1. About our Privacy Policy
Thanks for visiting our Privacy Policy (Policy), we are St Leo’s College (the College, we, our, us and other similar terms). We are committed to providing quality services to you and this Policy outlines our ongoing obligations in respect of how we manage your Personal Information.
When we talk about Personal Information, we mean information or an opinion about an identifiable individual (not a company) including prospective residents, current residents, alumni, job applicants, staff members, volunteers, contractors, service providers and any other individual who interacts with the College, whether or not that information or opinion is true or in a material form (Personal Information).
2. Disclaimer
While your privacy is important to us, nothing in this Policy constitutes a voluntary opt-in to any privacy laws, anywhere in the world, which we are not statutorily bound to comply with.
3. Collection of Personal Information
3.1 How the College collects Personal Information
We collect Personal Information in the ordinary course of our business, which is the provision of residential college accommodation and related services, including but not limited to academic support, scholarships, welfare and wellbeing programs, counselling, cultural and sporting activities, catering and social event services and community engagement initiatives. Personal Information is collected when you:
(a) apply for accommodation or related services;
(b) contact or correspond with us via email, telephone or via our website;
(c) complete and submit online or paper forms provided by us;
(d) enter our College premises;
(e) engage in face-to-face meetings and interviews with our staff;
(f) subscribe to our publications, newsletters, magazines or complete surveys;
(g) participate in programs, activities or events organised by us; or
(h) seek support in relation to our services.
Information will be collected directly from you unless you authorise another person, such as a parent or guardian, to provide the information.
We may also collect information from third parties who support a prospective or current resident’s application such as medical professionals or references from schools, the University of Queensland or other residential colleges.
3.2 What Personal Information is collected?
The types of Personal Information we collect include your name, address, telephone number, email, payment details, your social media details when you follow us on our social media platforms, images and/or videos captured during your visit to our College premises or events, CCTV footage and access logs, and any additional information you provide to us.
If you are a prospective or current resident, we also collect your date of birth, QTAC code, student number, personal interests, the personal information of your emergency contact, parent or guardian and your Medicare number and related health insurance details.
We only collect sensitive information by obtaining your consent to the collection and where it is reasonably necessary for the purposes of providing our services. Given the nature of our services, if you are a prospective or current resident of the College, this may include information about your health, illnesses/conditions, allergies, disabilities, medication, medical history, gender, biometric information, religious affiliation or other sensitive details.
Where you contact us on behalf of your employer, the information you provide often contains information about your employment, position and employers contact details. In those circumstances certain employment information is collected.
3.3 Employee Records exemption
According to section 7B (3) of the Privacy Act 1988 (Cth), the handling of employee records as defined in section 6(1) of the Privacy Act 1988 (Cth) (Employee Record) by an employer in relation to current or former employment relationships is exempt from the Australian Privacy Principles (APPs) where the employer’s act or practice is directly related to:
(a) either a current or former employment relationship between the employer and the individual; and
(b) an Employee Record held by the employer relating to the individual.
As a result, this Policy does not apply to the College’s treatment of Employee Records, where the treatment is directly related to a current or former employment relationship between the College and employee.
4. How the College uses Personal Information
4.1 Why we collect Personal Information
We collect your Personal Information for the primary purpose of providing accommodation and related services to residents. We may also use your Personal Information for secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use or disclosure.
Examples of when we may use your Personal Information include:
(a) informing you about our services;
(b) providing you with our services;
(c) improving and promoting our services and College facilities;
(d) curating publications and marketing material;
(e) organising and informing you about our academic, religious, sporting, cultural, fundraising and other social activities, programs, events or opportunities;
(f) managing the daily administration needs of the College including processing applications and payments, managing schedules, coordinating staff, handling resident records, overseeing College facilities and administering internal processes and policies;
(g) ensuring your safety, wellbeing and security;
(h) contacting parents or guardians in an emergency affecting a resident or, with the resident’s consent, regarding fee payments;
(i) seeking donations;
(j) if you are a job applicant, staff member or contractor, administering your employment or contractor agreement;
(k) dealing with requests, enquiries or complaints regarding our services; and
(l) carrying out any activity in connection with a legal, governmental or regulatory requirement imposed on us or in connection with legal proceedings, crime or fraud prevention, detection or prosecution.
