Nature's Atelier Community School
Nature's Atelier Community School will manage personal information with openness and transparency by ensuring all data collection is strictly necessary for its educational functions. In accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles, the School commits to rigorous data security measures to protect the community's sensitive information from unauthorised access or misuse.
The purpose of this policy is to outline the framework through which Nature's Atelier Community School manages personal information that is provided to or collected by the institution. The School is strictly bound by the Australian Privacy Principles (APPs) as set out in the Privacy Act 1988 (Cth). In relation to the management of health records, the School also adheres to all relevant State legislation to ensure medical data is handled with the highest degree of sensitivity. We are committed to protecting the privacy of our community while ensuring we remain able to perform our essential functions and activities as an educational institution.
This policy applies to all personal information collected by the School from various stakeholders including students and parents or guardians before, during, and after the course of a student's enrolment. The scope also extends to job applicants, current staff members, volunteers, and contractors engaged by the School. Additionally, this policy covers any other individuals who may come into contact with the School through its administrative or educational operations.
The School is committed to managing personal information in an open and transparent way to ensure the community understands how their data is utilised. We only collect personal information that is reasonably necessary for, or directly related to, the School's primary functions and educational activities. Management takes all reasonable steps to protect the personal information held by the School from misuse, interference, loss, and unauthorised access or disclosure. Where it is lawful and practicable to do so, individuals have the option of not identifying themselves or using a pseudonym when dealing with the School.
Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable, regardless of whether the information is true or recorded in a material form.
Sensitive Information: A subset of personal information that includes information about an individual's racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record.
Health Information: Information or an opinion about the health or a disability of an individual, or an individual's expressed wishes about the future provision of health services.
Australian Privacy Principles (APPs): The thirteen statutory principles that govern the standards, rights, and obligations for the handling of personal information by most Australian Government agencies and private sector organisations.
The School collects personal and sensitive information as a necessary requirement to provide schooling, discharge its primary duty of care, and satisfy various legal obligations. This information typically includes names, contact details, medical history, and religious beliefs. Under recent legislative reforms, the School is now required to identify and treat "high risk" data processing activities through mandatory Privacy Impact Assessments (PIAs) to proactively mitigate potential harm to individuals.
The School prioritises the best interests of children as a primary consideration when handling personal data and selecting online service providers. We ensure that all online platforms and applications are configured to high-privacy settings by default and require evidence from vendors that their data processing is not driven by commercial or financial objectives. In accordance with strict data minimisation requirements, the School only collects the minimum personal information necessary for educational purposes and avoids the default collection of data wherever possible. Furthermore, the School ensures that children's data is not utilised for secondary purposes such as targeted advertising, profiling, product marketing, or unrelated analytics.
The School ensures that all collection of personal information is fair and reasonable in the circumstances, regardless of whether consent has been obtained from the individual. Information is generally collected through formal application and enrolment forms, face-to-face interviews, and telephone communications. Management adopts a "Privacy by Design" approach, embedding privacy considerations and data protection measures into all new administrative systems and educational technologies from the outset.
The primary purpose for which the School uses personal information is to enable students to participate fully in all educational and extracurricular activities. This involves the routine use of data for daily administration, student wellbeing, and communication with families to ensure the student's learning is supported. Under the legislative reforms effective through 2026, every act of disclosure must satisfy the "Fair and Reasonable" test, ensuring that any data sharing is proportionate to the benefit provided to the student and aligns with community expectations.
The School treats geolocation tracking as a high-risk area and considers such tracking unnecessary unless it is absolutely essential for the specific functioning of an authorised educational service. We take active steps to ensure that any tracking conducted via online service providers is transparent, minimised, and proportionate. Students maintain the right to be notified whenever geolocation tracking occurs, irrespective of whether parental consent has been previously obtained.
Disclosure of personal information may occur to various government departments and authorities, such as ACARA, to satisfy mandatory reporting and funding requirements. In the interest of health and safety, the School may also disclose relevant information to medical practitioners or health services to ensure students receive appropriate care. The School will not disclose personal information to overseas recipients unless the recipient is subject to a law or binding scheme that provides substantially similar protection to the Australian Privacy Principles.
The School may use personal information for marketing and fundraising purposes specifically to further the School's interests and support its educational mission. However, in accordance with the 2024-2026 privacy reforms, individuals now have an absolute and unqualified right to "opt-out" of receiving any direct marketing communications at any time.
The School is also committed to ensuring transparency regarding any "automated decision making" processes that could significantly affect an individual's rights, interests, or educational outcomes. Under these new compliance standards, the School will provide clear information about how such automated decisions are made and the types of personal information used in these processes. Furthermore, any data processing involved in marketing or automated systems must satisfy the "fair and reasonable" test to ensure it aligns with the expectations of the School community. Individuals who wish to exercise their right to opt out or who seek further clarification on automated processes should contact the School's Privacy Officer.
The School takes active and systematic steps to protect all personal data from misuse, interference, loss, and unauthorised access, modification, or disclosure. To maintain a high standard of data integrity, staff members are required to adhere to strict internal security protocols, which include the use of complex password requirements and the maintenance of clear desk policies for all physical sensitive information.
In the event that a data breach is suspected or identified, the School will immediately activate its formal Data Breach Response Procedure to contain the incident and assess the risk of harm. Under the mandatory Notifiable Data Breaches scheme, if the School determines that a breach is likely to result in serious harm to any individual, it will notify the Office of the Australian Information Commissioner and all affected individuals as soon as practicable, and no later than 30 days after the assessment. Furthermore, the School maintains comprehensive records of all data breaches to facilitate ongoing security improvements and regulatory audits.
Individuals have a legal right to seek access to the personal information the School holds about them and to advise the School of any perceived inaccuracy. In alignment with recent privacy reforms, individuals may now also request the deletion of their personal information, known as the Right to Erasure, in circumstances where that data is no longer necessary for the School's specific legal or operational requirements. While the School aims to be as open as possible, access may be denied if providing the information would have an unreasonable impact on the privacy of others or relate to existing legal proceedings. All requests for access, correction, or erasure must be made in writing to the Principal.
The School fundamentally respects the right of parents and guardians to make significant decisions concerning their child's education and the management of their personal data. In alignment with the Children's Online Privacy Code, the School requires that consent for data collection be voluntary, informed, specific, and current. While students aged 15 years or older may be determined to have sufficient maturity to provide consent independently, parental or guardian consent is strictly required for any child under the age of 15.
All granted consents are valid for a maximum period of 12 months, after which they must be renewed. To promote transparency and respect student agency, the School will provide alerts to children whenever a parent or guardian provides consent on their behalf. The assessment of a student's capacity to consent independently is made on a case-by-case basis, typically considering students aged 15 or over as having the requisite maturity unless specific reasons suggest otherwise.
Note: Printed copies of this policy/procedure are uncontrolled, and currency can only be assured at the time of printing. This policy/procedure is scheduled for review yearly from the approval date.