St Margaret’s College Privacy Policy
Responsibility for Policy: Human Resources Manager / Associate Principal
Approving Authority: Executive Principal / Trust Board
Applies to: Anyone within the care of St Margaret’s College
Last Review Date: June 2022
Next Review Date: June 2024
Introduction
All references in this Privacy Policy to "SMC", "the College" and "the school" are references to St Margaret’s College.
Rationale
This Policy is provided to maintain the privacy of information at SMC in accordance with the requirements of the Privacy Act (the “Act”) and to describe the potential collection, use, disclosure and the protection of personal information of individuals.
This Policy does not limit or exclude any of the individual rights under the Act. If additional information on this Act is desired, see: https://www.privacy.org.nz/the-privacy-act-and-codes/privacy-act-and-codes-introduction/
An individual may be asked to provide SMC with 'personal information'. SMC has developed this Privacy Policy to describe when personal information is collected, for what purposes and to whom this personal information may be disclosed, and to ensure that SMC complies with its obligations under any of the Privacy Act Bills. By using the SMC website and providing personal information to the school, an individual is deemed to have consented to its use in accordance with this Privacy Policy and the SMC Website Privacy Policy. Any questions or concerns regarding this Privacy Policy should be referred to SMC.
Who does this Privacy Policy apply to?
This Privacy Policy applies to SMC staff, students, parents/guardians and the wider SMC community plus any other persons who provide personal information when visiting the SMC website or otherwise providing personal information to the school.
Privacy Officer
SMC has appointed a Privacy Officer who will be able to provide further information related to this Policy.
What is personal information?
'Personal Information' is defined in the Privacy Act as information about an identifiable individual, i.e. information about a natural person (as opposed to information about a company or other legal entity), in a form which enables that person to be identified.
Appendices:
1. What information does SMC collect?
2. Use and storage of Personal information
3. Physical Security of Information, Electronic Information Privacy, Disposal of Information, Disclosure of Personal Information, Use of ‘cookies’, Email and other Electronic Communications
4. Privacy Breaches
5. Accessing Personal Information and Refusal to Supply Requested Information
6. Oranga Tamariki Privacy (Child’s Individual Information)
7. Key Principles of the Privacy Act
Policy Changes
SMC may review this Policy regularly and any changes will be notified by posting an updated version on the SMC website. Use of the SMC website following any updates constitutes acceptance of this Policy as amended. It is recommended that the Policy be regularly reviewed when visiting the school website. If an individual does not agree with any aspect of the updated Policy, then SMC must promptly be notified and use of the SMC services should cease.
This Policy links to:
(a) SMC Child Protection Policy
(b) Health and Safety Policy
(c) Student IT Use Policy
(d) Health Centre Policy
Appendix 1
What information does SMC collect?
SMC will collect the following types of information, but this information is not limited to:
A. Students
(a) Prior education records including identification of last school attended
(b) Details of medical conditions (including mental health)
(c) Details of any relevant disqualification
(d) Student progress
(e) Details of vehicle/s requiring student parking permits
(f) Photograph/s (for identification and marketing purposes)
(g) Information relevant to Ministry of Boarding Bursaries or Scholarship applications
(h) Correspondence between SMC and the student
(i) Personal information relating to the investigation and resolution of a disciplinary matter
(j) Contact information for parents
(k) Custodial arrangements
(l) Proof of eligibility - birth certificate or passport for domestic students. For international students - student visa and passport details
(m) Primary language
(n) Religion
(o) Special cultural considerations
(p) Criminal convictions or criminal investigation
(q) Legal name change documentation
(r) Mobile phone number
(s) Application form: -
(i) To notify SMC of any change in information,
(ii) Permission to share information to staff, SMC community, Trust Board, Foundation and Old Girls’ Association.
(iii) Permission to release information relating to students' health, welfare or safety outside of SMC (Ministry of Education and Health, Dental)
(iv) Permission for contact lists and details and consent for photos of student
B. Parents:
(a) Full name
(b) Date of birth (if parents provide their daughter’s birth certificate)
(c) Occupation
(d) Employer (greater understanding of our school community)
(e) Address details
(f) Phone and email details
(g) Marital status
(h) Custodial arrangements and formal agreements
(i) Bank account and other financial information
(j) Passport details
(k) Visa details
(l) Police vetting information
(m) Old Girl information - for leavers of Year 13 and past relatives who have attended SMC who may like to join the Old Girls’ Association.
