Privacy Management Plan
Acknowledgement: The Office of the Board of Studies acknowledges the use of IPC privacy management plan provided by the Information and Privacy Commission New South Wales in the development of this policy.
- About the Board of Studies
- Why we have a Privacy Management Plan
- About the privacy laws
- How to access and amend personal and health information
- Reviews, complaints and investigations
- Staff, contractors and visitors
- Promoting the plan
- Contact details
This plan explains how the Office of the Board of Studies manages personal and health information.
About the Board of Studies
Who are we?
The Board of Studies (BOS) is a statutory body established under the Education Act 1990. The Board of Studies has the following responsibilities:
- develop curriculum and curriculum support materials for all schools from Kindergarten to Year 12
- develop and conduct examinations leading to the award of the School Certificate (until 2011) and Higher School Certificate
- award eligible students who leave school prior to completing the Higher School Certificate with a Record of School Achievement (RoSA) s (from 2012)
- test administration authority for the National Assessment Program – Literacy and Numeracy (NAPLAN) (from 2012)
- advise the Minister for Education on applications from non-government schools seeking to operate in New South Wales
- approve school providers of courses for students from overseas
- accredit non-government schools to present candidates for the School Certificate (until 2011), Record of School Achievement (from 2012) and Higher School Certificate.
The Office of the Board of Studies (OBOS) is a department under the Public Sector Employment and Management Act 2002. OBOS has the following responsibilities:
- provide professional and administrative support and services to the Board
- encompass the Australian Music Examinations Board New South Wales and the Aboriginal Education Consultative Group
- administer the home schooling program under delegation from the Minister for Education.
The Board of Studies and the Office of the Board of Studies are portfolio responsibilities of the Minister for Education.
The branches of the OBOS and their key functions are described in the Board’s Annual Reports. The latest Annual Report is available on the Board’s website (www.boardofstudies.nsw.edu.au/about/annual-report.html).
Why we have a Privacy Management Plan
The OBOS has a privacy management plan because we want our stakeholders and staff to know how the OBOS manage personal information. In addition, the OBOS is required to have a plan under s33 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).
This plan explains how the OBOS manages personal information in line with the PPIP Act and health information under the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act).
This plan shows how the OBOS will manage personal or health information when our stakeholders give it to us. It also explains who a person can contact when they have questions about personal or health information the OBOS holds, and what they can do if they think the OBOS may have breached the PPIP Act or the HRIP Act.
The OBOS also uses this plan to train our staff about how to deal with personal and health information. This helps to ensure that the OBOS complies with the PPIP Act and the HRIP Act.
What this plan covers
Section 33(2) of the PPIP Act sets out the requirements of this plan. This plan must include:
- information about how the OBOS develops policies and practices in line with the PPIP Act and the HRIP Act
- how the OBOS trains staff in these policies and practices
- our internal review procedures
- anything else that OBOS considers relevant to the plan in relation to privacy and the personal and health information we hold.
When will we review this plan?
The OBOS will review this plan every 12 months, or earlier if any legislative, administrative or systemic changes affect how the OBOS needs to manage personal and health information.
What personal information does the Board of Studies collect?
The OBOS deals with personal and health information as follows:
Financial – financial information – timely payment of salaries for the examination Presiding Officers and Supervisors, examination markers and seasonal clerical staff involved in the Higher School Certificate program.
Human resources – personnel records (Office staff) – are maintained by the Human Resources Unit in both paper file and electronic format. The information recorded in these files includes: name, address and next of kin details, bank account details, tax file number, EEO information (provision of which is voluntary). All personal information is collected from employees, or, where provided by another organisation, for entitlement purposes, has been authorised by the officer.
School, student records – 60% of student records are submitted online by schools, thus negating the need to retain paper records within the Office for those students. Schools submitting information online retain the paper records. All data is held on the Office’s exam system in electronic form. Information held includes name, home address and telephone numbers, date of birth, school attended, and ethnicity and disability data. From 2013, HSC students will also be required to provide a photograph. Assessment data and examination mark data are added to the record.
Data in relation to HSC, Year 11, School Certificate (up to 2011 only) and RoSA candidates is retained indefinitely.
Disclosure of examination candidate details and results are released to:
- the student
- the school principal
- the Department of Education and Communities
- the Catholic Education Office (results of affiliated schools)
- Universities Admissions Centre
- Technical Committee on Scaling
- The Association of Independent Schools (results of affiliated schools).
