The general type of information we may collect and store, includes personal information about:

• staff at participating schools;
• students from participating schools and their parents;
• applicants, staff, contractors; and
• Other people who are involved in the running of the ANVDC

In general, the personal information we collect and store includes the name of the person and the school with which they are associated.

It may include contact details, job role, WWCC, educational level (for students), date of birth and other matters which are relevant for the purpose for which they were collected.

We provide schools with the opportunity to participate in a national virtual debating competition. For this purpose, we collect information about the school, teachers and students who wish to participate. The type of information collected is required to successfully include the school and students in the competition. Masters Academy does not disclose this information to third parties, except expressly for the purpose of completing certificates, trophies and the facilitation of prizes.

We will generally collect personal information:

• from you directly when you provide your details to us;
• from you indirectly through emails, meetings, participation in debates, telephone conversations and your use of our services;
• from participating schools when it is necessary for us to have this information to fulfil the requirements of the competition; and
• from students and parents for the purposes of completing the competition
• Information collected by Masters Academy is only accessible to relevant staff members and protected by an appropriate permissions and privileges system.

We take all reasonable steps to protect the security of personal information. Our staff are required to protect the confidentiality of personal information and the privacy of individuals.

We also take reasonable steps to protect personal information held by us from misuse and loss and from unauthorised access, modification and disclosure. This includes restricting access to electronic records and the use of physical security for hard copy records.

When we no longer require your personal information, we will take reasonable steps to destroy it.

Why we collect, store, use and disclose personal information

In general, we collect, store, use and disclose personal information as is necessary:

• to conduct our affairs;
• to provide advice and assistance to schools, students and parents;
• to assist in the conduct of the competition;
• to promote debating;
• in relation to personal information of students for the purpose of providing feedback, certificates and trophies; and
• to comply with our legal obligations.
• To whom we disclose personal information

We may disclose personal information, including sensitive information to:

• schools;
• government departments and education authorities;
• courts, tribunals and regulatory authorities; and
• people who assist us in providing our services.
• Disclosure of information overseas

We may in limited circumstances, send personal information overseas, such as when we engage overseas schools, consultants or adjudicators to assist us in particular projects who need access to that information or where they are themselves, participants.

You may seek access to and correct your personal information by contacting our Competition Manager on +61 2 9136 2482. We will require you to verify your identity and specify what information you seek. We may refuse to provide your personal information if we believe this appropriate and such refusal is authorised under the Australian Privacy Principle.

According to the provisions of the Australian Privacy Act 1988, under certain circumstances, where personal information is concerned, data breaches must be reported to both affected individuals and the Office of the Australian Information Commissioner (OAIC), and may need to be reported to other relevant authorities including financial services providers, law enforcement bodies, professional associations and regulatory bodies.

All data breaches will be managed according to the CIRP, which contains a flowchart to assist with assessing data breaches. In addition, the steps detailed below should be taken with respect to applicable data breaches.

Such data breaches may occur as the result of malicious action, human error or a failure in information handling or security systems. In the case of any cyber security incidents where the following eligible data breaches occur:

• a device, or paper record, containing a person's personal information is lost or stolen
• a database containing personal information is accessed by malicious actors or persons not authorised to access the information
• personal information is mistakenly provided to the wrong person

The breach must be contained according to the provisions of the CIRP, assessed and reported if it is likely to cause harm to the person.

Such harm is defined as including the risk of financial fraud, identity theft, personal harm or intimidation and negative impacts to a person’s reputation. Suspected data breaches should be assessed to see if there is potential for harm to any individuals as a result of the breach and whether such potential harm can be remediated. If possible the lost information should be recovered before it can be accessed or changed.

The affected person or organisation must be consulted and included in decisions concerning the prevention of harmful consequences. If there are other possible steps that can be taken to make the possibility of serious harm no longer likely, then these should be undertaken and if the risk of harm is deemed to have been addressed, then there is no need to report the breach.

If serious harm cannot be prevented, then the breach should be reported to the OAIC.

Following such a breach, the incident will be reviewed as for any other cyber security incident according to the provisions of the CIRP. Information on data breaches, and the steps to take in response, is covered by Masters Academy training provided to all staff.

If you have any questions that are privacy-related or wish to complain about a breach of the Australian Privacy Principle or the handling of your information, you may also contact our Competition Manager. We may ask you to lodge your complaint in writing. Any complaint will be investigated by the Competition Manager and you will be notified of the making of a decision in relation to the complaint as soon as possible and in any event within 30 days.

If we are unable to satisfactorily resolve your concerns about our handling of your personal information, you can contact:

Australian Information Commission

GPO Box 5218

SYDNEY NSW 2001

This policy may be reviewed and revised from time to time to take into account changes in our practices and changes in legislative requirements.