Privacy Management Plan

Acknowledgement: The NSW Education Standards Authority (NESA) acknowledges the use of the Privacy Management Plan provided by the Information and Privacy Commission NSW (IPC) in the development of this policy.

Introduction

This plan explains how NESA manages personal and health information.

About NESA

NESA replaced the Board of Studies, Teaching and Educational Standards NSW (BOSTES) on 1 January 2017 and is a NSW Government agency under the Education Standards Authority Act 2013.

NESA has an increased focus on:

  • developing evidence-based policy to improve student achievement and support teachers
  • risk-based monitoring of Teacher Accreditation Authorities and schools.

NESA will set and monitor quality teaching, learning, assessment and school standards. This includes responsibility, across NSW public, Catholic and independent schools, for:

  • Kindergarten to Year 12 curriculum
  • accreditation of teachers and teaching degrees
  • the internationally recognised HSC
  • school registration and home schooling.

What do we do?

NESA’s functions are conferred by the education and teaching legislation.

In particular, NESA has functions in relation to:

  • the school curriculum for primary and secondary school children
  • the approval of initial and continuing teacher education courses and programs that are relevant to the accreditation of persons under the Teacher Accreditation Act 2004
  • the accreditation of teachers and the monitoring of the accreditation process across all schools and early childhood education centres under that Act
  • basic skills testing
  • the granting of Records of School Achievement and Higher School Certificates
  • the registration and accreditation of schools
  • the approval of providers of courses at schools to overseas students
  • the development, content and application of professional teaching standards
  • reporting and advising on matters relating to NESA’s functions.

NESA is subject to the control and direction of the NSW Minister for Education in the exercise of its functions, except in relation to:

  1. the contents of any advice, report or recommendations it makes to the Minister or any other person or body, or
  2. its functions under Part 8 of the Education Act 1990.

Who are our stakeholders?

  • The Minister for Education
  • NESA Board and its committees
  • Schools
  • Teachers
  • Students
  • Parents
  • Tertiary education sector
  • Employers
  • Community
  • Staff

NESA also has administrative responsibility for the Australian Music Examination Board of New South Wales (AMEB NSW) and provides corporate services support to the NSW Aboriginal Education Consultative Group Inc.

Further information about NESA and its key functions is available in the latest NESA Annual Report.

Why we have a Privacy Management Plan

NESA has a privacy management plan because we want our stakeholders and staff to know how we manage personal information. NESA is required to have a plan under s33 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).

This plan explains how NESA manages personal information in line with the PPIP Act, and health information under the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act), when our stakeholders give it to us. This plan also explains who a person can contact when they have questions about personal or health information NESA holds, and what they can do if they think NESA may have breached the PPIP Act or the HRIP Act. We also use this plan to train our staff about how to deal with personal and health information. This helps to ensure that NESA complies with the PPIP Act and the HRIP Act.

What this plan covers

Section 33(2) of the PPIP Act sets out the requirements of this plan.

This plan must include information about:

  • NESA’s policies and practices to ensure compliance with the PPIP Act and the HRIP Act
  • how NESA promotes these policies and practices
  • NESA’s internal review procedures
  • anything else that NESA considers relevant to privacy and the personal and health information we hold.

When will we review this plan?

NESA will review this plan every 12 months, or earlier if any legislative, administrative or systemic changes affect how NESA needs to manage personal and health information.

What personal information do we collect?

NESA collects the following personal or health information related to our functions.

Student records

Personal information is collected for NESA’s functions in relation to granting Records of School Achievement and Higher School Certificates and in relation to basic skills testing.

Records of School Achievement and Higher School Certificates - Most student records are submitted online by schools, thus negating the need to retain paper records within NESA for those students. Schools submitting information online retain the paper records. Student information is held on NESA’s exam system in electronic form and includes name, home address and telephone numbers, date of birth, school attended, and ethnicity and disability data. HSC students must provide a photograph of themselves, which is used for the identification of students during exams. Assessment data and examination mark data are added to the record. Data in relation to HSC, Year 11, School Certificate and Record of School Achievement (RoSA) candidates is retained indefinitely.

Examination candidate details and results are disclosed to:

  • the student
  • the school principal
  • the NSW Department of Education
  • the Catholic Education Office (results of affiliated schools)
  • Universities Admissions Centre
  • Technical Committee on Scaling
  • the Association of Independent Schools (results of affiliated schools).