Replacement certificates – candidates are able to apply for a replacement certificate at any time on a fee-for-service basis. Data such as personal details and credit card information in relation to the replacement of credentials is retained until the authorised destruction date.
Up until 2012, students undertaking some language exams are also required to provide a photograph for identification purposes. These photos are on Schools Online and are used by the Presiding Officer for language examinations. As noted above, all students will be required to provide an electronic photograph at time of entry from 2013.
Photographs of students are also made available to Presiding Officers by schools for the identification of students during HSC written exams. These are returned to the school at the end of this period each year.
Personnel records (casual staff) – including seasonal clerical staff, examination markers, presiding officers and supervisors and committee members, name and address details, bank account details and tax file numbers. The applicants provide all information. Applications for membership on committees or as examiners/markers require the endorsement of the School Principal/Director. Applicants are aware of this requirement, and that the Office will not accept the application without such endorsement. The original application form is retained, as is an electronic record.
Images of staff and visitors to the OBOS premise – Overt closed circuit television (CCTV) is installed in the public areas at the Board of Studies. The cameras are visible and the public is notified of the use of CCTV through prominent signage. The cameras record 24 hours a day 7 days a week. A monitor displaying images from the cameras is located in the control room. The cameras were installed in compliance with the code of practice for the Use of Overt Video Surveillance in the Workplace.
School and home schooling – maintains records of details of applicants and children registered for home schooling, including address details and, if relevant, details of court orders and medical information; maintains details of the qualifications and experience of teaching staff of non-government schools; maintains student details such as home address, guardian and visa details for students from overseas undertaking courses with approved school providers; maintains details of complainants about non-government schools, registration systems, approved school providers and home schoolers.
How do we manage personal information?
Information is maintained in electronic and hard copy and maintained according to the ISO 27001 Information Security Management Standard. Security and confidentiality of all information are maintained, and hard copy files are held in compactuses and cabinets that are locked. Access to information is limited to particular staff members. All records are captured electronically into the official record-keeping system and hard copies are maintained. Security of information is in accordance with the Board of Studies Security of Electronic Information Systems Policy.
About the privacy laws
This section contains a general summary of how the OBOS must manage personal and health information under the PPIP Act, the HRIP Act and other relevant laws. For more information, please refer directly to the relevant law or visit/contact the Information and Privacy Commission.
The PPIP Act and Personal Information
The PPIP Act sets out how we must manage personal information.
About personal information:
Personal information is defined in s4 of the PPIP Act and is essentially any information or opinions about a person where that person’s identity is apparent or can be reasonably ascertained. Personal information can include a person’s name, address, family life, sexual preference, financial information, fingerprints and photos.
There are some kinds of information that are not personal information, eg information about someone who has been dead for more than 30 years, information about someone that is contained in a publicly available publication, or information or an opinion about a person’s suitability for employment as a public sector official. Health information is generally excluded here as it is covered by the HRIP Act.
Information Protection Principles (IPPs)
Part 2, Division 1 of the PPIP Act contains 12 IPPs with which the OBOS must comply. Here is an overview of them as they apply to us:
Principle 1 – Lawful
Only collect personal information for a lawful purpose, which is directly related to the Office’s activities and necessary for that purpose
Principle 2 – Direct
Only collect personal information directly from the person concerned, unless it is unreasonable or impracticable to do so
Principle 3 – Open
Inform the person why you are collecting personal information, what you will do with it and who else might see it. Tell the person how they can view and correct their personal information and any consequences that may apply if they decide not to provide their information to you.
Principle 4 – Relevant
Ensure that the personal information is relevant, accurate, not excessive and up-to-date and that the collection does not unreasonably intrude into the personal affairs of the individual.
Principle 5 – Secure
Store personal information securely; keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.
Access and accuracy
Principle 6 – Transparent
Explain to the person what personal information about them is being stored, why it is being used and any rights they have to access it.
Principle 7 – Accessible
Allow people to access their personal information without unreasonable delay or expense.
Principle 8 – Correct
Allow people to update, correct or amend their personal information where necessary.
Principle 9 – Accurate
Make sure that the personal information is relevant and accurate before using it.
Principle 10 – Limited
Only use personal information if the person has given their consent or if they were informed at the time of collection.