4.2 Direct marketing
Where you provide us with consent to do so (e.g. if you have subscribed to our email lists or have indicated that you are interested in receiving information or services from us), we may send you marketing communications by email about relevant information or services that we feel may be of interest to you.
You can opt-out of such communications if you would prefer not to receive them in the future by using the “unsubscribe” facility provided in the communication itself.
4.3 Surveys or market research
We (or an appointed third party) may also conduct surveys or market research and may seek other information from you on a periodic basis. These surveys will provide us with information that allows improvement in the type, quality and the manner in which our services are offered to you. You can opt out of participating in such surveys or market research using the “unsubscribe” facility provided in the communication itself.
5. Cookies and browser analytics
5.1 What are cookies
Cookies are small text files that are placed on your computer by the websites you visit. They are processed and stored by your web browser. When you visit a website or engage with a business through social media, certain information is collected by cookies. This is generally anonymous information and it does not reveal your identity. In and of themselves, cookies are harmless and serve crucial functions. They are widely used in order to make websites work more efficiently and improve the user experience, as well as to provide information about the use of a website.
5.2 Why we use cookies
By storing and using information about your use of our website, including preferences and habits, we are able to make your visit to our website more productive. For example, some cookies remember your language or preferences so that you do not have to repeatedly make these choices.
5.3 We use the following types of cookies:
(a) Required cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that pass information from one web page to another and to use online forms.
(b) Analytical cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are able to find what they are looking for easily. We also use third party cookies, such as those provided via the Google Analytics service. The information passed back to such third party providers is anonymous.
(c) Marketing cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you and remember your preferences. These cookies also record your visit to our website, the pages you have visited and the links you have followed such as Youtube links. We may use this information to make our website and communications sent to you more relevant to your interests.
5.4 How can I remove cookies
Your web browser can choose whether or not to accept cookies. Most web browser software is initially set up to accept them. If you do not want your browser to use cookies, you can manage and control their use through your browser, including removing cookies by deleting them from your “browser history” (cache) when you leave the site. However, if you choose to reject cookies some parts of our website may not work properly.
6. Data retention and security
6.1 Security mechanisms we employ
Generally, we store your Personal Information using secure servers protected from unauthorised access, modification and disclosure. However, like most businesses, we hold some information on our staff’s computers (such as emails from you) and where necessary as hard copy files (such as printed invoices and resident records).
Subject to 7.2 (Offshore Transfers), our records and systems are located in Australia and are managed by us and our service providers. Personal Information that we store or transmit is protected by security and access controls, including locked storage of paper records, username and password authentication for computerised records, multi-factor authentication, and data encryption (such as SSL) where appropriate.
In our dealings with third party service providers, we take care to work with subcontractors and service providers who we believe maintain an acceptable standard of data security compliance.
6.2 How long we keep your Personal Information
We retain your Personal Information for as long as is necessary to provide our services to you, as required for our internal business operations, and to comply with our legal obligations.
If we hold Personal Information about you, and we do not need that information for any purpose, we will take reasonable steps to destroy or de-identify that information, in accordance with the APPs and the European Union General Data Protection Regulation (GDPR), unless we are prevented from doing so by law.
Under Australian law, financial records, such as those relating to financial transactions, must be retained for 5 years after the transactions associated with those records are completed.
If you no longer want us to use your Personal Information, you can request that we erase it. Where possible we will do so in accordance with the APPs and GDPR. However, where you request the erasure of your Personal Information we will retain information from deleted accounts as necessary for our legitimate business interests, to comply with the law, prevent fraud, collect fees, resolve disputes, troubleshoot problems, assist with investigations or requests by government, a court of law, or law enforcement authorities, enforce the terms of service and take other actions permitted by law. Any information we retain will be handled in accordance with this Policy.