C. Staff:
(a) Application form (e.g. including confirmation of eligibility to work in New Zealand, qualifications, previous experience, list of referees, criminal convictions, health issues relevant to the job)
(b) Curriculum Vitae
(c) Evaluative material (references from previous employers, SMC staff)
(d) Criminal record check (relevant to the job)
(e) Health record checks (relevant to the job)
(f) Salaries/wages
(g) Details of job including units, titles, nature of job and employment contract (e.g. fixed term individual), dates of employment, hours worked
(h) Bank and tax information
(i) Emergency contact details
(j) Details of vehicle/s requiring staff parking permit
(k) Photograph/s (for identification purposes)
(l) Correspondence between SMC and the staff member
(m) Information relating to the investigation and resolution of a disciplinary matter
(n) Police Vetting information
(o) Teacher registration information
(p) Passport details
(q) Drivers licence information
(r) Airline loyalty details
D. Event bookings:
(a) While making an event booking (ticket purchases) an individual may be required to provide certain personal information to complete a booking which may include the person’s name, address, telephone number and email address
(b) If payment is made for an event, financial information including credit card number and expiration date may be collected. This information is collected through a secure server and credit card information is not retained
(c) SMC will, however, retain the transaction details for an event on its website for audit purposes.
E. SMC Trust Board / SMC Foundation / SMCOGA
(a) The personal information collected by the SMC Trust Board and/or SMC Foundation and/or the SMC Old Girls’ Association will be used to provide services that have been authorised or requested.
(b) The personal information collected may include:
(i) Name and contact details
(ii) SMC history (if relevant)
(iii) Donation history (if relevant)
(c) SMC may also use the personal information collected to:
(i) carry out internal research and development, including planning for future fundraising
(ii) prepare communications in respect of fundraising outcomes
(iii) respond to any questions or correspondence from the individual
(iv) manage and improve the SMC website and any related services
(v) provide information about activities run by the Trust Board, Foundation or SMCOGA (including updates, events and announcements)
(vi) analyse website usage, trends and statistics
(vii) with specific permission, supply an individual with further information concerning the products and services which may be of interest
(viii) carry out any other use that is authorised or notified to the individual at the time of collection.
Appendix 2
Use and Storage of Personal Information
SMC may use personal information for the following purposes:
(a) To enable the features of the SMC website, to improve the website by determining which of our features and services are most popular, and to personalise the experience of website users
(b) To establish, maintain and improve SMC community relationship with an individual or to provide offers or promotional material
(c) Surveys conducted by SMC or third parties and participation in market research studies conducted by third parties
(d) To compile aggregate data for internal and external business purposes and generate and review reports and data about website usage patterns
(e) To provide an individual with requested services to respond to comments, concerns or requests for information
(f) To communicate with an individual, as permitted by law, and to inform the individual about SMC’s services and events
(g) Personal information may also be used for other disclosed purposes to which consent is given (whether expressly or by implication by providing SMC with personal information with knowledge of how SMC intends to use it), or to meet SMC’s legal obligations
(h) SMC may also collect and/or use personal information without consent for purposes that are permitted by applicable law, including but not limited to meeting the school’s legal obligations, assisting in the investigation of a breach of an agreement or a law, or assisting in law enforcement requests
(i) Individual information may be collected for external purposes for the protection and wellbeing of an individual’s enrolled daughter for external visits such as camps, sports tournaments, day visits and other purposes. Where possible, specific permission to use such information will be sought.
How Is Personal Information Stored:
Any personal information that SMC holds may be stored on computer databases and/or in hard copy.
Storage and Protection of Personal Information:
(a) SMC may record and store personal information and will take all reasonable steps to keep personal information secure and prevent unauthorised disclosure and to keep any such personal information accurate and up-to-date.
(b) However, SMC does not guarantee that personal information cannot be accessed by an unauthorised person (e.g. a hacker) or that unauthorised disclosures will not occur. If any passwords or other security devices are provided, it is important that such passwords and devices are kept confidential and are not allowed to be used by any other person. SMC should be notified immediately if the security of these devices is breached to prevent the unauthorised disclosure of personal information.
Appendix 3
Physical Security of Information, Electronic Information Privacy, Disposal of Information, Disclosure of Personal Information, Use of ‘cookies’, Email and other Electronic Communications
Physical Security of Information:
(a) A “clear desk approach” will be followed where there is the potential for paperwork to be observed (including outside standard office times) by unauthorised persons. Any information will be locked away.
(b) Access to personal information through electronic systems will be secured through the use of passwords.
(c) Passwords or key-pad codes shall not be provided to unauthorised personnel.
(d) Computer screens should be turned away from public areas. Where this is not possible, doors should be closed or screens placed on windows to prevent viewing of whiteboard information
(e) Computers, faxes and printers shall be placed where they cannot be accessed by unauthorised personnel
(f) Staff personnel files are to be locked away and only accessed by those with appropriate management approved authorisation.
