Privacy Management Plan
Acknowledgement: The NSW Education Standards Authority (NESA) acknowledges the use of the Privacy Management Plan provided by the Information and Privacy Commission NSW (IPC) in the development of this policy.
- About the NSW Education Standards Authority
- Who are we?
- Why we have a Privacy Management Plan
- What this plan covers
- When will we review this plan?
- What personal information does NESA collect?
- How do we manage personal information?
- About the privacy laws
- The Privacy and Personal Information Protection Act 1998 (PPIP Act) and personal information
- The Health Records and Information Privacy Act 2002 (HRIP Act) and health information
- Other laws that affect how we comply with the IPPs and HPPs
- How to access and amend personal and health information
- Formal request
- Reviews, complaints and investigations
- What do I do if I believe my privacy has been breached?
- What does an internal review involve?
- How will I be informed of the outcome of an internal review?
- Staff, contractors and visitors
- Promoting the plan
- Executive and governance
- NESA staff
- Public awareness
- Contact details
- Access and Privacy Officer
- Information and Privacy Commission NSW
This plan explains how NESA manages personal and health information.
NESA replaced the Board of Studies, Teaching and Educational Standards NSW (BOSTES) on 1 January 2017.
NESA has an increased focus on:
- developing evidence-based policy to improve student achievement and support teachers
- risk-based monitoring of Teacher Accreditation Authorities and schools.
NESA will set and monitor quality teaching, learning, assessment and school standards. This includes responsibility, across NSW public, Catholic and independent schools for:
- Kindergarten to Year 12 curriculum
- accreditation of teachers and teaching degrees
- the internationally recognised HSC
- school registration and home schooling.
NESA is a NSW Government agency, under the NSW Education Standards Authority Act 2013.
NESA’s functions are conferred by the education and teaching legislation:
- NSW Education Standards Authority Act 2013
- Education Act 1990
- Teacher Accreditation Act 2004, including regulations and other instruments made under those Acts.
In particular, NESA has functions in relation to:
- the school curriculum for primary and secondary school children
- the approval of initial and continuing teacher education courses and programs that are relevant to the accreditation of persons under the Teacher Accreditation Act 2004
- the accreditation of teachers and the monitoring of the accreditation process across all schools and early childhood education centres under that Act
- basic skills testing
- the granting of Records of School Achievement and Higher School Certificates
- the registration and accreditation of schools
- the approval of providers of courses at schools to overseas students
- the development, content and application of professional teaching standards
- reporting and advising on matters relating to NESA’s functions.
NESA is subject to the control and direction of the NSW Minister for Education in the exercise of its functions, except in relation to:
- the contents of any advice, report or recommendations it makes to the Minister or any other person or body, or
- its functions under Part 8 of the Education Act 1990.
Why we have a Privacy Management Plan
NESA has a privacy management plan because we want our stakeholders and staff to know how NESA manages personal information. NESA is required to have a plan under s33 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
This plan explains how NESA manages personal information in line with the PPIP Act and health information under the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act).
This plan shows how NESA will manage personal or health information when our stakeholders give it to us. It also explains who a person can contact when they have questions about personal or health information NESA holds, and what they can do if they think NESA may have breached the PPIP Act or the HRIP Act.
We also use this plan to train our staff about how to deal with personal and health information. This helps to ensure that NESA complies with the PPIP Act and the HRIP Act.
What this plan covers
Section 33(2) of the PPIP Act sets out the requirements of this plan.
This plan must include:
- information about how NESA develops policies and practices in line with the PPIP Act and the HRIP Act
- how NESA trains staff in these policies and practices
- our internal review procedures
- anything else that NESA considers relevant to the plan in relation to privacy and the personal and health information we hold.
When will we review this plan?
NESA will review this plan every 12 months, or earlier if any legislative, administrative or systemic changes affect how NESA needs to manage personal and health information.
What personal information do we collect?
NESA deals with personal and health information as follows:
Financial information – timely payment of salaries for the examination presiding officers and supervisors, examination markers and seasonal clerical staff involved in the HSC program.
Personnel records (office staff) – are maintained by the Human Resources Unit in paper file and electronic format. The information recorded in these files includes: name, address and next of kin details, bank account details, tax file number, and Equal Employment Opportunity information (provision of which is voluntary). All personal information is collected from employees or, where it is provided by another organisation for entitlement purposes, has been authorised by the officer.