7. Disclosure of your Personal Information
7.1 Who we share your Personal Information with?
Your Personal Information may be disclosed to:
(a) our employees, a related company and our professional advisers (lawyers, accountants, insurers, etc.);
(b) your parent or guardian, if you are a resident;
(c) emergency services, medical professionals, or next of kin, in case of emergencies;
(d) the university at which the resident is enrolled, in accordance with the regulations at that university;
(e) event organisers and third party vendors for college activities, functions, programs or events, where necessary;
(f) providers of specialist services to the College, including but not limited to photographers, academic tutors and sports coaches;
(g) regulators and government authorities in connection with our compliance procedures and obligations, including law enforcement agencies to assist in the investigation and prevention of criminal activities;
(h) a third party, in order to enforce or defend our rights, or to address financial or reputational risks;
(i) third party contractors, suppliers and service providers with whom we have a business association, including:
(i) administration service providers;
(ii) marketing service providers; and
(iii) information technology service providers, including cloud application providers.
We will not disclose your Personal Information other than in accordance with this Policy, without your consent.
7.2 Offshore transfers
We may transfer some of your Personal Information to third party contractors, service providers and suppliers with whom we have a business association. Our engagement of service providers, such as those who operate cloud services, may have international data centres and disaster recovery sites. Consequently, these providers may have access to your information offshore. We rely solely on reputable organisations for such cloud services.
8. Anonymity and use of pseudonyms
If you contact us with a general enquiry, we may interact with you anonymously or through the use of pseudonyms. However, you are required to provide true and accurate details when requesting the supply of goods or provision of services. You agree you will provide accurate information if we require it.
9. Access to Personal Information and corrections
We endeavour to only hold Personal Information that is accurate, complete and up-to-date. You have the right to make a request to access Personal Information which we hold about you and to request corrections of any errors in that data. To make an access or correction request, contact us using the contact details provided at the end of this Policy.
In order to protect your Personal Information, when you contact us, we may require identification from you before releasing the requested information or making the correction.
10. Additional rights for EU residents and citizens
For the purposes of the GDPR, we are a ‘data controller’ of Personal Information. If you’re a citizen or resident of the European Economic Area, the following rights apply to you.
You are entitled to ask us to port your Personal Information (i.e. to transfer in a structured, commonly used and machine-readable format, to you), to erase it, or restrict its processing. You also have rights to object to some processing that is based on our legitimate interests, such as profiling that we perform for the purposes of direct marketing, and, where we have asked for your consent to process your data, to withdraw this consent.
These rights are limited in some situations – for example, where we can demonstrate that we have a legal requirement to process your Personal Information. In some instances, this means that we may retain some data even if you withdraw your consent.
Where we require your Personal Information to comply with legal or contractual obligations, then provision of such data is mandatory and if you do not provide it then we will not be able to manage our contractual relationship with you, or to meet obligations placed on us. In those cases, you must provide us with your Personal Information, otherwise the provision of requested Personal Information is optional.
If you have unresolved concerns, you also have the right to complain to data protection authorities. The relevant data protection authority will be the data protection authority in the country:
(a) of your habitual residence;
(b) of your place of work; or
(c) in which you consider the alleged infringement has occurred.
11. Communications and privacy concerns
Your privacy is important to us. If you have any complaints, concerns or questions about our handling of your Personal Information, we ask that you first contact our business manager whose contact details are listed below. Your complaint must include sufficient details, together with supporting evidence. We will investigate your complaint and reply to you in writing if you provide us with contact details and request us to do so.
Email: business.manager@stleos.uq.edu.au
Telephone: 07 3878 0603
Post: College Road, St Lucia, QLD 4067
Online: https://www.stleos.uq.edu.au/contact-st-leos/
If, after we have conducted our investigations, you are still not satisfied, then we ask you to consult with the Office of the Australian Information Commissioner:
Email: enquiries@oaic.gov.au
Telephone: 1300 363 992 (from overseas +61 2 9284 9749)
Post: GPO Box 5218
Sydney NSW 2001
12. Variations to this Policy
We will need to change this Policy from time to time in order to make sure it stays up to date with the latest legal requirements and any changes to our privacy management practices.
A copy of the latest version of this Policy will always be available on this page.
This Policy was last updated on 21 February 2025.