Replacement certificates – candidates are able to apply for a replacement certificate at any time on a fee-for-service basis. Data such as personal details and credit card information in relation to the replacement of credentials is retained until the authorised destruction date.

Basic skills testing - NESA is the National Assessment Program – Literacy and Numeracy (NAPLAN) Test Administration Authority (TAA) for all NSW schools and school sectors.  To fulfil our responsibilities as TAA for NSW, we collect the names and a range of other background information on all Year 3, 5, 7 and 9 students who are eligible to participate in the program.  This information is used for a range of purposes including pre-printing student names on the test booklets and later in the production of parent and school reports for NSW.  

NESA provides NSW student results data to the Australian Curriculum, Assessment and Reporting Authority (ACARA) so that it can prepare national reports related to the outcomes of the NAPLAN tests.  This is authorised by an information sharing arrangement, under section 16 of the Education Standards Authority Act 2013.

Government and Non-government school records

The registration and accreditation details of government and non-government schools and teachers, school providers with overseas students, and home-schooled students are maintained by NESA including:

  • details of the qualifications and experience of teaching staff of schools and early childhood centres
  • records, reports and other documents collected during or arising from school inspections conducted by NESA
  • student details such as home address, guardian and visa details for students from overseas undertaking courses with an approved school provider
  • details of applicants and children registered for home schooling, including home address and, if relevant, details of court orders and medical information
  • details of children for whom registration was refused or an application withdrawn
  • details of complainants about non-government schools, registration systems, approved school providers and home schoolers.

Teacher accreditation

Name, date of birth, contact details, date and level of accreditation, qualifications, details of current employer, employment history, first language (if not English), country of citizenship and country of residency, indigenous status if person consents to inclusion of that information, history of professional development undertaken to maintain accreditation, and if the person is conditionally accredited under section 31(3) of the Teacher Accreditation Act 2004 (Act), details of the proposal by the person to complete a teaching qualification.  We also collect information from teacher employers in order to maintain a roll of teachers as required by the Act.

AMEB (NSW)

AMEB (NSW) collects personal information provided by music teachers, candidates, and examiners which is collected, stored and administered in accordance with the PPIP Act and HRIP Act.  Further information is in the AMEB Privacy Policy.

Images of staff and visitors to NESA premises

Overt Closed Circuit Television (CCTV) is installed in the public areas at NESA, for security purposes. The cameras are visible and the public is notified of the use of CCTV through prominent signage. The cameras record 24 hours a day seven days a week. A monitor displaying images from the cameras is located at the security control desk on level 4. The cameras were installed in compliance with the code of practice for the Use of Overt Video Surveillance in the Workplace.

Visitors’ book

At Reception on level 4, NESA collects each visitor’s name, organisation, contact number, purpose of visit and signature for workplace health and safety and security purposes. 

Human Resources

Personnel records (office staff) – Name, address, contact and next of kin details, bank account details, tax file number, and Equal Employment Opportunity information (provision of which is voluntary) are collected by Human Resources (HR). Records may include medical information, details of family and care arrangements, education, secondary employment and declarations of private interests information. This information is collected for purposes of human resources management, including leave management, workplace health and safety and to ensure that we operate with integrity.

All personal information is collected from employees or, where it is provided by another organisation (for example for entitlement purposes), its collection has been authorised by the officer concerned.

Health information collected in the case of workers’ compensation matters is stored securely, and provided only to our workers compensation insurer or as required by a Court.

Personnel records (casual staff) – including seasonal clerical staff, examination markers, presiding officers and supervisors and committee members. Name, address and contact details, bank account details and tax file number are collected. The applicants provide all information. Applications for membership on committees or as examiners/markers require the endorsement of the school principal/director. Applicants are aware of this requirement, and that NESA will not accept the application without such endorsement. The original application form is retained, as is an electronic record.

Recruitment - Name, contact details and resumés of people who apply for jobs are collected by HR and provided to the convenor of the panel for the position, in electronic or physical files.  The information is not disclosed other than within NESA for business support and to other panel members.  Once recruitment is finalised, the information is returned to HR.  Successful applicants’ information and eligibility lists are retained for 12 months. Unsuccessful applications are destroyed according to General Retention and Disposal Authorities.

How do we manage personal information?

