we collect this information:
- to provide you with local information and alerts about our products and services on behalf of Institutions
- to improve our website and services
- to comply with local legal restrictions
- to gather anonymous statistics
- for analytical purposes
- to ensure proper function of the website and online software
- any other reason allowed at law.
Collection and use of sensitive information
Haileybury will only collect sensitive personal information if it is:
- reasonably necessary for the delivery of our services or to meet our legislative obligations
- necessary to lessen or prevent a serious threat to life, health or safety
- another permitted health situation.
Haileybury may share sensitive information with other entities in our organisational structure, but only if necessary to provide our products or services. Sensitive information may also be disclosed outside of Haileybury where required or permitted under legislation, such as under the Family Violence Information Sharing Scheme.
Use of Personal Information
Haileybury only uses personal information that is reasonably necessary to deliver our services (the primary purpose), for a related secondary purpose that would be reasonably expected by the individual, or for an activity or purpose to which an individual has consented.
Haileybury’s primary uses of personal information include, but are not limited to:
- Providing education, pastoral care, extra-curricular and health services
- Satisfying our legal obligations including our duty of care and child safety and wellbeing obligations
- Sharing School information with parents
- Marketing, promotional and fundraising activities
- Supporting the activities of school associations such as the Old Haileyburians’ Association
- Supporting the activities of the Haileybury Foundation
- Supporting community-based causes and activities, charities and other causes in connection with the School’s functions or activities
- Helping us to improve our day-to-day operations including training our staff
- Systems development; developing new programs and services; undertaking planning, research and statistical analysis
- School administration including for insurance purposes
- Employment of staff
- Engagement of volunteers.
We will only use or disclose sensitive or health information for a secondary purpose if an individual would reasonably expect us to use or disclose the information and the secondary purpose is directly related to the primary purpose.
We may share personal information with related bodies corporate, but only if necessary for us to provide our services.
Storage and Security of Personal Information
Haileybury stores personal information in a variety of locations including, but not limited to:
- Local servers
- Remote servers
- Hard copy files
- Personal devices, including laptop computers
- Third-party storage providers such as cloud storage facilities.
Haileybury takes all reasonable steps to protect the personal information we hold from misuse, loss, unauthorised access, modification or disclosure.
These steps include, but are not limited to:
- Restricting access and user privilege of information by staff depending on their role and responsibilities
- Educating staff and students on protection of personal passwords
- Ensuring hard copy files are stored in lockable filing cabinets in lockable rooms. Staff access is subject to user privilege
- Implementing security measures around the School buildings and grounds
- Ensuring our IT and cyber security systems, policies and procedures are implemented and current
- Monitoring staff compliance with internal policies and procedures when handling personal information
- Undertaking due diligence with respect to third-party service providers who may have access to personal information, including customer identification providers and cloud service providers, to ensure as far as practicable that they are compliant with the APPs or a similar privacy regime
- The destruction, deletion or de-identification of personal information we hold that is no longer needed or required to be retained by any other laws.
Responding to Data Breaches
The School maintains procedures for responding to data breaches, including initial containment, formal investigation and the formation of a data breach response team.
If we have reasonable grounds to believe that a data breach has occurred which is likely to result in serious harm to any individual, Haileybury will:
- Enact procedures to contain and investigate the data breach
- Attempt to notify the affected and/or at-risk individuals directly or, if it is not possible to notify individuals directly, publish a statement on our website and through appropriate public channels, and
- Provide a statement to the Office of the Australian Information Commissioner (OAIC) including details of the breach.
Disclosure of Personal Information
Personal information is used for the purposes for which it was given to Haileybury, or for purposes which are directly related to one or more of our functions or activities.
Personal information may be disclosed to government agencies, other parents, other schools, employees, recipients of School publications, visiting teachers, counsellors and coaches, our service providers, agents, contractors, business partners, related entities and other recipients from time to time, if the individual:
- has given consent; or
- would reasonably expect the personal information to be disclosed in that manner.
Haileybury may disclose personal information without consent or in a manner which an individual would reasonably expect if:
- we are required to do so by law
- the disclosure will lessen or prevent a serious threat to the life, health or safety of an individual or to public safety
- disclosure is reasonably necessary for a law enforcement related activity
- another permitted general situation applies
- another permitted health situation exists.
Disclosure of Personal Information to Overseas Recipients
Personal information about an individual may be disclosed to an overseas organisation in the course of providing our services, for example, when sending correspondence to overseas agencies representing international students. The School will only do so in compliance with applicable Australian data protection and privacy laws.
We will however take all reasonable steps not to disclose an individual’s personal information to overseas recipients unless we:
- have the individual’s consent (which may be implied)
- have satisfied ourselves that the overseas recipient is compliant with the APPs, or a similar privacy regime
- form the opinion that the disclosure will lessen or prevent a serious threat to the life, health or safety of an individual or to public safety, or
- are taking appropriate action in relation to suspected unlawful activity or serious misconduct.
Personal Information of Students
The Privacy Act does not differentiate between adults and children and does not specify an age after which individuals can make their own decisions with respect to their personal information.
At Haileybury we take a ‘common-sense’ approach to dealing with a student’s personal information and generally will refer any requests for personal information to a student’s parents/carers. We will treat notices provided to parents/carers as notices provided to students and we will treat consents provided by parents/carers as consents provided by a student.
In seeking to respect the rights of children under the Privacy Act, we recognise that in certain circumstances (especially when dealing with older students and when dealing with sensitive information), it will be appropriate to seek and obtain consents directly from students. We also acknowledge that there may be occasions where a student may give or withhold consent with respect to the use of their personal information independently from their parents/carers.
There may also be occasions where parents/carers are denied access to information with respect to their children, because to provide such information would have an unreasonable impact on the privacy of others, or result in a breach of the School’s duty of care to the student.
Quality of Personal Information
We take all reasonable steps to ensure the personal information we hold, use and disclose is accurate, complete and up-to-date, including at the time of using or disclosing the information.
If Haileybury becomes aware that the personal information is incorrect or out of date, we will take reasonable steps to rectify the incorrect or out of date information.
Access and Correction of Personal Information
You may submit a request to the School to access the personal information we hold, or request that we change or update the personal information. Upon receiving such a request, we will take steps to verify your identity before granting access or correcting the information.
If we reject the request, you will be notified accordingly. Where appropriate, we will provide the reason/s for our decision. If the rejection relates to a request to change personal information, an individual may make a statement about the requested change and we will attach this to their record.
Complaints
Haileybury takes all complaints seriously. Privacy complaints can be made to the School’s Privacy Officer and will be handled in accordance with our Complaints Policy and Procedures.
How to contact us
Haileybury can be contacted about this Privacy Policy or about personal information generally, by:
Email: privacyofficer@haileybury.vic.edu.au
Phone: (03) 9904 6150
Mail: Privacy Officer, Haileybury, 855 Springvale Rd KEYSBOROUGH VIC 3173
Changes to our privacy and information handling practices
This Privacy Policy is subject to change at any time. Please check our Privacy Policy on our website regularly for changes.