Privacy Policy

1. Purpose of this policy

1.1 Calrossy Anglican School (CAS) is committed to ensuring procedures are in place to protect the privacy of parents, students and staff.

1.2 The school is bound by the Australian Privacy Principles contained in the Commonwealth Privacy Act 1988 (Commonwealth Privacy Act) and the New South Wales Health Privacy Principles in the Health Records and Information Privacy Act 2002 (Health Records Act).

1.3 A Privacy Policy is needed to inform individuals about the practices of CAS in relation to personal information. It also serves as a guide to the School's staff as to the standards to be applied in respect of handling personal information and ensure consistency in the School's approach to privacy.

2. Principles

2.1 A Privacy Policy is needed to inform individuals about the practices of CAS in relation to personal information. It also serves as a guide to the School's staff as to the standards to be applied in respect of handling personal information and ensure consistency in the School's approach to privacy.

2.2 This Privacy Policy sets out how the School manages personal information provided to or collected by it.

2.3 The School may, from time to time, review and update this Privacy Policy to take account of new laws and technology, changes to the School’s operations and practices and to make sure it remains appropriate to the changing school environment.

3. Aims of the policy

3.1 To ensure records are appropriately secure and that personal information is protected.

3.2 To ensure records are only kept for as long as is necessary.

4. Legal and regulatory basis for compliance

4.1 Australian Privacy Principles contained in the Commonwealth Privacy Act 1988.

4.2 Health Privacy Principles which are contained in the Health Records and Information Privacy Act 2002 (NSW).

4.3 The privacy laws regulate personal information that is recorded – either written or on a database. If personal information is not recorded it is not regulated by the Privacy Act.

5. Key definitions

5.1 PERSONAL INFORMATION: Includes but is not limited to a person’s name, address, financial information, marital status or billing details.

5.2 SENSITIVE INFORMATION: Information relating to a person’s racial or ethnic origin, political opinions or membership of a political organisation, religion, philosophical beliefs, trade union, professional or trade association membership, sexual orientation or practices, criminal record, health and biometric/genetic information.

5.3 The Working with Children Check (WWCC) is a screening mechanism to prevent certain persons from engaging in child-related work.

5.4 HEALTH INFORMATION: Includes any information collected about an individual’s health or disability and any information collected in relation to a health service that is provided. It includes such things as notes of symptoms, diagnosis or treatments, doctor’s reports, appointment times and prescriptions.

6. Scope

This policy outlines the circumstances in which we obtain personal information, how we use and disclose that information and how we manage requests to access and/or change that information.

CAS has, where possible, attempted to standardise the collection of personal information by using specifically designed forms (e.g. an Enrolment Application Form or Health Information Disclosure Form). However, given the nature of our operations we also receive personal information by email, letters, notes, via our website, over the telephone, in face-to-face meetings, through financial transactions and through surveillance activities such as the use of CCTV security cameras or email monitoring.

We may also collect personal information from other people (e.g. a third-party administrator, referees for prospective employees) or independent sources. However, we will only do so where it is not reasonable and practical to collect personal information from the individual directly.

We may collect information based on how individuals use our website. We use “cookies” and other data collection methods to collect information on website activity such as the number of visitors, the number of pages viewed and the internet advertisements which bring visitors to our website. This information is collected to analyse and improve our website, marketing campaigns and to record statistics on web traffic. We do not use this information to personally identify individuals.

6.1 What kinds of personal information does the School collect and how does CAS collect it?

The collection of personal information depends on the circumstances in which CAS is collecting it. If it is reasonable and practical to do so, we collect personal information directly from the individual.

The type of information CAS collects and holds includes (but is not limited to) personal information, including health and other sensitive information, about:

a. pupils and parents and/or guardians ('Parents') before, during and after the course of a pupil's enrolment at the School, including:

  1. name, contact details (including next of kin), date of birth, gender, language background, previous school and religion;

  2. parents' education, occupation and language background;

  3. medical information (e.g. details of disability and/or allergies, absence notes, medical reports and names of doctors);

  4. conduct and complaint records, or other behaviour notes, and school reports;

  5. information about referrals to government welfare agencies;

  6. counselling reports;

  7. health fund details and Medicare number;

  8. any court orders;

  9. volunteering information; and

  10. photos and videos at School events;

b. job applicants, staff members, volunteers and contractors, including:

  1. name, contact details (including next of kin), date of birth, and religion;

  2. information on job application;

  3. professional development history;

  4. salary and payment information, including superannuation details;

  5. medical information (e.g. details of disability and/or allergies, and medical

  6. complaint records and investigation reports;

  7. leave details;

  8. photos and videos at School events;

  9. workplace surveillance information;

  10. work emails and private emails (when using work email address) and Internet browsing history; and

c. other people who come into contact with CAS, including name and contact details and any other information necessary for the particular contact with the CAS.

