1. Overview
1.1 The School is bound by the Australian Privacy Principles contained in the Privacy Act 1988 (Cth), the Fair Work Regulations 2009 (Cth) and the Health Records Act 2001 (Vic).
1.2 This Policy outlines the way the School collects, holds, uses and discloses personal information.
1.3 We may update this Policy from time to time without notice if our information collection practices change. You are advised to regularly check this Policy on our website for any updates.

2. What personal information do we collect?
2.1 The information we collect depends on the nature of your relationship and interaction with us. We may collect information about:
a) students, parents/legal guardians and homestay providers;
b) our employees, contractors, volunteers, gap assistants, prospective employees;
c) our suppliers and their employees; and
d) other people who come into contact with the School.
2.2 We generally collect and hold information such as names, date of birth, contact details, biometric data, passport details, occupation, company name, payment details, employment history, education and qualifications, testimonials and feedback and other information which may assist us in providing education to our students, marketing the School or complying with our legal and regulatory obligations. We may also collect sensitive information, including health information, membership of a professional association or religious affiliations.
2.3 We may also collect non-personal information provided by your browser when you visit our website (for example, the website you came from, your location information, IP address and the date and time of accessing our website).

3. How do we collect and hold your personal information?
3.1 We collect information in various ways, including:
a) face to face meetings, interviews and telephone calls;
b) correspondence;
c) when you apply for employment at the School;
d) enquiries via telephone, email or our website;
e) paper or online forms completed by parents, students and employees;
f) through visitor sign in at our campus receptions;
g) from a third party, for example a report provided by a medical professional, a reference from another school;
h) taking photographs or video of students, employees and School community members at functions and events;
i) through the use of Cookies on our website to assist in remembering preferences;
j) through third party providers to manage our event registrations;
k) through third party platforms to survey people about a range of matters relevant to the School;
l) through third party platforms to analyse traffic on our website and social media channels; and
m) indirectly through publicly available sources.
3.2 We use social networking services such as Twitter, Facebook and Instagram to communicate news with the wider School community and the public. When someone communicates with us using these services, we may collect Personal Information, but it is only used it to help us to communicate with the person and the School community and the public.
3.3 The social networking service will also handle personal information for its own purposes. These services have their own privacy policies which can be found on their websites.
3.4 The Privacy Act does not cover employee records unless the information is used for a purpose that is not directly related to the employment relationship. However, School Employees may request to access their personal information under the Fair Work Regulations 2009 (Cth).
3.5 The School handles employee health records in accordance with the Health Privacy Principles in the Health Records Act.

4. Using personal information
4.1 At all times, we will try to use personal information we collect for the particular function or activity we require it for. Occasionally, we may use that information for related secondary purposes. The following table explains the general purpose for using personal information:

GroupPurpose
Students and parents/legal
guardians
Enabling us to provide exceptional education for our students, including:
keeping parents/legal guardians informed about their child;
day to day administration;
looking after a student’s educational, social and medical wellbeing;
seeking donations and marketing for the School; and satisfying our legal obligations and allow us to discharge our duty of care.
Job Applicants, employees, and
contractors
Assessing and (if successful) engaging those people. Information is used for
administering employment contracts, satisfying insurance requirements and
satisfying our legal obligations (for example, in relation to child protection
legislation).
VolunteersCollecting information to assist us with our functions or associated activities and
satisfy legal obligations (for example in relation to child protection legislation).
Legal requirementsTo satisfy the School’s legal obligations (for example, child protection and safety
obligations.)
Marketing and fundraisingWe treat marketing and seeking donations for the future growth and development
of the School as an important part of ensuring that we continue to be a quality
learning environment. Personal Information held by us in this context may be
disclosed to an external organisation solely for the purpose of assisting with our
fundraising activities.
Members of the School community may, from time to time, receive fundraising
information. School publications, like newsletters and magazines, which include
personal information and sometimes visual images of students, parents/legal
guardians or employees, may be used for marketing purposes.

5. Sensitive Information
5.1 We also collect sensitive information including information about health, disability, racial or ethnic origin, religious, political or philosophical beliefs, professional association or trade union memberships, sexuality or criminal record.
5.2 The School will not collect sensitive information about you unless you consent to the collection, it is reasonably necessary, or it is required by law.
5.3 Sensitive information collected by the School will be used and disclosed only for the primary purpose for which it was provided, or for a purpose directly related to the primary purpose. The use or disclosure must be necessary to assist with the School’s functions or activities, or when the use or disclosure of the Sensitive Information is allowed by law.

6. Disclosure of personal information
6.1 We will only disclose personal information if one or more of the following applies;
a) a student or their parents/legal guardians have consented to the disclosure by agreeing to the Conditions of Entry and signing the Offer of Place;
b) if it could be reasonably expected that we would use or disclose the information in that way;
c) if we are authorised or required to do so by law;
d) if disclosure will lessen or prevent a serious threat to the life, health or safety of an individual or to public safety; or
e) where another permitted general situation or permitted health situation exception applies.
6.2 Subject to clause 7.1, we may disclose personal information to:
a) another school;
b) government departments;
c) medical practitioners;
d) people providing services to the School, including without limitation, specialists visiting teachers and sports coaches, third party providers assisting us with our compliance and legal obligations;
e) recipients of our publications, like newsletters and magazines;
f) newspapers;
g) parent association/committees;
h) other parents or guardians; and
i) other third parties if you have consented to the disclosure.