SMC will provide Electronic Information Privacy by:
(a) Having appropriate firewalls
(b) Installing and updating antivirus software
(c) Updating passwords regularly, and notifying IT when personnel leave the school to ensure access codes previously authorised are deactivated
(d) Restricting staff access to information - only allowing access to information that staff need to do their particular role
(e) Storing computer backups and limiting access to such backups to authorised persons
(f) Requesting that digital photos are deleted on personal cameras/ phones or other electronic devices owned by a staff member or visitor where practical.
Disposal of information:
When information is no longer needed (after 7 years from the date of the last entry), it must be disposed of in an appropriate manner. Disposal of information could involve:
(a) using a shredder
(b) if using an outside contractor, making the secure destruction of documents a condition of the contract e.g. secure document destruction service
(c) Disposing of digital information on USB memory sticks
(d) archiving digital information.
Disclosure of Personal Information
(a) SMC respects the privacy of personal information and will take all reasonable steps to keep it strictly confidential. Otherwise, SMC will only disclose personal information without consent if this is necessary to protect or enforce the school’s legal rights or interests or to defend any claims made against SMC by any person (including the individual whose personal information must be disclosed), to lessen a serious threat to a person's health or safety, or as required by law.
(b) SMC will not sell or receive payment for licensing or disclosing your personal information.
Use of 'cookies' (please refer to the SMC Website Privacy Policy)
(a) A cookie is a piece of programming (that may also hold personal information) which enables SMC to customise services on its website and which may also be used for remarketing purposes. For example, a cookie can be used to store registration information so that information does not have to be re-entered on a subsequent visit to the site. SMC may send cookies to a computer while its website is being accessed.
(b) Non-attributed (anonymous) information regarding use of the SMC website may also be collected. The use of such cookies helps to provide a better experience during your use of the website by allowing SMC to understand what areas of the site are of interest to an individual. Some web browsers enable the receipt of cookies to be declined. If utilisation of this function is desired, the SMC website can still be accessed, but with some enhancement features being reduced.
Email and other Electronic Communications
(a) By using the SMC website or otherwise providing personal information, an individual is deemed to consent to being contacted by the school and/or a permitted recipient using the contact details provided (including, without limitation, via direct mailing, email, SMS, telephone call, and other phone number based messaging)
(b) SMC is committed to full compliance with the Unsolicited Electronic Messages Act 2007.
(c) An individual has the option to subscribe to certain promotional and marketing email and/or text communications. By subscribing to SMC’s email and/or text communications, or otherwise providing the school with their email address and/or mobile number, an individual is deemed to consent to receiving emails and/or texts (as the case may be) which promote and market SMC’s products and services, or the products and services of others, from time to time.
(d) An individual can opt out of those communications at any stage by utilising the corresponding "unsubscribe" facility. Once unsubscribed from the school’s email or text communications, an individual will be removed from the corresponding marketing list within five working days.
Appendix 4
Privacy Breaches
(a) If a serious privacy breach occurs, SMC will be required to notify the affected individuals and the Privacy Commissioner about that breach (where the breach is "notifiable" under applicable privacy law), under the new mandatory reporting change.
(b) If it is not clear whether a suspected data breach is "notifiable", SMC will investigate and assess the breach to determine whether (among other things) the school must notify the affected individuals if their personal information is involved in a privacy breach that is likely to result in serious harm.
(c) Even if the privacy breach is not "notifiable" by law, SMC may decide it is appropriate to notify individuals anyway.
(d) Subject to the ‘Policy Changes’ clause in this Policy, for all aspects relating to the:
(i) Containment;
(ii) Assessment;
(iii) Notification; and
(iv) Prevention
of a privacy breach, the process that will be followed is recorded in the following link: https://privacy.org.nz/responsibilities/privacy-breaches/responding-to-privacy-breaches/
Information access breaches may include:
(a) Lost records and equipment - lost or stolen laptops, USB memory sticks or paper records
(b) Incorrect e-waste disposal - incorrect computer hardware disposal and return caused by computer hard disk drives or portable storage devices such as USBs being thrown away, recycled or returned to leasing companies, or serviced incorrectly, without the contents first being erased
(c) Employee browsing - accessing or disclosing personal information without authorisation
(d) Document theft - taken from recycling or rubbish bins
(e) Information given to the wrong person - information sent to the wrong physical or email address
(f) Fraudsters - releasing personal information to a person pretending to be someone else
Appendix 5
Accessing Personal Information
Subject to certain grounds for refusal set out in the Act, an individual has the right to access personal information held about them if that personal information is held in a way that it can be readily retrieved. This can be done by emailing [email protected]. Provision of such information is subject to some statutory exceptions. Before this right is exercised, SMC will need evidence to confirm that a requestor is the individual to whom the personal information relates. Please quote your name and any ID number you are associated with, providing an outline of what information you require. In some limited circumstances there may be a charge for providing copies of personal information. If so, SMC will advise of any such charge prior to sending such information.