Principle 11 – Restricted
Only disclose personal information with a person’s consent or if the person was told at the time that it would be disclosed. Personal information can be used without a person’s consent in order to deal with a serious and imminent threat to any person’s health or safety.
Principle 12 – Safeguarded
An agency cannot disclose sensitive personal information without a person’s consent; for example, information about ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities or trade union membership. It can only disclose sensitive information without consent in order to deal with a serious and imminent threat to any person’s health or safety.
Exemptions to the IPPs
If a public sector agency believes that the information protection principles are unworkable in a particular circumstance, it can either make a Privacy Code of Practice or seek an exemption from, or modification to, the principle from the Privacy Commissioner.
Privacy Codes of Practice allow an agency to modify one or more of the information protection principles. Codes of Practice can be made in relation to one of three things:
- a particular type of personal information (s29(5)(a))
- a particular organisation or type of organisation (s29(5)(b))
- a type of activity (s29(5)(c)).
A Privacy Code of Practice can change or delete any of the information protection principles but it cannot change or delete any of the exceptions to the principles, nor can it increase the level of privacy protection above that of the information protection principles.
Offences can be found in s62–66 of the PPIP Act. It is an offence for the OBOS to:
- intentionally disclose or use personal information accessed in doing our jobs for an authorised purpose
- offer to supply personal information that has been disclosed unlawfully
- hinder the Privacy Commissioner or a member of staff from doing their job.
The HRIP Act and Health Information
The HRIP Act sets out how the OBOS must manage health information.
About health information:
Health information is a more specific type of personal information and is defined in s6 of the HRIP Act. Health information can include information about a person’s physical or mental health such as a psychological report, blood tests or an X-ray, or even information about a person’s medical appointment. It can also include some personal information that is collected to provide a health service, such as a name and contact number on a medical record.
Health Privacy Principles (HPPs)
Schedule 1 to the HRIP Act contains 15 HPPs that we must comply with. Here is an overview of them as they apply to us:
Principle 1 – Lawful
An agency or organisation can only collect your health information for a lawful purpose. It must also be directly related to the agency or organisation’s activities and necessary for that purpose.
Principle 2 – Relevant
An agency or organisation must ensure that your health information is relevant, accurate, up-to-date and not excessive. The collection should not unreasonably intrude into your personal affairs.
Principle 3 – Direct
An agency or organisation must collect your health information directly from you, unless it is unreasonable or impracticable to do so.
Principle 4 – Open
An agency or organisation must inform you of why your health information is being collected, what will be done with it and who else might access it. You must also be told how you can access and correct your health information and any consequences if you decide not to provide it.
Principle 5 – Secure
An agency or organisation must store your personal information securely, keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorised access, use or disclosure.
Access and accuracy
Principle 6 – Transparent
An agency or organisation must provide you with details regarding the health information they are storing, why they are storing it and what rights you have to access it.
Principle 7 – Accessible
An agency or organisation must allow you to access your health information without unreasonable delay or expense.
Principle 8 – Correct
An agency or organisation must allow you to update, correct or amend your health information where necessary.
Principle 9 – Accurate
An agency or organisation must make sure that your health information is relevant and accurate before using it.
Principle 10 – Limited
An agency or organisation can only use your health information for the purpose for which it was collected, or a directly related purpose that you would expect (unless one of the exemptions in HPP 10 applies). Otherwise separate consent is required.
Principle 11 – Restricted
An agency or organisation can only disclose your health information for the purpose for which it was collected or a directly related purpose that you would expect (unless one of the exemptions in HPP 11 applies). Otherwise separate consent is required.
Identifiers and anonymity
Principle 12 – Not identified
An agency or organisation can only give you an identification number if it is reasonably necessary to carry out their functions efficiently.
Principle 13 – Anonymous
You are entitled to receive health services anonymously, where this is lawful and practicable.
Transferrals and linkage
Principle 14 – Controlled
Your health information can only be transferred outside New South Wales in accordance with HPP 14.
Principle 15 – Authorised
Your health information can only be included in a system to link health records across more than one agency or organisation if you have consented.
Exemptions to the HPPs
Exemptions are located mainly in Schedule 1 to the HRIP Act, and may allow the OBOS not to comply with the HPPs in certain situations.
Health privacy codes of practice and public interest directions can modify the HPPs for any NSW public sector agency. All of these are available on the Privacy Commissioner’s website.