NESA is compliant with the ISO 27001 Information Security Management Standard. Information is managed in electronic form and, in some instances, hard copy. Security of information is in accordance with the NESA Information Security Policy Statement and the NESA Acceptable Use Policy. Access to information is limited to particular staff members according to their role, and hard copy files are kept in locked storage. Our networks are secure and require individual logins. Our staff do not give out passwords or let anyone else use their logins.

On commencement, staff sign a confidentiality agreement with respect to information learned in the course of their job.

About the privacy laws

This section contains a general summary of how NESA must manage personal and health information under the PPIP Act, the HRIP Act and other relevant laws. For more information, please refer directly to the relevant law or visit/contact the Information and Privacy Commission.

The PPIP Act and personal information

The PPIP Act sets out how we must manage personal information.

Personal information is defined in s4 of the PPIP Act and is essentially any information or opinion about a person whose identity is apparent or can be reasonably ascertained from the information or opinion. Personal information can include a person’s name, address, family life, sexual preference, financial information, fingerprints and photos.

There are some kinds of information that are not personal information, for example information about:

  • someone who has been dead for more than 30 years
  • someone, where that information is contained in a publicly available publication
  • a person’s suitability for employment as a public sector official (whether information or an opinion).

Health information is generally excluded here as it is covered by the HRIP Act.

Information Protection Principles

Part 2, Division 1 of the PPIP Act contains 12 Information Protection Principles (IPPs) with which NESA must comply. Here is an overview as they apply to us:

Collection

Principle 1 – Lawful

Only collect personal information for a lawful purpose, which is directly related to NESA’s activities and necessary for that purpose.

Principle 2 – Direct

Only collect personal information directly from the person concerned, unless it is unreasonable or impracticable to do so.

Principle 3 – Open

Inform the person that you are collecting their personal information, why you are collecting it, what you will do with it and who else might see it. Tell the person how they can view and correct their personal information and any consequences that may apply if they decide not to provide their information to you.

Principle 4 – Relevant

Ensure that the personal information is relevant to the purpose for which it is collected and not excessive, that it is accurate and up-to-date, and that the collection does not unreasonably intrude into the personal affairs of the person.

Storage

Principle 5 – Secure

Store personal information securely. Keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.

Access and accuracy

Principle 6 – Transparent

Explain to the person what personal information about them is being stored, why it is being used and any rights they have to access it.

Principle 7 – Accessible

Allow the person to access their personal information without unreasonable delay or expense.

Principle 8 – Correct

Allow the person to update, correct or amend their personal information where necessary.

Use

Principle 9 – Accurate

Make sure that the personal information is relevant and accurate before using it.

Principle 10 – Limited

Only use personal information for a purpose other than that for which it was collected if the person has given their consent, the purpose is directly related to the purpose for which it was collected or if it is necessary to prevent or lessen a serious and imminent threat to any person’s life or health.

Disclosure

Principle 11 – Restricted

Only disclose personal information if disclosure is directly related to the purpose of collection, or the person is reasonably likely to be aware the information is usually disclosed or with the person’s consent. Personal information can be disclosed without a person’s consent if it is necessary to prevent or lessen a serious and imminent threat to any person’s life or health.

Principle 12 – Safeguarded

An agency must not disclose sensitive personal information, for example information about a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities or trade union membership unless it is necessary to prevent a serious and imminent threat to any person’s life or health.

Exemptions to the IPPs

If a public sector agency believes that the Information Protection Principles are unworkable in a particular circumstance, it can either make a Privacy Code of Practice or seek an exemption from, or modification to, the principle from the Privacy Commissioner.

Privacy Codes of Practice allow an agency to modify one or more of the information protection principles and can be made in relation to one of three things:

  • a particular type of personal information (s29(5)(a))
  • a particular organisation or type of organisation (s29(5)(b))
  • a type of activity (s29(5)(c)).

A Privacy Code of Practice can change or delete any of the information protection principles but it cannot change or delete any of the exceptions to the principles, nor can it increase the level of privacy protection above that of the information protection principles.

At this stage, there are no Privacy Codes of Practice in place for NESA.

Offences

Offences can be found in s62–68 of the PPIP Act. It is an offence for NESA staff to:

  • intentionally disclose or use personal information about another person to which the staff member has access in doing their job, for any purpose other than that which is authorised
  • offer to supply personal information that has been disclosed unlawfully
  • hinder the Privacy Commissioner or a member of her staff from doing their job.

