Privacy Policy

1. What is this policy about?
   1. This policy is about the management of personal information by the Education Directorate (the Directorate).
2. Policy Statement
   1. The Directorate is committed to managing personal information in accordance with the Information Privacy Act 2014 (ACT), including complying with the Territory Privacy Principles (TPPs).
   2. The Directorate will not act in a way, or engage in a practice, that breaches a TPP.
   3. All officers and employees are responsible for the protection and safeguarding of personal information.
   4. All officers and employees are responsible for responding to suspected or identified privacy breaches.
   5. The Procedures set out how the Directorate manages personal information and responds to privacy breaches and complaints.
3. Who does this policy apply to?
   1. All Directorate officers and employees have obligations and responsibilities under the Act for the management of personal information.
   2. The policy also applies to students, parents and carers, contractors, volunteers, visitors and other users of school facilities.
4. Context
   1. The Act requires the Directorate to have a clearly expressed and up to date policy about the management of personal information.
   2. Territory Privacy Principle (TPP) 1.3 of the Act specifies the requirements for a policy about the management of personal information (referred to as a TPP privacy policy). The Directorate satisfies the Act ’s requirements through its Privacy Policy and the Privacy Procedures (the Procedures).
   3. The Directorate collects, retains, uses and discloses personal information  to carry out its functions and activities under the Education Act 2004 and the Education and Care Services National Law (ACT) Act 2011.
   4. The Directorate’s functions and activities that relate to personal information include:
      • provision of education services and wellbeing supports to students
      • establishment and operation of ACT public schools
      • provision of systems and services that support the delivery of education services to students, for example, software providers
      • registration of non-Government schools and home education in the ACT
      • management and administration of officers, employees, contractors, subcontractors and service providers
      • administration of local, national and international assessment programs
      • collection, management, reporting and dissemination of data relating to education in the ACT
      • consulting with stakeholders, for example, in relation to programs and policy development
      • maintaining registers about students, officers, employees, school boards, committees, ministerial correspondence, complaints and contracts
      • esponding to requests for information, including from police and Care and Protection Services
      • managing complaints, internal reviews and legal matters, including privacy complaints
      • taking regulatory action under national and ACT legislation
      • communicating with the public, stakeholders and the media, including through websites and social media platforms
   5. The TPPs cover the collection, management, access to, accuracy, use and disclosure of personal information. In summary, they are:
      • TPP 1 – open and transparent management of personal information. Personal information must be managed in an open and transparent way, including the requirement that public sector agencies comply with the TPPs and have a privacy policy that is publicly available.
      • TPP 2 – anonymity and pseudonymity. Individuals have the option of not identifying themselves, or of using a pseudonym, when dealing with a public sector agency.
      • TPP3 – collection of solicited personal information. Outlines when an agency can collect solicited personal information. It applies higher standards to the collection of sensitive information.
      • TPP 4 – dealing with unsolicited personal information. Details how an agency deals with receipt of unsolicited personal information.
      • TPP 5 – notification of the collection of personal information. Sets out the notification requirements when personal information is collected. Higher standards are applied to the collection of sensitive information – see section 3.5 of the Procedures.
      • TPP6 – use or disclosure of personal information. Covers how an agency may use or disclose personal information.
      • TPP 8 – cross-border disclosure of personal information. Addresses disclosure of personal information to an overseas recipient.
      • TPP10 – quality of personal information. An agency must take reasonable steps to ensure that personal information is accurate, up-to-date and complete.
      • TPP 11 – security of personal information. An agency must take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access or disclosure
      • TPP12 – access to personal information. Individuals must be able to access their personal information.
      • TPP 13 – correction of personal information. Covers correction of personal information to ensure it is accurate, up-to-date, complete, relevant and not misleading.
      • see also the Complaints Policy on the Directorate’s website.