7. Sending information overseas
7.1 We will not send information outside Australia without obtaining your consent (sometimes this consent will be implied), or otherwise complying with the Australian Privacy Principles.

8. Event bookings, Surveys and tracking providers
8.1 We use TryBooking to manage our event registrations. TryBooking may collect and hold your personal information. TryBooking’s privacy policy is available on its website.
8.2 We use SurveyMonkey and Microsoft Forms to survey people about a range of matters relevant to the School. SurveyMonkey and Microsoft Forms may collect and hold your personal information. Their privacy policies are available on their websites.
8.3 We use multiple tracking providers such as Google Analytics and others to report analytics and advertise the School. Google may store Personal Information in multiple countries. Google’s privacy policy is available on its website.

9. Management and security of personal and sensitive information

9.1 School Employees are required to respect the confidentiality and privacy of students’ and parents/legal guardians’ personal information.

9.2 We have processes in place to protect the personal and sensitive information we hold from misuse, interference, loss, unauthorised access, modification or disclosure, by use of various methods including locked storage of paper records and pass worded access rights to computerised records.

9.3 Where we no longer require your personal information we will take reasonable steps to destroy or de-identify it.

9.4 Student and employee records are appropriately archived to meet any future inquiries and for historical purposes.

10. Updating information

We endeavour to ensure that the personal and sensitive information we hold is accurate, complete and up to date. You may ask us to update your personal and sensitive information held by us at any time.

11. Accessing and correcting personal information
11.1 You have the right to request access to any of your personal and sensitive information and to advise us of any corrections. There are some circumstances where access may be denied, including where release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of our duty of care to a student.
11.2 Requests to access any information we hold about a School Employee, student or member of the School community member (for example, a legal request or a request on behalf of a family member) should be forwarded in writing to the Director of Corporate Services (corporateservices@ggs.vic.edu.au). We may require a person to verify their identity and specify what information they wish to view. We may also charge a fee to cover the cost of verification, document retrieval, review and copying. We will advise of the expected cost in advance if the material requested is extensive. It may take up to 20 working days to make the information available.

12. Consent and rights to accessing personal information of students
12.1 Generally, we will refer any requests for consent and notices in relation to the information of a student to the student’s parents/legal guardian. We will treat consent given by parents/legal guardian as consent given on behalf of the student and notice to parents/legal guardian will act as notice given to the student.
12.2 The School may in its sole discretion permit a student to give or withhold consent to the use of their own personal information, depending on the age and maturity of the student and where appropriate.

13. Unauthorised access, use or disclosure
13.1 We take seriously and deal promptly with any unauthorised access, use or disclosure of personal information, and take all reasonable steps to prevent such unauthorised access, use or disclosure, such as:
a) regularly assessing the risk of unauthorised access, use or disclosure of information and taking measures to address those risks;
b) regularly report risks to the School Council and implement any corrective measures required to mitigate the risk; and
c) destroy information when it is no longer required in line with our relevant document retention and destruction policies.
13.2 The Notifiable Data Breaches scheme requires us to notify you if your information is involved in an “eligible data breach”, that is, a data breach that is likely to result in serious harm to you. We are also required to notify the Office of the Australian Information Commissioner.
13.3 We follow the steps required in our Data Breach Response Plan if a breach is suspected or occurs.

14. How to make a complaint
14.1 If you believe we have breached our obligations under the Australian Privacy Principles, you should forward a complaint in writing to the Director of Corporate Services (corporatesevices@ggs.vic.edu.au). The complaint should include all details so that an assessment can be made as to whether there has been a data breach.
14.2 We will respond to you within a reasonable time after receipt of the complaint. In responding to you, we will determine whether a breach has occurred and, if so, the appropriate response in light of the circumstances.
14.3 If you do not believe the complaint was adequately dealt with by us, you may make a further complaint to the Australian Information Commission. Once referred to the Australian Information Commission, the complaint will be dealt with by way of conciliation. If a resolution cannot be reached the Australian Information Commission may make a determination which is binding on the parties and enforceable at law.
14.4 We encourage anyone wishing to make a complaint to first attempt to resolve any complaint with us directly before referring the complaint to the Australian Information Commission.

15. Review and circulation

Responsible
Department:
☐ Academic ☒ Corporate Services and Risk ☐ Finance and Operations ☐ Head of Campus ☐ Human
Resources ☐ Medical
Approved by:☐ Principal ☐ School Council ☒ Director of Corporate Services
Effective Date:08.01.2020
Review Date:08.01.2022
Applicable
Location:
☒ School wide ☐ Bostock ☐ Corio ☐ Timbertop ☐ Toorak
Applicable
Audience:
☒ School Community ☐ Students ☐ Parents ☐ School Employees
Publication:☐ Portal >Staff Resources ☐ Portal >Student Resources ☐ Portal >Parent Resources ☒ School
Website