The HRIP Act and health information

The HRIP Act sets out how NESA must manage health information.

Health information is a more specific type of personal information and is defined in s6 of the HRIP Act. Health information can include information about a person’s physical or mental health such as a psychological report, blood tests or an X-ray, or information about a person’s medical appointment. It can also include personal information that is collected to provide a health service, such as a name and contact number on a medical record.

Health Privacy Principles

Schedule 1 to the HRIP Act contains 15 Health Privacy Principles (HPPs) that we must comply with. Here is an overview of them as they apply to us:

Collection

Principle 1 – Lawful

Only collect a person’s health information for a lawful purpose, which is directly related to NESA’s activities and necessary for that purpose.

Principle 2 – Relevant

Ensure that the health information collected is relevant, accurate, up-to-date and not excessive and that the collection does not unreasonably intrude into the personal affairs of the individual.

Principle 3 – Direct

Only collect health information directly from the person concerned, unless it is unreasonable or impracticable to do so.

Principle 4 – Open

Inform the person why you are collecting their health information, what will be done with it and who else might access it. Tell the person how they can access and correct their health information and any consequences that may apply if they decide not to provide it.

Storage

Principle 5 – Secure

Store health information securely. Keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.

Access and accuracy

Principle 6 – Transparent

Explain to the person what health information about them is being stored, why it is being stored and any rights they have to access it.

Principle 7 – Accessible

Allow the person to access their health information without unreasonable delay or expense.

Principle 8 – Correct

Allow the person to update, correct or amend their health information where necessary.

Principle 9 – Accurate

Make sure that the health information is relevant and accurate before using it.

Use

Principle 10 – Limited

Only use health information for the purpose for which it was collected, or for a directly related purpose that the person would expect. Otherwise you would generally need their consent to use the health information for a secondary purpose.

Disclosure

Principle 11 – Restricted

Only disclose health information for the purpose for which it was collected or a directly related purpose that a person would expect (unless one of the exemptions in HPP 11 applies). Otherwise you would generally need separate consent.

Identifiers and anonymity

Principle 12 – Not identified

Only identify people by using unique identifiers if it is reasonably necessary to carry out your functions efficiently.

Principle 13 – Anonymous

Give the person the option to receive services from you anonymously, where this is lawful and practicable.

Transferrals and linkage

Principle 14 – Controlled

Only transfer health information outside NSW in accordance with HPP 14.

Principle 15 – Authorised

Only use health records linkage systems (to link health records across more than one agency or organisation) if the person has provided or expressed their consent.

Exemptions to the HPPs

Exemptions are located mainly in Schedule 1 to the HRIP Act, and may allow NESA not to comply with the HPPs in certain situations.

Health privacy codes of practice and public interest directions can modify the HPPs for any NSW public sector agency. All of these are available on the Privacy Commissioner’s website.

Offences

Offences can be found in s68–70 of the HRIP Act. It is an offence for NESA staff to:

  • intentionally disclose or use health information about another person to which the staff member has access in doing their job, for any purpose other than that which is authorised
  • offer to supply health information that has been disclosed unlawfully
  • attempt to dissuade a person from making or pursuing a request for health information, a complaint to the Privacy Commissioner or the Tribunal, or an internal review under the PPIP Act.

Other laws that influence compliance with the IPPs and HPPs

This section contains information about the main laws that affect how NESA complies with the IPPs and HPPs.

  • Education Act 1990 and regulations
  • Government Information (Public Access) Act 2009 
  • Crimes Act 1900
  • ICAC Act 1988
  • Public Interest Disclosures Act 1994
  • State Records Act 1998 and regulations.

The following policies and procedures support compliance with the Act:

How to access and amend personal and health information

People have the right to access personal and health information NESA holds about them.

Informal request

NESA encourages people wanting to access or amend their own personal or health information to contact the staff member or team managing their information. NESA aims to respond to informal requests within five working days and will tell the person how long the request is likely to take, particularly if it may take longer than first expected.

Formal request

People also have a right to make a formal application to access or amend personal or health information. A person does not need to ask informally before making a formal application, and a person can make a formal application if they have already asked informally.

A person can make a formal application to the Access and Privacy Officer by email, fax or post. The application should:

  • include the person’s name and contact details (postal address, telephone number and email address if applicable)
  • state whether the person is making the application under the PPIP Act (personal information) or the HRIP Act (health information)
  • explain what personal or health information the person wants to access or amend
  • explain how the person wants to access or amend the information.

