AERO takes privacy seriously. This policy outlines how we handle personal information and how you can contact us.
Download AERO Privacy policy PDF, 277.35 KB

On this page:

1. Purpose

This policy outlines how the Australian Education Research Organisation (AERO) collects and manages personal information belonging to its staff and stakeholders, in compliance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles. This policy may need to be amended over time and updated versions will be published on AERO’s website.

2. Scope

Who this policy applies to

This policy applies to all people from whom AERO collects personal information (as defined in the Privacy Act) if they:

  • participate in a research project
  • contribute to activities other than research, such as helping AERO understand the effectiveness of its resources, featuring in practice-based photos or videos, contributing ideas to inform future research and giving feedback
  • collaborate with AERO to conduct research or activities other than research
  • make an enquiry of, or contact, AERO
  • register and/or attend an event run by AERO
  • apply for a job or work at AERO
  • provide services to AERO
  • visit AERO’s website
  • join AERO’s mailing lists
  • connect with AERO via social media.

3. Context

How AERO's work relates to personal information

AERO deals with personal information to fulfil its purpose and meet its obligations. AERO:

  • collects, produces and uses a variety of personal information to fulfil its functions and activities. These functions and activities include employment, engagement and collaboration with education stakeholders, as well as generating and presenting high-quality evidence to enhance education outcomes for all Australian children and young people.
  • is required to comply with the Privacy Act and, in some cases, corresponding state and territory-based privacy legislation relevant to work being undertaken by AERO staff and those appointed to carry out work in collaboration with or on AERO’s behalf.
  • acknowledges principles for Indigenous Data Sovereignty and the rights of First Nations Peoples to govern the collection, application and ownership of their data and information relating to them.
  • is committed to protecting the personal information it collects, stores, uses, manages and discloses, and this policy supports that commitment.

4. Policy statement

4.1 How AERO collects personal information

Where AERO collects and uses personal information, it will only do so:

  • in a non-intrusive, lawful and fair way
  • in a way that: respects First Nations self-determination and leadership, contributes to impact and value that is of clear benefit for First Nations Peoples and enables sustainability and accountability for the present and future needs of First Nations Peoples and communities.
  • to fulfill organisational function and activities where that personal information is reasonably necessary
  • where collection or use is required or authorised by law (such as where informed and voluntary consent has been provided)

Please note that AERO will seek consent for the collection and use of personal information if human research ethics entities or education authorities require AERO to do so.

Where lawful and practical to do so, AERO will provide the option of anonymity or use of a pseudonym if individuals do not wish to be identifiable.

AERO may collect personal information:

  • in person or over the telephone (e.g., through interviews, focus groups, classroom observations, yarning and collective storytelling)
  • in writing (e.g., corresponding with AERO, filling out a survey, providing consent or entering into a legal agreement with AERO)
  • by audio-visual means (e.g., via a video call or if AERO records audio or video of an in-person, online or telephone interaction, or video of teaching practices in action)
  • by taking photographs (e.g., at AERO events or during research or activities other than research)
  • through AERO’s website and social networking services (e.g., if connecting with AERO via LinkedIn or filling out a form via AERO’s website)
  • via digital communications that are accessed by those who have subscribed to a mailing list (e.g., AERO newsletters)
  • when minutes or notes are documented (e.g., as part of meetings, events, webinars, collaborative discussions and stakeholder engagement)
  • when documents have been submitted either directly or through a trusted third-party platform (e.g., job applications, human research ethics applications/forms or researchers outside of AERO responding to a call for proposals)
  • from third parties (e.g., referee reports for job applicants) or publicly available information
  • as part of permission to access data from a publicly available source or trusted third party, such as the Australian Curriculum, Assessment and Reporting Authority, the Australian Bureau of Statistics or another entity that has legal and ethical authority to share and grant access to previously collected datasets.

Where practical to do so, personal information will be collected directly from individuals. To ensure informed and voluntary consent for the collection and use of this information, AERO will, where practical to do so:

  • provide sufficient detail to individuals so they can make an informed decision about consent
  • clearly communicate that consent and participation are voluntary
  • genuinely engage with First Nations Peoples, communities and groups, including forming agreements, approaching consent in a culturally and linguistically appropriate way, and respecting free, prior and informed consent of communities, groups and individuals
  • maintain records that verify the currency and nature of consent
  • verify appropriate consent procedures were undertaken in circumstances where data was previously collected by another entity
  • respect individual capacity to understand and communicate consent.

