Privacy Policy

This Privacy Policy sets out our commitment to protecting the privacy of personal information provided to us, or otherwise collected by us, offline or online.

EduBI Analytics Pty Ltd (ACN 659 748 277) (“we”, “us”, and “our”) is committed to privacy protection and understands the importance of keeping personal information private and secure. This policy explains how and why we collect, use, hold and disclose your personal information, when provided to us or collected by us, offline or online, including through our Services, our websites (edubi.com.au, and others), our platforms and our associated apps (the “Sites”).

We will treat all personal information in accordance with any and all obligations that are binding upon us under the Privacy Act 1988 (Cth) (“Privacy Act”) and Australian Privacy Principles (“APPs”).

We collect information about you that is reasonably necessary for us to carry out our Service of data storage, aggregation, integration and analytics provided through our platforms and designed specifically for education datasets and related services (“Services”). As part of the provision of our Services, we may receive or disclose personal information to the educational institution partners that you attend, will/have attended or are associated with (“Educational Institution”).

The precise information that we collect and hold may relate to an attendee at an Educational Institution (“Attendee”) or members of an Attendee’s family (“Family”). We may also collect information about staff, volunteers, debtors, creditors, consultants or other members (“Other Members”) of the public engaging with an Education Institution.

In this policy, “You” refers to any Attendee, Family or other person whose personal information we collect, hold, use or disclose, or may also include staff, volunteers, debtors, creditors, consultants or other members of the public engaging with an Education Institution.

Please read this Privacy Policy carefully. If we receive your personal information while providing our services, you understand and/or have been informed that we will collect, hold, use and disclose your personal information in accordance with this Privacy Policy, and you consent, whether directly or through or partners, to us collecting, holding, using and disclosing your personal information in accordance with this policy.

We collect personal information about children and young people under the age of 18 to deliver our Services. We collect personal information about children and young people only with the permission of the Educational Institution.

What is personal information?

Personal information is any information or an opinion about an identified individual or an individual who can be reasonably identified from the information or opinion. Information or an opinion may be personal information regardless of whether it is true.

What personal information do we collect and hold?

To provide our Services, it is necessary for us to collect personal information from or about an Attendee and their Family. This information helps an Educational Institution and their respective staff (including but not limited to employees, contractors, consultants and board members) to operate and provide their respective services. Information collected, in relation to an Attendee or their Family, may include:

• Personal details including name, date of birth, gender, current school and/or future Educational Institution, educational grade, parental relationships and other pertinent information;
• Personal details of Family members living in an Attendee’s household including name, date of birth, gender, contact details, and economic/personal relationships to the Attendee;
• Personal details of Other Members;
• Identity verification information of an Attendee;
• Information about how an Attendee interacts with an Educational Institution;
• Standardised testing results (including but not limited to NAPLAN, ACER PAT, PISA, and others);
• Attendee and Family household financial information;
• Financial information of Other Members;
• Employment and occupational information;
• Arrangements with parties outside an Attendee’s household, including custody and child support arrangements;
• Information provided to us through via survey platforms;
• Your browser session and geo-location data, device and network information, statistics on page views and sessions, acquisition sources, search queries and/or browsing behaviour; and
• Details of Services we have provided to an Attendee or Family.

We may collect these types of personal information directly from you or from third parties such as Educational Institutions, software providers, other student information, testing or learning management system providers.

Sensitive personal information

In the process of providing our Services, we are likely to receive your sensitive information from Educational Institutions or from third parties. This may include (for instance) certain health information about an Attendee or Family, or details about an Attendee’s racial or ethnic origin. We will ensure that it is stored securely. Sensitive information is given a higher level of protection under the Privacy Act and APP, which requires us to acquire your consent to use and disclose such information. That consent may be provided to us by the Educational Institutions or our third-party providers. Provided you consent, either directly to us or to our third-party providers, your sensitive information may only be used and disclosed for purposes relating to the primary purpose for which the sensitive information was collected. Sensitive information may also be used or disclosed if required or authorised by law.

