1. Framework
1.1 Purpose
The purpose of this framework is to clearly set out how the Department of Education (the Department) collects, manages, uses and shares personal and health information to fulfil its functions and activities. The framework follows the principles as defined in the Commonwealth Privacy Act 1988 and the Privacy and Responsible Sharing (PRIS) Bill 2024 and supports the open and transparent management of personal information.
1.2 Collection of personal information
Why do we collect personal information?
The Department will collect the personal information of individuals necessary to carry out its core functions and activities. The primary purpose for collecting personal information includes:
- education of students
- student administration
- communicating and engaging with parents
- recruitment and employment (including volunteers, contractors and service providers)
- supporting student and employee social and emotional wellbeing, health and behaviour
- management and administration of the Department (including schools)
- informing policy and strategy
- research or statistical purposes
- insurance purposes (including legal claims)
- legal obligations.
What information do we collect?
The Department will collect and use a broad range of personal, sensitive and health information, which may include the following:
- name (including aliases), gender, date of birth, place of birth, racial or ethnic origin
- contact details (address, email, phone number)
- emergency contact details
- health information, Medicare and private health details
- immunisation status and/or history
- personal circumstances such as occupation, marital status, parenting and access arrangements
- identification documents such as birth certificate, driver’s licence, passport or visa, Australian citizenship or residency documents
- photographs, video recordings, audio recordings, CCTV footage
- education history
- employment history and qualifications
- working with children checks and criminal screening
- teacher registration information
- financial information such as banking details
- government identifiers such as the WA student number or Unique Student Identifier.
How do we collect this information?
Personal information can be collected in the following circumstances:
- student enrolment
- educational purposes
- employee recruitment
- Department administration
- human resource management
- health and wellbeing of an individual
- protection of the wellbeing of an individual
- tender applications
- contract and funding agreements
- campaigns and initiatives
- information access requests (staff only)
- complaints
- software and applications
- websites
- investigations
- audits
- defence of a legal claim
- as required by law.
The Department will take all reasonable steps to ensure that personal information collected, used or disclosed is accurate, complete, up to date and relevant.
1.3 Use and disclosure of personal information
Personal information collected by the Department will be used, disclosed or shared for the primary purpose it is collected, including as follows:
- for a primary purpose (as defined above)
- for a related secondary purpose where one of the following applies:
- it is reasonable for it to be expected in line with the primary purpose
- with consent of an individual or parent/ legal guardian
- when the Department reasonably believes it is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of any individual, public health, public safety or public welfare or a threat to any individual due to family violence
- when required or authorised by law
- when required under the Children and Community Services Act 2004
- to investigate or report suspected unlawful activity, or when reasonably necessary for a specified law enforcement purpose, including the prevention or investigation of a criminal offence or seriously improper conduct, by or on behalf of a law enforcement agency
- as de-identified information, for research or school statistics purposes, or to inform departmental policy and strategy
- to establish or respond to a legal claim
- in the transfer of students’ records between public schools
- on receipt of a notice of transfer with parental consent from a non-government school (information on transfers between schools is available in the Enrolment in public schools policy and procedures).
1.4 Protection of personal information
The Department will take all reasonable steps to protect information from misuse, loss, unauthorised access, modification and disclosure. Management of electronic and paper records are consistent with the Department’s Records Management policy and procedures, Recordkeeping plan (staff only), Cyber Security policy and the State Records Act 2000 and State Records Commission Standards.
Unless unlawful to do so, when personal information is no longer required it is destroyed or permanently de-identified, in compliance with the Retention and Disposal schedule (staff only).
1.5 Access and correction of personal information
All individuals, or their authorised representative(s), have a right to request access to or correction of personal information that the Department holds about them, providing access to this information or record does not pose a risk to the safety of a child or children.
For further information on access to personal information, please see: Freedom of Information, Access to Information (staff only) and Freedom of information requests (staff only).
1.6 Automated decision-making
If the Department engages in any automated decision-making process that involves the personal information of an individual, an assessment will be conducted in line with the relevant legislation and the Department’s values, policies and procedures.
1.7 Complaints and breach of privacy
Complaints specifically about the Department’s, including schools’, handling of personal information are managed in line with the Department’s Complaints and Notifications Policy.
The Department will manage the prevention, containment, remediation and investigation when a breach of information occurs in line with the Information Breach policy and procedures.
Privacy and Responsible Information Sharing Framework