Refusal to Supply Requested Information
(a) SMC will not be able to provide personal information if the school does not know or doesn’t have reasonable grounds to believe it is personal information about the person requesting such information, or if disclosing the information would involve the unwarranted disclosure of the affairs of another individual.
(b) Correction or amendment of the information held by SMC can be requested at any time by emailing [email protected] and specifying the information that should be changed. If it is reasonable in the circumstances to do so, SMC will make the requested change or correction, otherwise SMC will take reasonable steps to mark that information as having been subject to a change or correction request.
Appendix 6
Oranga Tamariki Privacy (Child’s Individual Information)
(a) This is summarised guidance on information in the Oranga Tamariki Act relating specifically to privacy in the sharing of information. (Tamariki refers to children and young people under 18 years of age.)
(b) Information must be shared with Oranga Tamariki or the New Zealand Police if they request it under section 66, unless it is legally privileged.
(c) Legal privilege means any communication between a professional legal adviser and their clients which can’t be disclosed without the permission of the client.
What Kind of Information is Relevant?
(a) The Oranga Tamariki Act itself talks about making sure information is relevant to, or related to the wellbeing or safety of tamariki. There are some requirements of the Privacy Act about sharing information that also apply alongside the Oranga Tamariki Act.
(b) A requestor or provider must make sure the information is:
(i) Relevant to, or related to, addressing or supporting the safety or wellbeing of tamariki (the information sharing provision requires this)
(ii) The information is as accurate as possible and not misleading (the Privacy Act requires this), so be clear what’s fact, what’s a person’s professional view, what is someone else’s point of view and what is a worry or concern that hasn’t been confirmed yet.
(iii) The information is as complete as possible (the Privacy Act requires this) for example including contextual information to help with understanding. However, balance this with only sharing the minimum necessary to achieve the purpose of sharing.
(iv) The information is as up to date as possible (the Privacy Act requires this); this can include historical or past information if it helps to understand the current concerns or worries.
Follow the Requirements of the Privacy Act
(a) Section 66Q of the Oranga Tamariki Act explains that many of the principles of the Privacy Act still apply when sharing information using the Oranga Tamariki provisions:
(i) Making sure information is accurate, up to date and as complete as possible
(ii) Keeping information safe and secure and protecting it from misuse
(iii) Only collecting information for a lawful purpose
(iv) Providing people with the chance to access their information
(v) Providing people with the chance to ask for their information to be corrected if they think it is wrong
(vi) Only keeping information for as long as required for the purpose it was collected
(b) The Oranga Tamariki Act and the Family Violence Act go beyond the Privacy Act in some circumstances, but other parts of the Privacy Act still apply. The Privacy Act has twelve principles (see below) agencies must follow when collecting, storing, using or disclosing personal information. While any sharing of information under the Oranga Tamariki Act or Family Violence Act is not restricted by the limits on disclosure of personal information in the Privacy Act, the other requirements in the Privacy Act (such as storage) still apply.
(c) There are other pieces of legislation that may require or allow sharing of information, for example section 22C of the Health Act 1956.
Appendix 7
Key Principles of the Privacy Act
SMC follows the 12 principles of the Privacy Act below, in very general terms, to the following effect:
Principle 1
Purpose of Collection
Only collect information when you need it for a lawful purpose connected with your agency
Principle 2
Source of Information
Obtain the information directly from the person concerned if possible
Principle 3
Collection of Information: What to Tell an Individual
Tell the person what you are doing and why you are collecting the information
Principle 4
Manner of Collection
Do not use unfair or unreasonably intrusive means of collecting the information
Principle 5
Storage and Security
Take care of the information once you have obtained it.
Principle 6
Access
The person can ask to see the information (under some circumstances there can be refusal)
Principle 7
Correction
The person can ask to correct the information
Principle 8
Accuracy
Make sure the information is accurate before you use (process) it.
Principle 9
Retention
Dispose of the information once you no longer need it.
Principle 10
Limits on Use
Only use the information for the purpose for which it was obtained.
Principle 11
Limits on Disclosure
Only disclose information if it was the reason for which you obtained it.
Principle 12
Unique Identifiers
Only use unique identifiers in place of the person’s name where necessary