Personnel records (casual staff) – for seasonal clerical staff, examination markers, presiding officers and supervisors and committee members, these include name and address details, bank account details and tax file numbers. The applicants provide all information. Applications for membership on committees or as examiners/markers require the endorsement of the school principal/director. Applicants are aware of this requirement, and that NESA will not accept the application without such endorsement. The original application form is retained, as is an electronic record.
School and student records – Most student records are submitted online by schools, thus negating the need to retain paper records within NESA for those students. Schools submitting information online retain the paper records. All data is held on NESA’s exam system in electronic form. Information held includes name, home address and telephone numbers, date of birth, school attended, and ethnicity and disability data. HSC students must provide a photograph of themselves. Assessment data and examination mark data are added to the record.
Data in relation to HSC, Year 11, School Certificate and Record of School Achievement (RoSA) candidates is retained indefinitely.
Examination candidate details and results are disclosed to:
- the student
- the school principal
- the NSW Department of Education
- the Catholic Education Office (results of affiliated schools)
- Universities Admissions Centre
- Technical Committee on Scaling
- The Association of Independent Schools (results of affiliated schools).
Replacement certificates – candidates are able to apply for a replacement certificate at any time on a fee-for-service basis. Data such as personal details and credit card information in relation to the replacement of credentials is retained until the authorised destruction date.
Student photographs – photographs of students are also made available to presiding officers by schools for the identification of students during HSC written exams. These are returned to the school at the end of this period each year.
Images of staff and visitors to NESA premises – Overt Closed Circuit Television (CCTV) is installed in the public areas at NESA. The cameras are visible and the public is notified of the use of CCTV through prominent signage. The cameras record 24 hours a day seven days a week. A monitor displaying images from the cameras is located in the control room. The cameras were installed in compliance with the code of practice for the Use of Overt Video Surveillance in the Workplace.
Non-government school records – the registration and accreditation details of non-government schools and teachers, school providers with overseas students, and home-schooled students are maintained by NESA including:
- details of the qualifications and experience of teaching staff of non-government schools
- student details such as home address, guardian and visa details for students from overseas undertaking courses with an approved school provider
- details of applicants and children registered for home schooling, including home address and, if relevant, details of court orders and medical information
- details of complainants about non-government schools, registration systems, approved school providers and home schoolers.
How do we manage personal information?
Information is held in electronic and hard-copy form and managed according to the ISO 27001 Information Security Management Standard. Security and confidentiality of all information is maintained, and hard copy files are held in locked cabinets. Access to information is limited to particular staff members. All records are captured electronically into the official record-keeping system and hard copies are maintained. Security of information is in accordance with the NESA Security of Electronic Information Systems Policy.
About the privacy laws
This section contains a general summary of how NESA must manage personal and health information under the PPIP Act, the HRIP Act and other relevant laws. For more information, please refer directly to the relevant law or visit/contact the Information and Privacy Commission.
The PPIP Act and personal information
The PPIP Act sets out how we must manage personal information.
Personal information is defined in s4 of the PPIP Act and is essentially any information or opinions about a person where that person’s identity is apparent or can be reasonably ascertained. Personal information can include a person’s name, address, family life, sexual preference, financial information, fingerprints and photos.
There are some kinds of information that are not personal information, for example information about:
- someone who has been dead for more than 30 years
- someone, where that information is contained in a publicly available publication
- information or an opinion about a person’s suitability for employment as a public sector official.
Health information is generally excluded here as it is covered by the HRIP Act.
Information Protection Principles
Part 2, Division 1 of the PPIP Act contains 12 Information Protection Principles (IPPs) with which NESA must comply. Here is an overview of them as they apply to us:
Principle 1 – Lawful
Only collect personal information for a lawful purpose, which is directly related to NESA’s activities and necessary for that purpose.
Principle 2 – Direct
Only collect personal information directly from the person concerned, unless it is unreasonable or impracticable to do so.
Principle 3 – Open
Inform the person why you are collecting personal information, what you will do with it and who else might see it. Tell the person how they can view and correct their personal information and any consequences that may apply if they decide not to provide their information to you.
Principle 4 – Relevant
Ensure that the personal information is relevant, accurate, not excessive and up-to-date and that the collection does not unreasonably intrude into the personal affairs of the individual.
Principle 5 – Secure
Store personal information securely. Keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.
Access and accuracy
Principle 6 – Transparent
Explain to the person what personal information about them is being stored, why it is being used and any rights they have to access it.
