Intellischool Pty Ltd (ACN 640 801 841) (“we”, “us”, and “our”) is committed to privacy protection and understands the importance of keeping personal information private and secure. This policy explains how and why we collect, use, hold and disclose your personal information, when provided to us or collected by us, offline or online, including through our Services, our websites (intellischool.co, albitros.com, dextyr.com, and others), our platforms and our associated apps (Albitros and Dextyr) (the “Sites”).
We will treat all personal information in accordance with any and all obligations that are binding upon us under the Privacy Act 1988 (Cth) (“Privacy Act”) and Australian Privacy Principles (“APPs”).
We collect information about you that is reasonably necessary for us to carry out our Service of data storage, aggregation, integration and analytics provided through our platforms and designed specifically for education datasets and related services (“Services”). As part of the provision of our Services, we may receive or disclose personal information to educational institution partners that you attend or are associated with (“Educational Institution”).
The precise information that we collect and hold may relate to an attendee at an Educational Institution (“Attendee”) or members of an Attendee’s family (“Family”). We also collect information about staff, volunteers, consultants or other members of the public engaging with an Education Institution.
In this policy, “You” refers to any Attendee, Family or other person whose personal information we collect, hold, use or disclose, or may also include staff, volunteers, consultants or other members of the public engaging with an Education Institution.
We collect personal information about children and young people under the age of 18 in order to deliver our Services. We collect personal information about children and young people only with the written consent of a parent or guardian or another authorised person.
What is personal information?
Personal information is any information or an opinion about an identified individual or an individual who can be reasonably identified from the information or opinion. Information or an opinion may be personal information regardless of whether it is true.
What personal information do we collect and hold?
In order to provide our Services, it is necessary for us to collect personal information from or about an Attendee and their Family. This information helps an Educational Institution and their respective staff (including but not limited to employees, contractors, consultants and board members) to operate and provide their respective services. Information collected, in relation to an Attendee or their Family, may include:
- personal details including name, date of birth, gender, current school and/or future Educational Institution, educational grade, parental relationships and other pertinent information;
- personal details of Family members living in an Attendee’s household including name, date of birth, gender, contact details, and economic/personal relationships to the Attendee;
- identity verification information of an Attendee;
- information about how an Attendee interacts with an Educational Institution;
- Standardised testing results (including but not limited to NAPLAN, ACER PAT, PISA, and others);
- Attendee and Family household financial information;
- employment and occupational information;
- arrangements with parties outside an Attendee’s household, including custody and child support arrangements;
- information provided to us through customer surveys;
- your browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour; and
- details of Services we have provided to an Attendee or Family.
We may collect these types of personal information directly from you or from third parties such as Educational Institutions, software providers, other student information or learning management system providers.
Sensitive personal information
In the process of providing our Services, we are likely to receive your sensitive information either from you, Educational Institutions or from third parties. This may include (for instance) certain health information about an Attendee or Family, or details about an Attendee’s racial or ethnic origin. We will ensure that it is stored securely. Sensitive information is given a higher level of protection under the Privacy Act and APP, which requires us to acquire your consent to use and disclose such information. That consent may be provided to us by the Educational Institutions or our third-party providers. Provided you consent, either directly to us or to our third-party providers, your sensitive information may only be used and disclosed for purposes relating to the primary purpose for which the sensitive information was collected. Sensitive information may also be used or disclosed if required or authorised by law.
Site use information
We may also collect information about how you access, use and interact with our Sites. We do this by using a range of tools such as Google Analytics and Sentry.io. This information may include:
- the location from which you have come to the Site and the pages you have visited; and
- technical data, which may include IP address, the types of devices you are using to access the Site, device attributes, browser type, language and operating system.
Why do we collect, hold and use your personal information?
We collect, hold and use your personal information so that we can:
- provide our Services;
- contact and communicate with you;
- enable you to access and use our Services;
- assist Educational Institutions in the administration, reporting, processing and management of the services provided by those Educational Institutions;
- carry out data verification;
- conduct analytics, market research and business development, including to operate and improve our Sites, associated applications and associated social media platforms;
- use the personal information (excluding sensitive information) for advertising and marketing to our primary contacts at an Educational Institution, including to send promotional information about our products and services and information about third parties that we may consider to be of interest to Educational Institutions;
- undertake internal record keeping and administration, invoicing and billing (where applicable);
- comply with our legal obligations and assist government and law enforcement agencies or regulators;
- aggregate deidentified personal information in order to assist us to:
- better understand how users engage with our Sites;
- provide our users with further information regarding the uses and benefits of our Sites;
- enhance learning, teaching and business outcomes, including by creating useful data insights from aggregated data and allowing our users to benchmark data against aggregated data;
- if you have applied for employment with us; to consider your employment application.
We also collect sensitive information when we are authorised to do so for the purposes of preventing or lessening a serious threat to life, health or safety, human resource management, taking appropriate action against suspected unlawful activity or serious misconduct, and responding to inquiries by courts, tribunals and other bodies.
How do we collect your personal information?
We will collect the majority of your personal information directly from Educational Institutions or from you directly. However, we may also collect information from third parties such as standardised testing providers, credential verification providers, online education service providers and government bodies.
How do we store and hold personal information?