Personal Information you provide: CAS will generally collect personal information held about an individual by way of forms filled out by Parents or pupils, face-to-face meetings and interviews, emails and telephone calls. On occasions people other than Parents and pupils provide personal information.

Personal Information provided by other people: In some circumstances CAS may be provided with personal information about an individual from a third party, for example a report provided by a medical professional or a reference from another school.

Exception in relation to employee records: Under the Privacy Act and the Health Records Act, the Australian Privacy Principles and Health Privacy Principles do not apply to an employee record. As a result, this Privacy Policy does not apply to CAS's treatment of an employee record, where the treatment is directly related to a current or former employment relationship between CAS and employee.

Unsolicited information: CAS may be provided with personal information without having sought it through our normal means of collection. This is known as “unsolicited information” and is often collected by:

  1. Misdirected postal mail – letters, notes, documents

  2. Misdirected electronic mail – emails, electronic messages

  3. Employment applications sent to us that are not in response to an advertised


  4. Additional information provided to us which was not requested.

Unsolicited information obtained by CAS will only be held, used and/or disclosed if it is considered as personal information that could have been collected by normal means. If that unsolicited information could not have been collected by normal means then we will destroy, permanently delete or de-identify the personal information as appropriate.

6.2 How will CAS use the personal information you provide?

CAS will use personal information it collects from you for the primary purpose of collection, and for such other secondary purposes that are related to the primary purpose of collection and reasonably expected by you, or to which you have consented.

Pupils and Parents: In relation to personal information of pupils and Parents, the School's primary purpose of collection is to enable CAS to provide schooling to pupils enrolled at the school, exercise its duty of care, and perform necessary associated administrative activities, which will enable pupils to take part in all the activities of CAS. This includes satisfying the needs of Parents, the needs of the pupil and the needs of the School throughout the whole period the pupil is enrolled at CAS.

The purposes for which CAS uses personal information of pupils and Parents include:

  1. to keep Parents informed about matters related to their child's schooling, through correspondence, newsletters and magazines;

  2. day-to-day administration of the School;

  3. looking after pupils' educational, social and medical wellbeing;

  4. seeking donations and marketing for the School; and

  5. to satisfy CAS's legal obligations and allow the School to discharge its duty of


In some cases where CAS requests personal information about a pupil or Parent, if the information requested is not provided, CAS may not be able to enrol or continue the enrolment of the pupil or permit the pupil to take part in a particular activity.

Job applicants and contractors: In relation to personal information of job applicants and contractors, CAS’s primary purpose of collection is to assess and (if successful) to engage the applicant or contractor, as the case may be.

The purposes for which CAS uses personal information of job applicants and contractors include:

  1. administering the individual's employment or contract, as the case may be;

  2. for insurance purposes;

  3. seeking donations and marketing for CAS; and

  4. satisfying CAS's legal obligations, for example, in relation to child protection


Volunteers: CAS also obtains personal information about volunteers who assist the School in its functions or conduct associated activities, such as alumni associations, to enable CAS and the volunteers to work together.

Marketing and fundraising: CAS treats marketing and seeking donations for the future growth and development of the School as an important part of ensuring that CAS continues to provide a quality learning environment in which both pupils and staff thrive. Personal information held by CAS may be disclosed to organisations that assist in the School's fundraising, for example, the School's Foundation or alumni organisation or, on occasions, external fundraising organisations.

Parents, staff, contractors and other members of the wider School community may from time to time receive fundraising information. School publications, like newsletters and magazines, which include personal information, may be used for marketing purposes.