Principle 7 – Accessible
Allow people to access their personal information without unreasonable delay or expense.
Principle 8 – Correct
Allow people to update, correct or amend their personal information where necessary.
Principle 9 – Accurate
Make sure that the personal information is relevant and accurate before using it.
Principle 10 – Limited
Only use personal information if the person has given their consent or if they were informed at the time of collection.
Principle 11 – Restricted
Only disclose personal information with a person’s consent or if the person was told at the time that it would be disclosed. Personal information can be used without a person’s consent in order to deal with a serious and imminent threat to any person’s health or safety.
Principle 12 – Safeguarded
An agency cannot disclose sensitive personal information without a person’s consent, for example information about their ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities or trade union membership. It can only disclose sensitive information without consent in order to deal with a serious and imminent threat to any person’s health or safety.
Exemptions to the IPPs
If a public sector agency believes that the Information Protection Principles are unworkable in a particular circumstance, it can either make a Privacy Code of Practice or seek an exemption from, or modification to, the principle from the Privacy Commissioner.
Privacy Codes of Practice allow an agency to modify one or more of the information protection principles. Codes of Practice can be made in relation to one of three things:
- a particular type of personal information (s29(5)(a))
- a particular organisation or type of organisation (s29(5)(b))
- a type of activity (s29(5)(c)).
A Privacy Code of Practice can change or delete any of the information protection principles but it cannot change or delete any of the exceptions to the principles, nor can it increase the level of privacy protection above that of the information protection principles.
Offences can be found in s62–66 of the PPIP Act. It is an offence for NESA to:
- intentionally disclose or use personal information accessed in doing our jobs for an unauthorised purpose
- offer to supply personal information that has been disclosed unlawfully
- hinder the Privacy Commissioner or a member of staff from doing their job.
The HRIP Act and Health Information
The HRIP Act sets out how NESA must manage health information.
Health information is a more specific type of personal information and is defined in s6 of the HRIP Act. Health information can include information about a person’s physical or mental health such as a psychological report, blood tests or an X-ray, or even information about a person’s medical appointment. It can also include some personal information that is collected to provide a health service, such as a name and contact number on a medical record.
Health Privacy Principles
Schedule 1 to the HRIP Act contains 15 Health Privacy Principles (HPPs) that we must comply with. Here is an overview of them as they apply to us:
Principle 1 – Lawful
An agency or organisation can only collect your health information for a lawful purpose. It must also be directly related to the agency or organisation’s activities and necessary for that purpose.
Principle 2 – Relevant
An agency or organisation must ensure that your health information is relevant, accurate, up-to-date and not excessive. The collection should not unreasonably intrude into your personal affairs.
Principle 3 – Direct
An agency or organisation must collect your health information directly from you, unless it is unreasonable or impracticable to do so.
Principle 4 – Open
An agency or organisation must inform you of why your health information is being collected, what will be done with it and who else might access it. You must also be told how you can access and correct your health information and any consequences if you decide not to provide it.
Principle 5 – Secure
An agency or organisation must store your personal information securely, keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.
Access and accuracy
Principle 6 – Transparent
An agency or organisation must provide you with details regarding the health information they are storing, why they are storing it and what rights you have to access it.
Principle 7 – Accessible
An agency or organisation must allow you to access your health information without unreasonable delay or expense.
Principle 8 – Correct
An agency or organisation must allow you to update, correct or amend your health information where necessary.
Principle 9 – Accurate
An agency or organisation must make sure that your health information is relevant and accurate before using it.
Principle 10 – Limited
An agency or organisation can only use your health information for the purpose for which it was collected, or a directly related purpose that you would expect (unless one of the exemptions in HPP 10 applies). Otherwise separate consent is required.
Principle 11 – Restricted
An agency or organisation can only disclose your health information for the purpose for which it was collected or a directly related purpose that you would expect (unless one of the exemptions in HPP 11 applies). Otherwise separate consent is required.
Identifiers and anonymity
Principle 12 – Not identified
An agency or organisation can only give you an identification number if it is reasonably necessary to carry out their functions efficiently.
Principle 13 – Anonymous
You are entitled to receive health services anonymously, where this is lawful and practicable.
Transferrals and linkage
Principle 14 – Controlled
Your health information can only be transferred outside NSW in accordance with HPP 14.
Principle 15 – Authorised
Your health information can only be included in a system to link health records across more than one agency or organisation if you have consented.