We store information about you in computer systems and databases operated by us with bank-grade security.
We take appropriate technical and organisational measures (including physical and electronic security) to safeguard personal information from loss, misuse, unauthorised access, modification or disclosure. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. Specific measures that we use include:
- restricting access to personal information where practicable;
- implementing two-factor authentication on all accounts by default;
- using industry-standard encryption to protect data in transit and at rest;
- building and maintaining a secure (private) network with no direct access between the internet and systems processing your data;
- using pseudonymisation techniques such as hashing email addresses or device IDs that we associate with you to reduce the risks when processing that data;
- conducting regular scans and penetration tests of our applications and networks to identify (and address) any potential vulnerabilities;
- demanding equivalent security and confidentiality measures from any third parties with which we do business;
- requiring all employees to comply with internal information security policies and keep information secure;
- requiring all employees to complete training about information security; and
- monitoring and regularly reviewing our practise against our own policies and against industry best practice.
Who do we disclose your personal information to, and why?
We may disclose your personal information to Educational Institutions and any affiliates of that Educational Institutions that require such information. The disclosures of your personal information to Educational Institutions are undertaken to provide the Educational Institution with the relevant data to allow that Educational Institution to provide its services.
We do not disclose personal information about anyone under the age of 18 unless we have seen or obtained the prior written consent of a parent, career or guardian, or we are legally permitted or required to do so.
We may also disclose personal information to third parties that perform services that are necessary for us to effectively provide our Services. This includes:
- our IT service providers, data storage, webhosting and server providers, security vendors and maintenance or problem-solving providers;
- our professional advisers, including our accountants, auditors and lawyers;
- government and regulatory authorities and other organisations, if required or authorised by law;
- persons for whom you may have expressly consented to the disclosure;
- anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred; and
- your authorised representatives or legal advisers (when requested by you to do so).
Do we disclose personal information to overseas recipients?
We may disclose your personal information to recipients which are located outside Australia. Some examples of overseas disclosure include:
- to our email and marketing service providers (located in the United States of America and the European Union);
- anyone else to whom you authorise us to disclose it.
We will take reasonable steps to ensure these service providers do not breach the Australian Privacy Principles.
A data breach occurs when personal or sensitive information, in any format, held by an entity is lost or subject to unauthorised access, modification, disclosure or other misuse or interference. The Notifiable Data Breaches (“NDB”) scheme under Part IIIC of the Australia Privacy Act 1988 establishes requirements for entities in responding to data breaches.
The NDB scheme requires the responsible entity to notify particular individuals and the Office of the Australian Information Commissioner (“OAIC”) if an ‘eligible data breach’ occurs. A data breach is ‘eligible’ if the breach is likely to result in serious harm (psychological, emotional, physical, reputational or other forms of harm) to any of the individuals to whom the information relates. A breach may be exempt from being defined as ‘eligible’ if the entity takes remedial actions prior to any serious harm occurring.
In the event of a data breach occurring, we will control the process of responding to the breach in accordance with the Privacy Amendment (Notifiable Data Breaches) Act 2017.
Your rights under the EU GDPR
We have processes in place to deal with Data Subject Rights (as that term is defined under the GDPR) requests. Our actions and responsibilities will depend on whether we are the controller or processor of the personal data at issue. Depending on our role as either a controller or processor, the process for enabling Data Subject Rights may differ, and are always subject to applicable law.
Under the European Union (EU) General Data Protection Regulation (GDPR), as a data subject you have the right to:
- access your data;
- have your data deleted or corrected where it is inaccurate;
- object to your data being processed and to restrict processing;
- withdraw consent to having your data processed;
- have your data provided in a standard format so that it can be transferred elsewhere; and
- not be subject to a decision based solely on automated processing.
Access to and correction of your personal information
You may access or request correction of the personal information that we hold about you by contacting us. Our contact details are set out below.
We will respond to your requests to access or correct personal information in a reasonable time and will take all reasonable steps to ensure that the personal information we hold about you remains accurate, and up to date. However, once data is transmitted through to any Educational Institution you recognise that we are limited in our ability to change, control or otherwise update such information. Should you wish to do so, you should contact the respective Educational Institution and request that they update or correct any personal information that you believe should be updated.
In some circumstances which are prescribed by the Privacy Act, such as where to do so might put a person at risk of harm or have an unreasonable impact on the privacy of others, we may decline access to personal information.
If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your personal information, you should contact us. Our contact details are set out below.
We will consider your complaint and determine whether it requires further investigation. We will notify you of the outcome of this investigation and any subsequent internal investigation.
If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor or contact the Office of the Australian Information Commissioner (www.oaic.gov.au) for guidance on alternative courses of action which may be available.
If you have any questions, comments, requests or concerns, please contact our Privacy Officer at:
Intellischool Privacy Officer
Mail: PO Box 2266, Ringwood North VIC 3134
Changes to this policy
From time to time, we may change our policy on how we handle personal information or the types of personal information which we hold. Any changes to our policy will be published on our Sites.
You may obtain a copy of our current policy from our Sites or by contacting us at the contact details above.
If you require any further information about the Privacy Act and the Australian Privacy Principles, you can visit the Federal Privacy Commissioner’s website (see www.privacy.gov.au).