Where it is not practical to collect personal information directly from the relevant individuals, AERO may collect and use information about them from someone else if:

  • it is unreasonable or not feasible to collect information directly from them
  • the source of information is a trusted third party who has authority to provide the personal information to AERO
  • appropriate privacy and consent measures were in place when the information was originally collected.

Where individuals are under the age of 18 years, it is necessary to determine their capacity to understand and communicate consent on a case-by-case basis. As a case-by-case assessment isn’t always possible (e.g., researchers don’t have in-person contact with children and young people due to interacting online, or won’t have the opportunity to interact with every individual child and young person) AERO will, where practical to do so:

  • seek consent from parents/guardians for those under the age of 18 years.
  • create opportunities for children and young people to provide assent to complement consent granted by their parent(s) or guardian(s).
  • encourage the involvement of children and young people in the consent process by asking parents or guardians to discuss matters directly with them before giving consent on their behalf.

4.2 Types of personal information AERO collects and uses

The kinds of personal information AERO collects, uses and produces will vary based on the reason for engagement between AERO and individuals, the nature of the work – be that research or activities other than research - and AERO’s objectives. For security purposes, de-identification techniques might be applied to personal information that has been collected, before it is used. The kinds of personal information AERO collects and uses includes:

  • basic contact and identity information (e.g., name, address, email, phone number and signature)
  • demographic information (e.g., age, gender and date of birth)
  • perspectives on, and experiences of, education and related themes (e.g., practices, outcomes, needs and learning)
  • details about schools and early childhood education and care (ECEC) services, including location
  • educational outcomes and indicators such as NAPLAN, exam or assessment scores and year of student completion of these
  • student and school identification numbers
  • documents containing strategies, plans and evaluation results
  • level of engagement with and completion of professional learning
  • employment-related details (e.g., role accountabilities, work experience, referee names, salary and job satisfaction).

At times AERO collects and analyses ‘sensitive information’ (as that term is defined in the Privacy Act) if it is relevant for AERO’s research. AERO will ask for an individual’s consent before collecting and using their sensitive information, unless permitted to do so without consent, or otherwise legally required to collect that information. Sensitive information that AERO collects and uses can include:

  • health information (such as disability status or information about wellbeing)
  • Aboriginal and/or Torres Strait Islander status
  • language background, which could indicate racial or ethnic origin.

AERO will de-identify any research findings based on sensitive data or as required by research approval authorities. This may include, for example, aggregate results that represent an entire group of people and therefore do not reveal the identity of the individuals in the group, or map which information belongs to which individual. In certain circumstances, sensitive information is only used to control and remove any effect these characteristics might have on findings and, as such, they are not analysed.

Research, engagement and contact

AERO collects and uses personal information of people it has engaged with, people who have contacted AERO and people who have taken part in its research or activities other than research. Records that AERO maintains contain appropriate information about consent granted, related conditions and the purpose of engagement and/or contact.

Employment

AERO collects and uses personal information, such as name, contact details, qualifications and résumés, as part of job applications and employment. It also collects and uses employment-related personal information, such as: details for taxation, banking and superannuation, and salary and wages purposes; hours of work; and information about skills, training, performance and conduct.

As per AERO’s Code of Conduct, all employees are given notice through their contracts of employment that surveillance may take place while they are at work through camera, computer or tracking surveillance.

Procurement, legal and finance

AERO collects and holds personal information as part of its procurement, legal and financial processes. This includes the names and contact details of tenderers, research collaborators and contracting parties, as well as financial information required for procurement purposes.

Newsletters and other organisational communications

When people sign up to receive AERO’s newsletter or they request that AERO communicates with them, their names and email addresses are collected and stored for these purposes. To help AERO understand its audience, in some cases the name of the school or service with whom a person is affiliated and their role in the education sector might also be collected.

Website and social media platforms

Log information and cookies

AERO’s website collects information about its visitors and their activity on the website. Some of this information is collected via cookies.

Social media

AERO uses social networking sites, including LinkedIn, Facebook and X (formerly Twitter) to engage with the public.

AERO may collect users' personal information if they engage with AERO on these services. The information will only be used to help AERO achieve its objectives.

4.3 How AERO discloses personal information and maintains its quality

AERO may disclose personal information to trusted third parties and service providers to assist AERO with its functions and activities. These functions and activities include: data collection, processing and analysis; information technology (IT) services and support; operational reporting (e.g., to the Australian Tax Office); website maintenance and development; printing; record archiving; sending newsletters; market research; and research-related services (e.g. transcribing audio files). AERO may also disclose personal information with contractors and service providers engaged to help conduct and share its research.