Exemptions to the HPPs
Exemptions are located mainly in Schedule 1 to the HRIP Act, and may allow NESA not to comply with the HPPs in certain situations.
Health privacy codes of practice and public interest directions can modify the HPPs for any NSW public sector agency. All of these are available on the Privacy Commissioner’s website.
Offences can be found in s68–70 of the HRIP Act. It is an offence for NESA to:
- intentionally disclose or use health information accessed in doing our jobs for any purpose other than one we are authorised to
- offer to supply health information that has been disclosed unlawfully
- attempt to dissuade a person from making or pursuing a request for health information, a complaint to the Privacy Commissioner or an internal review under the PPIP Act.
Other laws that influence compliance with the IPPs and HPPs
This section contains information about the main laws that affect how NESA complies with the IPPs and HPPs.
- Education Act 1990 and regulations
- Government Information (Public Access) Act 2009
- Crimes Act 1900
- ICAC Act 1988
- Public Interest Disclosures Act 1994
- State Records Act 1998 and regulations.
The following policies and procedures support compliance with the Act:
- NSW Government Personnel Handbook issued by the Public Service Commission.
- Privacy Code of Practice for the NSW Public Sector Workforce Profile, Department of Premier and Cabinet.
- State Records Authority of NSW, Government Recordkeeping Manual.
- NESA Code of Conduct and Ethics establishes standards of professional behaviour expected of staff of NESA. The code was developed to assist all officers in clarifying their professional and ethical responsibilities in executing their duties, thereby encouraging public confidence in the work of NESA.
- Use of NESA Communications Devices Policy, which sets out the principles underpinning the use of NESA communication devices. The policy covers the responsibilities of all staff in relation to economy, personal use, record keeping, security and privacy, and unlawful use.
- Records Management Policy provides a basis for the effective management of the records generated by NESA, which in turn are assets of NSW. The policy is designed to inform staff about their responsibilities in relation to the creation, control, management, preservation and disposal of official records in all mediums.
- Security of Electronic Information Systems Policy. NESA holds a considerable amount of data in its various computer systems, much of which is confidential and sensitive. This policy, and its accompanying procedures and materials, address all aspects of security relating to NESA’s systems. It sets out the principles held by NESA regarding security, identifies responsibilities of staff, and outlines NESA’s procedures in a wide range of areas.
How to access and amend personal and health information
People have the right to access personal and health information NESA holds about them.
NESA encourages people wanting to access or amend their own personal or health information to contact the staff member or team managing their information. NESA aims to respond to informal requests within five working days and will tell the person how long the request is likely to take, particularly if it may take longer than first expected.
People also have a right to make a formal application to access or amend personal or health information. A person does not need to ask informally before making a formal application, and a person can make a formal application if they have already asked informally.
A person can make a formal application to the Access and Privacy Officer by email, fax or post. The application should:
- include the person’s name and contact details (postal address, telephone number and email address if applicable)
- state whether the person is making the application under the PPIP Act (personal information) or the HRIP Act (health information)
- explain what personal or health information the person wants to access or amend
- explain how the person wants to access or amend the information.
NESA aims to respond in writing to formal applications within 20 working days. NESA will contact the person to advise how long the request is likely to take, particularly if it may take longer than expected.
If a person thinks NESA is taking an unreasonable amount of time to respond to an application, they have the right to seek an internal review. Before seeking an internal review, NESA encourages people to contact our office to ask for an update or timeframe.
Reviews, complaints and investigations
What do I do if I believe my privacy has been breached?
If an individual has a complaint about the conduct of NESA or a member of its staff in relation to the collection, storage, use or disclosure of personal or health information, a written request should be sent to NESA so that an internal review can be undertaken.
Under section 53 (3) of the Privacy and Personal Information Protection Act, an application for an internal review must:
- be in writing
- be addressed to NESA
- specify an address in Australia to which a notice can be sent
- be lodged with NESA within six (6) months (or such later date as NESA may allow) from the time the applicant first became aware of the conduct of the subject of the application; and
- comply with such other requirements as may be prescribed by the regulations to the Act.
What does an internal review involve?
An application for an internal review will be dealt with by an officer authorised by delegation in the NESA Administrative and Financial Delegations Manual. This officer would not have been substantially involved in the matter that is the subject of the application.
The review will be completed as soon as is reasonably practicable in the circumstances and within 60 days from the day on which the application was received.