Site use information

We may also collect information about how you access, use and interact with our Sites. We do this by using a range of tools such as Google Analytics and Microsoft Azure technologies. This information may include:

• The location from which you have come to the Site and the pages you have visited; and
• Technical data, which may include IP address, the types of devices you are using to access the Site, device attributes, browser type, language and operating system.

Why do we collect, hold and use your personal information?

We collect, hold and use your personal information so that we can:

• Provide our Services;
• Contact and communicate with you;
• Enable you to access and use our Services;
• Assist Educational Institutions in the administration, reporting, processing and management of the services provided by those Educational Institutions;
• Carry out data verification;
• Conduct analytics, market research and business development, including to operate and improve our Sites, associated applications and associated social media platforms;
• Use the personal information (excluding sensitive information) of customers and potential customers for advertising and marketing purposes. This will be restricted to primary contacts at Educational Institutions, where we may send promotional information about our products and services and information about third parties that we may consider to be of interest to Educational Institutions, subject to each individuals right to opt-out of such communication;
• Undertake internal record keeping and administration, invoicing and billing (where applicable);
• Comply with our legal obligations and assist government and law enforcement agencies or regulators;
• Aggregate deidentified personal information to assist us to:
• better understand how users engage with our Sites;
• provide our users with further information regarding the uses and benefits of our Sites;
• Enhance learning, teaching and business outcomes, including by creating useful data insights from aggregated data and allowing our users to benchmark data against aggregated data;
• If you have applied for employment with us; to consider your employment application.
• We also collect sensitive information when we are authorised to do so for the purposes of preventing or lessening a serious threat to life, health or safety, human resource management, taking appropriate action against suspected unlawful activity or serious misconduct, and responding to inquiries by courts, tribunals and other bodies.

How do we collect your personal information?

We will collect most of your personal information directly from Educational Institutions or from you directly. However, we may also collect information from third parties such as standardised testing providers, credential verification providers, online education service providers and government bodies.

How do we store and hold personal information?

We store information about you in computer systems and databases operated by us or the Educational Institution.

We take appropriate technical and organisational measures (including physical and electronic security) to safeguard personal information from loss, misuse, unauthorised access, modification or disclosure. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. Specific measures that we use include:

• Restricting access to personal information where practicable;
• Implementing two-factor authentication on all accounts by default;
• Using industry-standard encryption to protect data in transit and at rest;
• Building and maintaining a secure (private) network with no direct access between the internet and systems processing your data;
• Using pseudonymisation techniques such as hashing email addresses, de-identifying names to reduce the risks when processing that data;
• Demanding equivalent security and confidentiality measures from any third parties with which we do business;
• Requiring all employees and contractors to comply with internal information security policies and keep information secure;
• Monitoring and regularly reviewing our practice against our own policies and against industry best practice.

We cannot guarantee the security of any information that is transmitted to or by us over the internet. The transmission and exchange of information is carried out at your own risk. Although we take measures to safeguard against unauthorised disclosures of information, we cannot assure you that the personal information we collect will not be disclosed in a manner that is inconsistent with this Privacy Policy.

Who do we disclose your personal information to, and why?

We may disclose your personal information to Educational Institutions to provide our services to them. The handling of the information by an Educational Institution will be guided by that Educational Institution’s privacy policy and practices in accordance with the Privacy Act or applicable State. Territory or other jurisdictional legislation and is outside the scope of this Privacy Policy.

We may also disclose personal information to third parties that perform services that are necessary for us to effectively provide our Services. This includes:

• Our IT service providers, data storage, webhosting and server providers, security vendors and maintenance or problem-solving providers;
• Our professional advisers, including our accountants, auditors and lawyers;
• Government and regulatory authorities and other organisations, if required or authorised by law;
• Persons for whom you may have expressly consented to the disclosure;
• Anyone to whom our business or assets (or any part of them) are, or may (in good faith) be, transferred; and
• Your authorised representatives or legal advisers (when requested by you to do so).