NESA aims to respond in writing to formal applications within 20 working days. NESA will contact the person to advise how long the request is likely to take, particularly if it may take longer than expected.

If a person thinks NESA is taking an unreasonable amount of time to respond to an application, they have the right to seek an internal review. Before seeking an internal review, NESA encourages people to contact our office to ask for an update or timeframe.

Reviews, complaints and investigations

What do I do if I believe my privacy has been breached?

If an individual has a complaint about the conduct of NESA or a member of its staff in relation to the collection, storage, use or disclosure of personal or health information, a written request should be sent to NESA so that an internal review can be undertaken.

Under section 53 (3) of the PPIP Act, an application for an internal review must:

  • be in writing
  • be addressed to NESA
  • specify an address in Australia to which a notice can be sent
  • be lodged with NESA within six (6) months (or such later date as NESA may allow) from the time the applicant first became aware of the conduct that is the subject of the application; and
  • comply with such other requirements as may be prescribed by the regulations to the Act.

What does an internal review involve?

An application for an internal review will be dealt with by an officer authorised by delegation in the NESA Administrative and Financial Delegations Manual. This officer would not have been substantially involved in the matter that is the subject of the application.

The review will be completed as soon as is reasonably practicable in the circumstances and within 60 days from the day on which the application was received.

As a result of the review NESA may:

  • take no further action on the matter; or
  • make a formal apology to the applicant; and/or
  • take such remedial action as thought appropriate; and/or
  • provide undertakings that the conduct will not occur again; and/or
  • implement administrative measures to ensure that the conduct will not occur again.

NESA is required to:

  • notify the NSW Privacy Commissioner of an application for an internal review
  • provide reports to the Privacy Commissioner on the progress of the internal review
  • inform the Privacy Commissioner of the findings of the review and of the action taken by NESA in relation to the matter.

If requested by NESA, the Privacy Commissioner may undertake the review.

How will I be informed of the outcome of an internal review?

NESA will acknowledge receipt of an internal review application within five working days, write to the applicant within 14 days of completing the review and advise the applicant of:

  • the findings of the review and the reasons for those findings
  • action proposed to be taken and the reasons for taking that action, and
  • the right of the applicant to have the findings, and NESA’s proposed action, reviewed by the NSW Civil and Administrative Tribunal.

Promoting the plan

Executive and governance

The senior executive team is committed to transparency about how NESA complies with the PPIP Act and the HRIP Act. The senior executive team reinforces transparency and compliance with the PPIP Act and the HRIP Act by:

  • endorsing the plan and making it publicly available
  • reporting on privacy issues in our Annual Report in line with the Annual Reports (Statutory Bodies) Act 1984 (NSW)
  • confirming support for privacy compliance in the strategic plan and code of conduct
  • identifying privacy issues when implementing new systems.

NESA staff

NESA makes sure that staff are aware of and understand this plan, particularly how it applies to the work they do. This plan has been written so that staff can understand their privacy obligations, how to manage personal and health information in their work and what to do if unsure.

NESA makes our staff aware of their privacy obligations by:

  • publishing the plan on our website
  • including the plan in induction training and offering training as required
  • highlighting the plan at least once a year, for example during Privacy Awareness Week.

When staff have questions about how to manage personal and health information and this plan does not directly answer them, they should consult their manager or the Access and Privacy Officer.

Contractors

NESA may use the services of contractors to provide services to or for our office. If they will have or are likely to have access to personal information we make sure that they manage personal and health information in line with the IPPs and HPPs and information security policies.

Public awareness

This plan is a guarantee of service to our stakeholders of how NESA manages personal and health information. Because it is central to how we do business, NESA will make this plan easy to access and easy to understand for people from all kinds of backgrounds. NESA is required to make this plan publicly available as open access information under the GIPA Act.

Contact details

Access and Privacy Officer

Mail: NSW Education Standards Authority, GPO Box 5300, Sydney NSW 2001

Phone: (02) 9367 8111

Visit: Level 4, 117 Clarence Street, Sydney NSW 2000

Internet: www.educationstandards.nsw.edu.au

Email: [email protected]

Information and Privacy Commission NSW

Mail: GPO Box 7011, Sydney NSW 2001

Phone: 1800 472 679

Internet: www.ipc.nsw.gov.au

Email: [email protected]