      **Note: TPPs 7 and 9 do not apply to the functions or activities of the Directorate.

   6. A privacy breach may present a significant risk to individuals and the community. The impact to the reputation of the Directorate, the ACT Public Service and the Government can be significant and long-term. Privacy breaches must be managed and responded to appropriately by the Directorate.
5. Responsibilities
   1. Directorate Officers and Employees: All officers and employees must comply with this policy and adhere to the legislated responsibilities under the Act.
   2. Privacy Contact Officer: is responsible for establishing and providing leadership in best practice privacy practices, recording privacy breaches; and investigating, documenting, analysing, and reporting on privacy breaches. The position also has responsibilities as specified in the Procedures.
   3. Policy Owner: The Executive Branch Manager, Governance is responsible for this policy.
   4. Senior Executive Staff and Principals: are responsible for promoting a culture that upholds the TPPs. Where a privacy breach has occurred, they are responsible for ensuring actions are taken to contain the breach, identifying the causal factors and liaising with the Privacy Contact Officer.
6. Monitoring and Review
   1. The Policy Owner monitors the policy. This includes an annual scan of operation and review. A full review of the policy will be conducted within a five-year period.
7. Contact
   1. For support, contact Governance Branch on 02 6205 9159 or email EducationPrivacy@act.gov.au.
8. Complaints
   1. Any feedback about this policy, should be raised with the policy owner – see section 5.
9. References
   1. Definitions
      • Employee: an employee is employed to exercise the functions of an office on a temporary basis (s25 of the Public Sector Management Act 1994)
      • Officer: an officer is appointed to an office on a permanent basis (s24 of the Public Sector Management Act 1994)
      • Personal information: is information or an opinion about an identified individual, or an individual who is reasonably identifiable,
      • whether the information or opinion is true or not; and
      • whether the information or opinion is recorded in a material form or not; but does not include personal health information about the individual (s8 of the Act).
      • Further information about personal health information is contained in the Procedures, School Legal Information Manual – Privacy and Health Privacy modules and the Access to Student Records Policy.
      • Privacy breach: an act or practice that is contrary to, or inconsistent with, a TPP. The actions or inactions of officers and employees, and procedures or practices, can be in breach of the principles.
      • Territory Privacy Principle (TPP): refer to section 4.5.
   2. Legislation
      • In addition to the Act, the Directorate must also comply with other legislation which has implications for privacy and personal information, including:.
        • ACT Teacher Quality Institute Act 2010
        • Board of Senior Secondary Studies Act 1997
        • Children and Young People Act 2008
        • Court Procedures Act 2004
        • Domestic Violence Agencies Act 1986
        • Education Act 2004
        • Education and Care Services National Law (ACT) Act 2011
        • Freedom of Information Act 2016
        • Health Records (Privacy and Access) Act 1997
        • Human Rights Act 2004
        • Human Rights Commission Act 2005
        • National Disability Insurance Scheme Act 2013 (Cth)
        • National Redress Scheme for Institutional Child Sexual Abuse Act 2018 (Cth)
        • Ombudsman Act 1989
        • Public Sector Management Act 1994
        • Senior Practitioner Act 2018
        • Standards for Registered Training Organisations (RTOs) 2015
        • Territory Records Act 2002
        • Training and Tertiary Education Act 2003
        • Work Health and Safety act 2011
        • Working with Vulnerable People (Background Checking) Act 2011
        • Workplace Privacy Act 2011
   3. Implementation Documents
      • Privacy Procedures
      • School Legal Information Manual – Privacy module
      • School Legal Information Manual – Health Privacy module
   4. Related Policies and Information
      • Access to Student Records Policy
      • Critical/Non-Critical Incident Management and Reporting Policy
      • Cyber Security Policy
      • Freedom of Information

Privacy Policy: 00082 is the unique identifier of this document. It is the responsibility of the user to verify that this is the current and complete version of the document, available on the Directorate’s website at http://www.education.act.gov.au/publications_and_policies/school_and_corporate_policies/A-Z/.