As a result of the review NESA may:
- take no further action on the matter; or
- make a formal apology to the applicant; and/or
- take such remedial action as thought appropriate; and/or
- provide undertakings that the conduct will not occur again; and/or
- implement administrative measures to ensure that the conduct will not occur again.
NESA is required to:
- notify the NSW Privacy Commissioner of an application for an internal review
- provide reports to the Privacy Commissioner on the progress of the internal review
- inform the Privacy Commissioner of the findings of the review and of the action taken by NESA in relation to the matter.
If requested by NESA, the Privacy Commissioner may undertake the review.
How will I be informed of the outcome of an internal review?
NESA will acknowledge receipt of an internal review application within five working days, write to the applicant within 14 days of completing the review and advise the applicant of:
- the findings of the review and the reasons for those findings
- action proposed to be taken and the reasons for taking that action, and
- the right of the applicant to have the findings, and NESA’s proposed action, reviewed by the NSW Civil and Administrative Tribunal.
Staff, contractors and visitors
When people apply for jobs at NESA they need to send us personal information such as their names, contact details and work history. Our Human Resources Unit gives this information to the convenor of the panel for that particular position (stated on the job advertisement) in electronic or physical files.
The convenor of the panel does not disclose this personal information to anyone in NESA except for business support. Convenors store this information securely. The convenor does not disclose the information to anyone outside NESA except for other panel members.
After recruitment is finalised, convenors give all personal information back to the Human Resources Unit. They retain information relating to successful applicants and eligibility lists for 12 months. Unsuccessful applications are destroyed as per General Retention and Disposal Authorities.
Successful applicants are invited to fill out various forms to commence employment with NESA with further personal information such as bank account details, tax file number, emergency contacts and any disabilities that may affect their work.
These forms also encourage people to provide sensitive personal information such as racial and cultural information for statistics about the wider NSW public sector. These items are voluntary.
These forms are kept with the Human Resources Unit and are used for employment purposes such as payroll and personnel files.
At times NESA collects and manages personal and health information such as:
- medical conditions and illnesses
- next of kin
- family and care arrangements
- secondary employment
- conflicts of interest.
NESA collects this information for various reasons such as leave management, workplace health and safety, and to operate with integrity. NESA does not ask for more personal information than is actually required. We advise staff when collection is voluntary or mandatory, and of any possible consequence of not providing it to NESA.
NESA does not disclose this information to anyone else without consent.
NESA may use the services of contractors to provide services to or for our office. If they will have or are likely to have access to personal information we make sure that they manage personal and health information in line with the IPPs and HPPs and information security policies.
NESA uses a visitor’s book to record the names of people who enter our office beyond public areas. This book is displayed in our reception area on Level 4. We collect this information for workplace health and safety purposes.
Promoting the plan
Executive and governance
The senior executive team is committed to transparency about how NESA complies with the PPIP Act and the HRIP Act. The senior executive team reinforces transparency and compliance with the PPIP Act and the HRIP Act by:
- endorsing the plan and making it publicly available
- reporting on privacy issues in our Annual Report in line with the Annual Reports (Departments) Act 1985 (NSW)
- confirming support for privacy compliance in the strategic plan and code of conduct
- identifying privacy issues when implementing new systems.
NESA makes sure that staff are aware of and understand this plan, particularly how it applies to the work they do. This plan has been written so that staff can understand their privacy obligations, how to manage personal and health information in their work and what to do if unsure.
NESA makes our staff aware of their privacy obligations by:
- publishing the plan on our website
- including the plan in induction training and offering training quarterly or as required
- highlighting the plan at least once a year, for example during Privacy Awareness Week.
When staff have questions about how to manage personal and health information and this plan does not directly answer them, they should consult their manager or the Access and Privacy Officer.
This plan is a guarantee of service to our stakeholders of how NESA manages personal and health information. Because it is central to how we do business, NESA will make this plan easy to access and easy to understand for people from all kinds of backgrounds. NESA is required to make this plan publicly available as open access information under the GIPA Act.
Access and Privacy Officer
Mail: NSW Education Standards Authority, GPO Box 5300, Sydney NSW 2001
Phone: (02) 9367 8111
Visit: Level 4, 117 Clarence Street, Sydney NSW 2000
Information and Privacy Commission NSW
Mail: GPO Box 7011, Sydney NSW 2001
Phone: 1800 472 679