Where AERO receives data from Commonwealth, state and territory governments or education authorities for secondary analysis, it may share its findings with those entities.

AERO will only disclose information about an individual with their consent or if:

  • it will be used for a purpose directly related to its original collection and there is no reason for AERO to believe that the individual concerned would object to its disclosure
  • the individual is aware, or reasonably likely to be aware, that the disclosure would occur
  • there are reasonable grounds to believe disclosure is needed to prevent or lessen a serious or imminent threat to an individual’s life or health
  • the individual gave consent for disclosure when another entity initially collected the data
  • it is authorised or required by or under law.

AERO takes reasonable steps to protect personal information from being disclosed outside of permitted activities. AERO will not disclose the sensitive information of an individual without their consent unless it is authorised or required by or under law.

When using data for research, AERO may aggregate, analyse it, combine it with other datasets or de-identify it. These activities are carried out to protect the privacy and confidentiality of individuals and entities, as well as to support the primary purpose for which it was collected – to meet AERO’s research objectives and gain insights about Australian education. Further information about other types of disclosures is given below.

Publication and dissemination

To benefit the education community, AERO publishes and disseminates research and information from activities other than research. AERO does so on its website and through research-related forums (e.g., conferences and workshops with practitioners). This could be in the form of articles, reports, papers, presentations, visualisations and other resources. Generally, whatever is published and disseminated will be presented in such a way that individuals cannot be identified. On some occasions, AERO may identify people, locations, or specific schools or services. However, AERO will only do this when relevant parties (e.g., individuals, organisations and authorities) have consented.

Overseas disclosure

AERO does not routinely disclose data or information to overseas recipients. Where feasible, AERO engages with providers that store data in servers located in Australia. Where necessary, personal information may be disclosed to third-party providers in countries such as the United Kingdom (UK), the United States (US) and New Zealand. AERO will only disclose personal information to overseas recipients where reasonable steps have been taken to ensure the recipient agrees not to breach the Australian Privacy Principles.

Additionally, from time-to-time AERO staff may be working overseas and require access to information that is stored in Australia. This work is carried out on Australian servers and access requires multi-factor authentication.

Third parties

AERO engages third-party providers that operate software and platforms that contribute to secure, efficient and sustainable operations. These software and platforms support functions such as newsletter distribution, survey data collection, video conferencing, data analysis, employment and financial records.

Before engaging with these providers, AERO, in conjunction with its IT provider, undertakes an assessment. This assessment includes review of legal terms and conditions, privacy measures, storage location and security measures.

Records and data quality

AERO has a number of measures intended to ensure that the personal information it holds is accurate, up-to-date, complete and relevant. These include:

  • maintaining a data register, which provides clear reference for staff on matters such as security classification, history and timelines for disposal
  • asking staff to keep information up-to-date in the employment system
  • documenting consent through organisation-wide templates that consistently address all legislative, regulatory and education requirements
  • staff using organisation-wide processes that facilitate accurate records and reporting
  • monitoring data collection to safeguard its integrity
  • coding data carefully and rigorously to ensure privacy and confidentiality while maintaining accuracy.

Please contact AERO using the contact information in section 6 if you would like to:

  • know what, if any, personal information AERO holds about you
  • seek correction of any personal information AERO holds about you
  • opt out of receiving communications from AERO.

If you request access to your personal information or ask AERO to correct or update information about you, AERO may need to verify your identity. In some cases, there may be a valid reason for AERO to deny your request to access or correct your information. If AERO does this, AERO will notify you of the reason within 30 working days.

Current and former employees may request their employment records via [email protected]. Digital versions of those records would be available within 3 business days, or a paper-based copy sent via post within 14 days.

4.4 How AERO stores, retains and secures personal information

Storage and retention

The personal information AERO collects is stored and managed on systems licensed to AERO. Unless indicated otherwise, personal information and associated records are stored in secure cloud-based systems located within Australia.

AERO keeps personal information for the amount of time needed to fulfil the purpose it was collected for. Once the information is no longer needed, AERO takes reasonable steps to dispose of it securely. This may involve destroying or de-identifying data and datasets. Where applicable under agreements, it may also involve transferring custody of the data back to its original owner.