6.3 Who might CAS disclose personal information to and store your information with?

CAS may disclose personal information, including sensitive information, held about an individual for educational, administrative and support purposes. This may include to:

  1. other schools and teachers at those schools;

  2. government departments (including for policy and funding purposes);

  3. medical practitioners;

  4. people providing educational, support and health services to CAS, including specialist visiting teachers, [sports] coaches, volunteers, and counsellors;

  5. providers of specialist advisory services and assistance to CAS, including in the area of Human Resources, child protection and students with additional needs;

  6. providers of learning and assessment tools;

  7. assessment and educational authorities, including the Australian Curriculum, Assessment and Reporting Authority (ACARA) and NAPLAN Test Administration Authorities (who will disclose it to the entity that manages the online platform for NAPLAN);

  8. people providing administrative and financial services to CAS;

  9. recipients of School publications, such as newsletters and magazines;

  10. pupils' parents or guardians;

  11. anyone you authorise the School to disclose information to; and

  12. anyone to whom we are required or authorised to disclose the information to by law, including child protection laws.

Sending and storing information overseas: CAS may disclose personal information about an individual to overseas recipients, for instance, to facilitate a school exchange. However, CAS will not send personal information about an individual outside Australia without:

  1. obtaining the consent of the individual (in some cases this consent will be implied); or

  2. otherwise complying with the Australian Privacy Principles or other applicable privacy legislation.

CAS may use online or 'cloud' service providers to store personal information and to provide services to the School that involve the use of personal information, such as services relating to email, instant messaging and education and assessment applications. Some limited personal information may also be provided to these service providers to enable them to authenticate users that access their services. This personal information may be stored in the 'cloud' which means that it may reside on a cloud service provider's servers which may be situated outside Australia.

An example of such a cloud service provider is Microsoft. Microsoft provides Office 365 including Outlook for email, and stores and processes limited personal information for this purpose. School personnel and our service providers may have the ability to access, monitor, use or disclose emails, communications (e.g. instant messaging), documents and associated administrative data for the purposes of administering Office 365 and ensuring its proper use.

6.4 How does CAS treat sensitive information?

Sensitive information will be used and disclosed only for the purpose for which it was provided or a directly related secondary purpose, unless you agree otherwise, or the use or disclosure of the sensitive information is allowed by law.

6.5 Management, storage and security of personal information

The CAS staff are required to respect the confidentiality of pupils' and Parents' personal information and the privacy of individuals.

CAS has in place steps to protect the personal information the School holds from misuse, interference and loss, unauthorised access, modification or disclosure by use of various methods including locked storage of paper records and password access rights to computerised records.

Storage and Security of Personal Information: CAS stores Personal Information in a variety of formats including, but not limited to:

  i. databases
  ii. hard copy files
  iii. personal devices, including laptop computers
  iv. third party storage providers such as cloud storage facilities
  v. paper based files.

CAS takes all reasonable steps to protect the personal information we hold from misuse, loss, unauthorised access, modification or disclosure.
These steps include, but are not limited to:

  1. Restricting access and user privilege of information by staff depending on their role and responsibilities.

  2. Ensuring staff do not share personal passwords.

  3. Ensuring hard copy files are stored in lockable filing cabinets in lockable rooms. Staff access is subject to user privilege.

  4. Ensuring access to CAS’s premises is secured at all times.

  5. Implementing physical security measures around the school buildings and grounds to prevent break-ins.

  6. Ensuring our IT and cyber security systems, policies and procedures are implemented and up to date.

  7. Ensuring staff comply with internal policies and procedures when handling the

  8. Undertaking due diligence with respect to third party service providers who may have access to personal information, including customer identification providers and cloud service providers, to ensure as far as practicable that they are compliant with the APPs or a similar privacy regime.

  9. The destruction, deletion or de-identification of personal information we hold that is no longer needed, or required to be retained by any other laws.

Our public website may contain links to other third-party websites outside of CAS. CAS is not responsible for the information stored, accessed, used or disclosed on such websites and we cannot comment on their privacy policies.

6.6 Access and correction of personal information

Under the Commonwealth Privacy Act and the Health Records Act, an individual has the right to seek and obtain access to any personal information which CAS holds about them and to advise the School of any perceived inaccuracy. Pupils will generally be able to access and update their personal information through their Parents, but older pupils may seek access and correction themselves.

There are some exceptions to these rights set out in the applicable legislation.