Offences can be found in s68–70 of the HRIP Act. It is an offence for the OBOS to:
- intentionally disclose or use health information accessed in doing our jobs for anything else other than what we are authorised to
- offer to supply health information that has been disclosed unlawfully
- attempt to persuade a person from making or pursuing a request for health information, a complaint to the Privacy Commissioner or an internal review under the PPIP Act.
Other laws that affect how we comply with the IPPS and HPPS
This section contains information about the main laws that affect how the OBOS complies with the IPPs and HPPs.
- Education Act 1990 and regulations
- Government Information (Public Access) Act 2009 (GIPA Act)
- Crimes Act 1900
- ICAC Act 1988
- Public Interest Disclosures Act 1994
- State Records Act 1998 and regulations.
The following policies and procedures support compliance with the Act:
- NSW Government Personnel Handbook issued by the Public Service Commission;
- Privacy Code of Practice for the NSW Public Sector Workforce Profile, Department of Premier and Cabinet;
- State Records Authority of NSW, Government Recordkeeping Manual;
- Office of the Board of Studies Code of Conduct and Ethics – This code of conduct establishes standards of professional behaviour expected of staff of the Office. The code was developed to assist all officers in clarifying their professional and ethical responsibilities in executing their duties, thereby encouraging public confidence in the work of the Board and its Office.
- Use of Office Communications Devices Policy –This policy statement sets out the principles underpinning the use of Office communication devices. The policy covers the responsibilities of all staff in relation to economy, personal use, record keeping, security and privacy, and unlawful use.
- Records Management Policy – This policy provides a basis for the effective management of the records generated by the Office, which in turn are assets of New South Wales. The policy is designed to inform staff about their responsibilities in relation to the creation, control, management, preservation and disposal of official records in all mediums.
- Security of Electronic Information Systems Policy – The Office holds a considerable amount of data in its various computer systems, much of which is confidential and sensitive. This Policy, and its accompanying procedures and materials, address all aspects of security relating to the Office’s systems. It sets out the principles held by the Office regarding security, identifies responsibilities of staff, and outlines the Office’s procedures in a wide range of areas.
How to access and amend personal and health information
People have the right to access personal and health information the OBOS holds about them.
The OBOS encourages people wanting to access or amend their own personal or health information to contact the staff member or team managing their information. The OBOS aims to respond to informal requests within 5 working days and will tell the person how long the request is likely to take, particularly if it may take longer than first expected.
People also have a right to make a formal application to access or amend personal or health information. A person does not need to ask informally before making a formal application, and a person can make a formal application if they have already asked informally.
A person can make a formal application to the Privacy Contact Officer by email, fax or post. The application should:
- include the person’s name and contact details (postal address, telephone number and email address if applicable)
- state whether the person is making the application under the PPIP Act (personal information) or the HRIP Act (health information)
- explain what personal or health information the person wants to access or amend
- explain how the person wants to access or amend it.
The OBOS aims to respond in writing to formal applications within 20 working days. The OBOS will contact the person to advise how long the request is likely to take, particularly if it may take longer than expected.
If a person thinks the OBOS is taking an unreasonable amount of time to respond to an application, they have the right to seek an internal review. Before seeking an internal review, the OBOS encourages people to contact our office to ask for an update or timeframe.
Reviews, complaints and investigations
What do I do if I believe my privacy has been breached?
If an individual has a complaint about the conduct of the OBOS or a member of its staff in relation to the collection, storage, use or disclosure of personal or health information, a written request should be sent to the Office so that an internal review can be undertaken.
Under section 53 (3) of the Privacy and Personal Information Protection Act, an application for an internal review must:
- be in writing
- be addressed to the Office of the Board of Studies
- specify an address in Australia to which a notice can be sent
- be lodged with the Office within six (6) months (or such later date as the Office may allow) from the time the applicant first became aware of the conduct the subject of the application, and
- comply with such other requirements as may be prescribed by the regulations to the Act.
What does an internal review involve?
An application for an internal review will be dealt with by the Director, Regulatory and Management Services. The Director will not have been substantially involved in the matter that is the subject of the application.
The review will be completed as soon as is reasonably practicable in the circumstances and within sixty (60) days from the day on which the application was received.
As a result of the review the Office may:
- take no further action on the matter; or
- make a formal apology to the applicant; and/or
- take such remedial action as thought appropriate; and/or provide undertakings that the conduct will not occur again; and/or
- Implement administrative measures to ensure that the conduct will not occur again.
