Privacy Policy

Campion College's functions necessitate the collection and use of personal information about its students, staff and other clients. Campion recognises that, in collecting, storing, and using this information, it has obligations for the protection of personal privacy.

1. General principles and responsibilities for privacy
   Campion College recognises that staff and students, both past and present, and other clients and individuals having links to the College, have a legitimate expectation that the College will protect and appropriately manage the personal information it collects and holds about them.
   
   It is the responsibility of all staff to respect personal privacy in so far as they collect, access or use personal information in the course of their duties, and to comply with the specific requirements of this policy. The Registrar has general responsibility for privacy management.
   
   
2. Definition of personal information
   This policy applies to "personal information". This is defined as any information or opinion, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. For the purposes of this definition, information includes unique identifiers such as student/staff numbers, tax file numbers, photographs and images, and extends to information in any format. Where data is recorded in a way which does not link it to a known individual, then the privacy principles do not apply.
   
   
3. Collection of personal information
   Personal information should only be collected by the College for inclusion in its records or publications where:
   
   • it is collected for a lawful purpose relating to a function or activity of the College;
   • the information is relevant to the purpose of collection; and
   • the information is as up-to-date and complete as can reasonably be expected.
     
   The College will not collect personal information by unlawful, unfair or intrusive means.
   
   
4. Access to personal information records
   A significant means of protecting personal privacy within the College is by ensuring that individual staff access personal information records (whether in physical files or computerised formats) only where there is a legitimate need to do so, and only to the extent required to perform the staff member's duties.
   
   Management of access to personal information records is a responsibility of the College Executive. Access to personal information in information systems should be granted on the "least privilege principle", so that rights to modify personal information are granted with particular care. Systems and processes should be in place to revoke access that is no longer required, for example, in the case of a change in position or formal responsibilities or termination of employment.
   
   
5. Security of personal information
   The College has a responsibility to implement procedures to protect the security of personal information, to prevent loss and unauthorised access, use, modification, disclosure or any other misuse of such information. Care must be taken to ensure secure and confidential destruction of records containing personal information.
   All staff must take responsibility for IT security, as this is an integral means of protecting personal privacy. Individual user responsibilities relating to security are outlined in the Policy on Acceptable Use of Information Technology Facilities.
   
   Personal information records held in physical files must be secured. Care should be taken by all staff handling physical files to ensure that storage facilities are locked when not in use and that work areas are also adequately secured.
   
   
6. Use of personal information records
   Personal information should only be used in circumstances where it is relevant, and provided that it is used only for the purpose for which it has been collected or a directly related purpose.
   
   
7. Prohibition on disclosure of personal information
   Disclosure refers to release of personal information out of the effective control of the College (i.e. to a body, agency or person separate from the College). Staff must not disclose personal information outside the College except as specified in this policy.
   
   
8. Exceptions relating to disclosure of personal information
   Consent
   Personal information may be disclosed where the individual concerned has consented to that disclosure. Consent must be expressly given and it is expected that the consent will be given in writing. In limited circumstances, verbal consent may be acceptable if it is verifiable and the disclosure is clearly in the best interests of the individual.
   
   Previous provision of a privacy notice
   Personal information may be disclosed where individuals have been informed of the usual practices for disclosure.
   
   Other situations
   Disclosure of personal information may also be permitted where:
• disclosure is necessary to prevent or lessen an imminent and serious threat to a person's life or health;
• disclosure is required by law (for example, requirements to provide information to the ATO or DEST);
• disclosure is necessary for enforcement of criminal or other laws imposing penalties such as fines.
  
  
9. Register of graduates
   Privacy principles do not apply to material which is maintained on a public register, which includes the register of graduates. A graduate's name, the degree conferred and the date of conferral is available to any member of the public upon formal request in writing.
   
   
10. Access to and amendment of an individual's own record
    An individual is generally entitled to have access to the personal information which the College holds about them, and to amend it where it is inaccurate, incomplete, out-of-date or misleading.