To make a request to access or to update any personal information CAS holds about you or your child, please contact the Principal or his delegate by telephone or in writing. CAS may require you to verify your identity and specify what information you require. CAS may charge a fee to cover the cost of verifying your application and locating, retrieving, reviewing and copying any material requested. If the information sought is extensive, CAS will advise the likely cost in advance. If we cannot provide you with access to that information, we will provide you with written notice explaining the reasons for refusal.

6.7 Consent and rights of access to the personal information of pupils

CAS respects every Parent's right to make decisions concerning their child's education. Generally, CAS will refer any requests for consent and notices in relation to the personal information of a pupil to the pupil's Parents. CAS will treat consent given by Parents as consent given on behalf of the pupil, and notice to Parents will act as notice given to the pupil.

Parents may seek access to personal information held by CAS about them or their child by contacting the School by telephone or in writing. However, there may be occasions when access is denied. Such occasions would include where release of the information would have an unreasonable impact on the privacy of others, or where the release may result in a breach of the School's duty of care to the pupil.

CAS may, at its discretion, on the request of a pupil grant that pupil access to information held by the School about them, or allow a pupil to give or withhold consent to the use of their personal information, independently of their parents. This would normally be done only when the maturity of the pupil and/or the pupil's personal circumstances warrant it.

6.8 Enquiries and complaints

If you would like further information about the way CAS manages the personal information it holds, or wish to complain that you believe that the School has breached the Australian Privacy Principles, please contact the Principal by:

  1. emailing or

  2. writing to PO Box 1245, Tamworth NSW 2340, or

  3. calling 02 5776 5100.

CAS will investigate any complaint and will notify you of the making of a decision in relation to your complaint as soon as is practicable after it has been made.

7. Roles and responsibilities

7.1 The CAS Board is responsible for ensuring that the school has an up-to-date Privacy Policy.

7.2 The Principal is responsible for promoting a culture of good privacy practice.

7.3 The Principal is responsible for ensuring this policy is implemented in accordance with commonwealth and state privacy legislation.

7.4 The Principal is responsible for:

  1. ensuring procedures are in place to manage records efficiently in line with this policy

  2. ensuring the Privacy Policy is reviewed regularly and frequently.

7.5 All staff are responsible for applying good record management practices, including good housekeeping.

7.6 All staff are responsible for ensuring they are compliant with the School’s Privacy Policy.

8. Links to other policies

8.1 Data Security and Data Breach Policy

8.2 Records Retention/Archives Policy

8.3 Risk Management Policy

8.4 Internet Use Policy

8.5 Photograph/Video permissions

9. Communication of the policy

9.1 CAS publishes its Privacy Policy on its website and The HUB.

9.2 The Privacy Policy is publicly available to governors, contractors, volunteers, staff and anyone who requests it.

10. Policy implementation documents

10.1 The key to achieving compliance and ensuring continued compliance with the Privacy Act will be through the conduct of the School's employees and other staff members. The CAS staff members will be trained in the principal requirements of the Privacy Act. There are a number of ways that employees are made aware of the requirements of APP 1 (and the other obligations under the Privacy Act). These include raising general awareness by:

a. circulating the Privacy Policy to all staff and requiring them to acknowledge receipt

b. informing staff of the requirements of confidentiality and extending this obligation contractually where necessary; and

c. holding internal seminars, workshops and staff PD days.

11. Policy review

11.1 The Executive will review the Privacy Policy annually.

Counselling at CAS – Things You Should Know

CAS provides counselling services for its students as part of its pastoral care program. These are provided through counsellors employed by the School.

Students are encouraged to make use of these services if they need assistance. There are, however, a number of things that students and their parents should know before using the counselling service.

  1. Records will be made of counselling sessions and because the counsellor is an employee, those records belong to CAS, not the Counsellor.

  2. CAS is very conscious of the need for confidentiality between Counsellor and student. However, at times it may be necessary for the Counsellor to divulge the contents of discussions or records to the Principal if the Principal or the Counsellor considers it necessary for the student's welfare to discharge the School's duty of care to the student.

  3. It is also possible that the Principal may need to disclose aspects of discussions with Counsellors to others in order to assist the student.

  4. Where a disclosure is made it would be limited to those who need to know, unless the student consents to some wider disclosure.

We emphasise that disclosures (if any) would be very limited. However, if a student is not prepared to use the counselling services on the basis set out above, the student will need to obtain counselling services from outside CAS.