Where do we store data?
Where we provide services to host our products in the cloud, we store data in data centres in your respective region, all of which comply with ISO 27001, ISO 9001, ISO 27018 and IRAP.

Where do we transfer data?

Your data will be stored and processed within your nominated region and we will not copy your data outside of your nominated region without your prior explicit written permission. For example, data hosted in Australia is not copied outside of Australia, data hosted in the USA is not copied outside of in the USA and data hosted in Europe remains in Europe.

Data breaches

A data breach occurs when personal or sensitive information, in any format, held by an entity is lost or subject to unauthorised access, modification, disclosure or other misuse or interference. The Notifiable Data Breaches (“NDB”) scheme under Part IIIC of the Australia Privacy Act 1988 establishes requirements for entities in responding to data breaches.

The NDB scheme requires the responsible entity to notify particular individuals and the Office of the Australian Information Commissioner (“OAIC”) if an ‘eligible data breach’ occurs. A data breach is ‘eligible’ if the breach is likely to result in serious harm (psychological, emotional, physical, reputational or other forms of harm) to any of the individuals to whom the information relates. A breach may be exempt from being defined as ‘eligible’ if the entity takes remedial actions prior to any serious harm occurring.

In the event of a data breach occurring, we will control the process of responding to the breach in accordance with the Privacy Amendment (Notifiable Data Breaches) Act 2017.

Your rights under the EU GDPR

We have processes in place to deal with Data Subject Rights (as that term is defined under the GDPR) requests. Our actions and responsibilities will depend on whether we are the controller or processor of the personal data at issue. Depending on our role as either a controller or processor, the process for enabling Data Subject Rights may differ, and are always subject to applicable law.

Under the European Union (EU) General Data Protection Regulation (GDPR), as a data subject you have the right to:

• Access your data;
• Have your data deleted or corrected where it is inaccurate;
• Object to your data being processed and to restrict processing;
• Withdraw consent to having your data processed;
• Have your data provided in a standard format so that it can be transferred elsewhere; and
• Not be subject to a decision based solely on automated processing.
• Access to and correction of your personal information

You may access or request correction of the personal information that we hold about you by contacting us. Our contact details are set out below.

We will respond to your requests to access or correct personal information in a reasonable time and will take all reasonable steps to ensure that the personal information we hold about you remains accurate, and up to date. However, once data is transmitted through to any Educational Institution you recognise that we are limited in our ability to change, control or otherwise update such information. Should you wish to do so, you should contact the respective Educational Institution and request that they update or correct any personal information that you believe should be updated.

In some circumstances which are prescribed by the Privacy Act, such as where to do so might put a person at risk of harm or have an unreasonable impact on the privacy of others, we may decline access to personal information.

Complaints

If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your personal information, you should contact us. Our contact details are set out below.

We will consider your complaint and determine whether it requires further investigation. We will notify you of the outcome of this investigation and any subsequent internal investigation.

If you remain unsatisfied with the way in which we have handled a privacy issue, you may approach an independent advisor or contact the Office of the Australian Information Commissioner (www.oaic.gov.au) for guidance on alternative courses of action which may be available.

Contact details

If you have any questions, comments, requests or concerns, please contact our Privacy Officer at:

EduBI Analytics Privacy Officer

Email: [email protected]

Mail: PO Box 626, Kellyville NSW 2155

Changes to this policy

From time to time, we may change our policy on how we handle personal information or the types of personal information which we hold. Any changes to our policy will be published on our Sites.

You may obtain a copy of our current policy from our Sites or by contacting us at the contact details above.

If you require any further information about the Privacy Act and the Australian Privacy Principles, you can visit the Federal Privacy Commissioner’s website (see www.privacy.gov.au).