Child & Student Data Privacy and Safety Policy
Contents
- Purpose
- Scope
- SiSat Statement of Commitment to Child Safety
- Equity, Inclusion, and Protection of At-Risk Students
- Roles and Responsibilities
- Individual Responsibilities and Reporting Obligations
- Staff, Contractors, and Volunteers – Responsibilities
- Suitability and Screening of Personnel
- Data Privacy, Security, and Access Control
- Data Security Incidents and Breach Response
- Continuous Improvement and Review
- Appendix A – Alignment with Ministerial Order 1359 (Victoria)
Purpose
School Information Systems & Technologies (SiSat) is committed to creating and maintaining a child-safe and student-safe organisation and digital platform, where the personal information of children, students, and young people is protected, secure, and handled responsibly.
This policy outlines SiSat’s approach to safeguarding child and student information across all SiSat software platforms, portals, and services. It demonstrates our commitment to meeting our obligations under Ministerial Order 1359, the Child Wellbeing and Safety Act 2005, and the Victorian Child Safe Standards, as they apply to digital environments and student data management.
Scope
This policy applies to:
- All SiSat employees, contractors, consultants, and volunteers, whether or not they work directly with children, students, or student information.
- All physical and online SiSat environments, including hosted systems, cloud platforms, portals, and third-party service environments used to deliver SiSat services.
- All access to, storage of, and interaction with child and student data across SiSat systems, whether during or outside standard work hours.
This policy should be read in conjunction with SiSat’s related policies, including but not limited to:
- Privacy Policy
- Child Safety Code of Conduct
- Information Security Policy
- Incident Response and Reporting Procedures
SiSat Statement of Commitment to Child Safety
School Information Systems & Technologies is a child-safe organisation. We are committed to protecting the privacy, safety, and wellbeing of all children, students, young people, and their families by ensuring that student information is only accessible to authorised persons and authorised systems.
SiSat platforms are provided exclusively to Australian-based schools. All SiSat data is hosted on servers located within Australia. No student or child data is stored offshore, and no offshore technical support is used. All support personnel are Australian-based and subject to appropriate background screening.
We have zero tolerance for unauthorised access, misuse, or abuse of child or student information. SiSat takes proactive steps to identify, assess, and mitigate risks associated with access to student data, and actively monitors its systems to prevent unauthorised or inappropriate use.
Any suspected or confirmed child or student data safety incident is treated seriously and responded to promptly and thoroughly. Where required, this may include notification to clients, regulators, or law enforcement agencies.
Equity, Inclusion, and Protection of At-Risk Students
SiSat gives particular consideration to the safety and privacy needs of children and students who may be at greater risk of harm, including but not limited to:
- Aboriginal and Torres Strait Islander students
- Students from culturally and linguistically diverse backgrounds
- International students
- Students with disabilities
- Children and young people unable to live at home, including those under protection orders
- Children and young people who identify as lesbian, gay, bisexual, transgender, gender diverse, intersex, or queer (LGBTIQ+)
SiSat actively monitors its systems to ensure they are not used to target, discriminate against, or harm students based on these or any other characteristics. Racism, harassment, vilification, or discriminatory misuse of SiSat systems is not tolerated. Any identified instances are addressed with appropriate consequences and may involve law enforcement agencies where required by law.
Roles and Responsibilities
The protection of child and student information is a shared responsibility between School Information Systems & Technologies (SiSat) and its client schools. Clear delineation of responsibilities supports safe system use, regulatory compliance, and effective incident response.
SiSat Responsibilities
School Information Systems & Technologies is responsible for:
- Providing a secure, Australian-hosted software platform for the management of school information.
- Implementing and maintaining appropriate technical and organisational security controls, including:
  - Role-based access controls
  - System monitoring and logging
  - Secure authentication and session management
- Ensuring that all SiSat staff, contractors, and volunteers with system access are appropriately screened, inducted, and trained in child safety and data protection obligations.
- Maintaining documented child safety, privacy, and information security policies.
- Monitoring platform use to identify unauthorised access, misuse, or security risks.
- Responding promptly to suspected or confirmed child or student data safety incidents, including notification and escalation where required.
- Cooperating with schools, regulatory bodies, and law enforcement agencies in accordance with legal obligations.
School Responsibilities
Client schools are responsible for:
- Managing their internal user accounts, including:
  - Creating, modifying, and disabling user access
  - Assigning appropriate roles and permissions
- Ensuring that only authorised staff, contractors, and third parties are granted access to SiSat systems.
- Ensuring users comply with school policies, professional conduct requirements, and applicable child safety obligations.
- Maintaining appropriate local procedures for:
  - Staff induction and training
  - Acceptable use of digital systems
  - Responding to suspected misuse of student information
- Promptly notifying SiSat of any suspected or actual unauthorised access, misuse, or data security concerns involving SiSat systems.
- Ensuring compliance with Department of Education and Training (DET) policies and other regulatory obligations applicable to their school.
Shared Responsibilities
Both SiSat and its client schools share responsibility for:
- Promoting a culture of child safety and student data protection
- Supporting inclusive and respectful use of digital systems
- Identifying and responding to risks related to child and student information
- Cooperating in investigations, audits, and continuous improvement activities
Individual Responsibilities and Reporting Obligations
Child and student data safety is a shared responsibility. Every person involved in SiSat has a role in maintaining the safety, security, and integrity of student information.
All staff, contractors, and volunteers are expected to promptly raise concerns or suspicions regarding unauthorised access to child or student information, in accordance with SiSat’s reporting and escalation procedures.