When AERO publishes its work, it does so through a Creative Commons Attribution 4.0 International Licence (CC BY 4.0 licence). This means AERO’s publications are freely available, and third parties are allowed to copy, share, or adapt those publications without needing to seek AERO’s permission as long as they attribute AERO’s original work and indicate if any changes have been made to that. Personal information could appear in AERO’s publications if consent for this has been provided as applicable.

If an individual withdraws their consent for AERO to use their personal information, AERO will make every effort to delete or remove the information; however, it may not be possible or practical to do this in all situations. For example, if the information has been published (hard copy or online), and downloaded or distributed by others, AERO has no control over further use and disclosure.

Additional information about AERO’s storage and retention practices is available in AERO’s Data and Information Management Policy.

Security

AERO and its IT provider take reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

Privacy and notifiable data breaches

In the event of a possible data breach, AERO will follow the Notifiable Data Breach (NDB) scheme and any other reporting obligations that exist for specific categories of information. Additional information regarding NDB scheme is available in AERO’s Data and Information Management Policy.

5. Roles, responsibilities and delegations

AERO staff and those who AERO employs to carry out work in collaboration with or on AERO’s behalf (e.g., contractors, consultants and research collaborators) have an obligation to be aware of and implement privacy principles and practices underpinned by:

  • this policy
  • legislation
  • national research ethics standards
  • requirements of education authorities.

AERO may revise this policy from time to time to take account of legislative and regulatory reform, and changes to AERO’s operations and practices.

To support these roles and responsibilities, AERO:

  • makes the AERO Privacy Policy publicly available through its website
  • provides privacy-related training to its staff
  • maintains a privacy management plan
  • uses organisation-wide participation and information consent templates
  • coordinates requests for information access, information correction and complaints via [email protected]

6. Contact AERO

If you have any questions or comments about AERO’s privacy practices, would like to communicate about personal information AERO might hold about you, or would like to make a complaint about a possible breach of the Australian Privacy Principles, please contact AERO by:

AERO will do its best to address and resolve any issues raised and will aim to provide a response or an update on progress within 30 days. To fully understand the nature of complaints and outcomes that are being sought, AERO asks that these are communicated in writing.

If you are not satisfied with AERO’s response, you may take your complaint to the Office of the Australian Information Commissioner.

Definitions

TermDefinition
BreachAn act or practice that contravenes or is inconsistent with relevant legislation and/or standards, and no exception for that exists. In the context of this policy, it involves unauthorised access or disclosure of data and information that AERO holds.
De-identified The absence of any personal information that would make an individual reasonably identifiable or re-identifiable.
Disclosure Permitted access to data or information is provided to an individual or organisation other than the entity that originally collected it (e.g., data sharing) or the individual to whom that data or information belongs.
Indigenous data

Any data which was obtained from, or relates to, an Aboriginal or Torres Strait Islander person or community and relates to:

  • their personal information
  • that person’s personal cultural information, or
  • communally owned Indigenous Cultural and Intellectual Property (ICIP).
Indigenous Data SovereigntyThe rights of Aboriginal and Torres Strait Islander people to govern the collection, application and ownership of their data and information relating to them, including their ICIP.
Personal information

As per the Privacy Act (1988), any ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.’

Personal information includes any data and information that could reasonably identify an individual. For example, an individual’s name, signature, contact details (e.g., postal or email address and phone number), employment details, date of birth, disability status, photographs, student identification number, school name and location, opinions and perspectives.

Information does not have to contain an individual’s name to be personal information. Certain combinations of information may mean that a person is ‘reasonably identifiable’.

In certain circumstances, information is not categorised as personal. This includes information about an individual who has been deceased for more than 30 years or information about a person that is publicly available.

Sensitive informationAs per the Privacy Act, this includes personal information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, or criminal record.

Abbreviations

AbbreviationFull name
AEROAustralian Education Research Organisation
ICIPIndigenous Cultural and Intellectual Property
NDBNotifiable data breach

Associated documents

  • Privacy Act 1988
  • Australian Privacy Principles
  • Australian Code for the Responsible Conduct of Research
  • National Statement on Ethical Conduct in Human Research (2023)
  • Australian Institute of Aboriginal and Torres Strait Islander Studies (AIATSIS) Code of Ethics for Aboriginal and Torres Strait Islander Research (2020)
  • United Nations Declaration on the Rights of Indigenous Peoples
  • AERO Data and Information Management Policy
  • AERO Code of Conduct 
  • AERO Code for the Responsible Conduct of Research and Evaluation
  • AERO Research Complaints, Breaches, and Investigation Procedure
  • AERO’s Members’ Contribution Agreement