The Office is required to:
- notify the NSW Privacy Commissioner of an application for an internal review
- provide reports to the Privacy Commissioner on the progress of the internal review
- inform the Privacy Commissioner of the findings of the review and of the action taken by the Office in relation to the matter.
If requested by the Office, the Privacy Commissioner may undertake the review.
How will I be informed of the outcome of an internal review?
The Office will acknowledge receipt of an internal review within five (5) working days and write to an applicant within 14 days after completing the review and advise the applicant of:
- the findings of the review and the reasons for those findings
- action proposed to be taken and the reasons for taking that action, and
- the right of the applicant to have the findings, and the Office’s proposed action, reviewed by the Administrative Decisions Tribunal in NSW.
Staff, contractors and visitors
When people apply for jobs at the OBOS they need to send us personal information such as their names, contact details and work history. Our Human Resources Unit gives this information to the convenor of the panel for that particular position (stated on the job advertisement) in electronic or physical files.
The convenor of the panel does not disclose this personal information to anyone in the OBOS except for business support. Convenors store this information securely. The convenor does not disclose the information to anyone outside the OBOS except for other panel members.
After recruitment is finalised, convenors give all personal information back to the Human Resources Unit. They retain information relating to successful applicants and eligibility lists for twelve months. Unsuccessful applications are destroyed as per General Retention and Disposal Authorities.
Successful applicants are invited to fill out various forms to commence employment with the OBOS with further personal information such as bank account details, tax file number, emergency contacts and any disabilities that may affect their work.
These forms also encourage people to provide sensitive personal information such as racial and cultural information for statistics about the wider NSW public sector. These items are voluntary.
These forms are kept with the Human Resources Unit and are used for employment purposes such as payroll and setting up personal files.
At times the OBOS collects and manages personal and health information such as:
- medical conditions and illnesses
- next of kin
- family and care arrangements
- secondary employment
- conflicts of interest.
The OBOS collects this information for various reasons such as leave management, workplace health and safety, and to operate with integrity. The OBOS does not ask for more personal information than is actually required. We advise staff when collection is voluntary or mandatory, and of any possible consequence of not providing it to the Office.
The OBOS does not disclose this information to anyone else without consent.
The OBOS may use the services of contractors to provide services to or for our office. If they will have or are likely to have access to personal information we make sure that they manage personal and health information in line with the IPPs and HPPs and information security policies.
The OBOS uses a visitor’s book to record the names of people who enter our office beyond public areas. This book is displayed in our reception area on Level 4. We collect this information for workplace health and safety purposes.
Promoting the plan
Executive and governance
The senior executive team is committed to transparency about how the OBOS complies with the PPIP Act and the HRIP Act. The senior executive team reinforces transparency and compliance with the PPIP Act and the HRIP Act by:
- endorsing the plan and making it publicly available
- reporting on privacy issues in our Annual Report in line with the Annual Reports (Departments) Act 1985 (NSW)
- confirming support for privacy compliance in the strategic plan and code of conduct
- identifying privacy issues when implementing new systems.
The OBOS makes sure that staff are aware of and understand this plan, particularly how it applies to the work they do. This plan has been written so staff can understand what their privacy obligations are, how to manage personal and health information in their work and what to do if unsure.
The OBOS makes our staff aware of their privacy obligations by:
- publishing the plan on our website
- including the plan in induction training and offering training quarterly or as required
- highlighting the plan at least once a year (eg during Privacy Awareness Week).
When staff have questions about how to manage personal and health information and this plan does not directly answer them, they should consult their manager or the Privacy Contact Officer.
This plan is a guarantee of service to our stakeholders of how the OBOS manages personal and health information. Because it is central to how we do business, the OBOS will make this plan easy to access and easy to understand for people from all kinds of backgrounds. Additionally, the OBOS is required to make this plan publicly available as open access information under the GIPA Act.
Privacy Contact Officer
c/– Senior Records and Information Officer
Mail: Board of Studies, NSW, GPO Box 5300, Sydney NSW 2001
Phone: (02) 9367 8111
Visit: Level 4, 117 Clarence Street, Sydney NSW 2000
Information and Privacy Commission NSW
Mail: GPO Box 7011, Sydney NSW 2001
Phone: 1800 472 679