Staff, Contractors, and Volunteers – Responsibilities
All SiSat staff, contractors, and volunteers must:
- Participate in child safety induction and ongoing training provided by SiSat and/or relevant government authorities.
- Comply with SiSat’s Child Safety Code of Conduct at all times.
- Identify and report child safety or data security concerns in accordance with SiSat’s responding and reporting procedures.
- Respect the rights, dignity, and voices of children and students.
- Apply inclusive practices that recognise and respond to the diverse needs of students.
Suitability and Screening of Personnel
SiSat applies robust child-safe recruitment, induction, training, and supervision practices to ensure that all personnel are suitable to work with systems that handle child and student information.
When engaging staff, contractors, or volunteers, SiSat will:
- Verify and record a valid Working with Children Check (WWCC) or equivalent background screening.
- Collect and record proof of identity and relevant qualifications.
- Assess prior experience working with children or with systems containing sensitive or confidential information.
- Obtain references addressing suitability for the role and access to sensitive systems.
All newly appointed personnel must complete SiSat’s child safety induction program, which includes:
- This Child & Student Data Privacy and Safety Policy
- The Child Safety Code of Conduct
- Reporting and responding obligations in the event of suspected or actual unauthorised access to student information
Data Privacy, Security, and Access Control
SiSat collects, uses, stores, and discloses information about children, students, and their families in accordance with applicable privacy legislation and regulatory requirements.
Details regarding data handling practices are outlined in SiSat’s Privacy Policy.
SiSat recognises that effective record access control and information security management are critical components of child and student safety. Access to student records is strictly controlled and managed in line with:
- Department of Education and Training (DET) policies and guidelines
- Industry best-practice information security standards
Data Security Incidents and Breach Response
School Information Systems & Technologies (SiSat) maintains procedures to respond to suspected or actual data security incidents involving child or student information in a timely, coordinated, and responsible manner.
A data security incident may include, but is not limited to:
- Unauthorised access to child or student information
- Accidental or malicious disclosure of student data
- Compromise of user credentials or system access controls
- System misuse that may pose a risk to child or student safety
Incident Response Principles
In the event of a suspected or confirmed incident, SiSat will:
- Take immediate steps to contain and mitigate the incident.
- Assess the nature and extent of the incident, including potential risks to children and students.
- Preserve relevant system logs and records to support investigation.
- Cooperate with affected client schools to support their obligations.
- Notify relevant authorities, regulators, or law enforcement agencies where required by law.
- Review the incident to identify root causes and implement corrective actions.
Notification and Communication
Where an incident involves, or is likely to involve, unauthorised access to child or student information, SiSat will:
- Notify affected client schools as soon as practicable.
- Provide relevant information to assist schools in meeting their own reporting and regulatory obligations.
- Communicate transparently while maintaining confidentiality and data integrity.
Notification decisions will be made in accordance with applicable privacy legislation and regulatory guidance.
Post-Incident Review
Following any significant data security incident, SiSat will:
- Conduct a post-incident review to evaluate the effectiveness of controls and response actions.
- Update policies, procedures, or technical safeguards where required.
- Implement additional measures to reduce the likelihood of recurrence.
Continuous Improvement and Review
SiSat is committed to the continuous improvement of its child and student safety practices.
We will:
- Review this policy at least every 12 months, or following any significant child or student data safety incident.
- Analyse complaints, concerns, and incidents to strengthen policies, procedures, and controls.
- Act transparently and cooperate with the Department of Education, regulators, and law enforcement agencies where required by law.
Appendix A – Alignment with Ministerial Order 1359 (Victoria)
This appendix outlines how School Information Systems & Technologies (SiSat) meets its obligations under Ministerial Order 1359, as they apply to digital systems, software platforms, and the management of child and student information.
| Ministerial Order Requirement | How SiSat Aligns |
|---|---|
| 1. Leadership, Governance and Culture | Embeds child/student data protection into platform design and operations; maintains documented policies; ensures oversight of security controls, hosting arrangements, and access management; commits to review and continuous improvement. |
| 2. Child Safety and Wellbeing in Online Environments | Australian-only hosting; no offshore storage/support; restricted access to authorised users/systems; role-based access and least-privilege; monitoring to detect unauthorised or inappropriate access; proactive steps to prevent misuse. |
| 3. Equity, Inclusion and Protection of At-Risk Students | Recognises and protects diverse/at-risk cohorts; monitors misuse targeting; addresses incidents promptly with escalation where required by law. |
| 4. Suitability of Staff, Contractors and Volunteers | WWCC/equivalent checks; identity and qualification verification; references for suitability; mandatory induction and ongoing awareness training. |
| 5. Child Safety Knowledge, Skills and Awareness | Ensures personnel understand child safety and data protection obligations; trained to recognise/report unauthorised access; aware of escalation pathways and Code of Conduct responsibilities. |
| 6. Reporting, Responding and Incident Management | Maintains procedures to identify/respond to incidents; investigates promptly; notifies affected clients and authorities where required; engages law enforcement agencies when necessary; reviews incidents to strengthen controls. |
| 7. Record Keeping, Information Sharing and Privacy | Manages information in accordance with applicable privacy legislation, DET policies/guidelines, and industry best practice; access is controlled, logged, and reviewed. |
| 8. Review and Continuous Improvement | Reviews policies at least annually and after significant incidents; analyses complaints/incidents to improve practices; cooperates with schools, government departments, regulators, and law enforcement where required. |