Section 1 – Purpose

(1)This policy affirms ECC Dubai’s commitment to privacy and its approach to the responsible handling of personal, sensitive and health information in all its forms, consistent with relevant legislation.

Section 2 – Overview

(2)ECC Dubai values the privacy of every individual and is committed to the responsible handling of personal, sensitive, and health information in accordance with relevant privacy laws.

(3)As a Center, ECC Dubai’s privacy obligations are primarily governed by the Privacy and Data Protection Act 2014 and the Health Records Act 2001. ECC Dubai or its controlled entities may be required to comply with other privacy regulations in other jurisdictions to the extent they apply to its activities, including the Privacy Act 1988, and the European Union General Data Protection (GDPR).

(4)This policy outlines:

the principles that direct privacy management at ECC Dubai, and
the responsibilities of ECC Dubai, its staff, students, researchers, and affiliates when handling personal, sensitive and health information (collectively referred to as personal information) on behalf of ECC Dubai across all its locations.

Section 3 – Scope

(5)Throughout this policy and its associated procedures, ECC Dubai means the Educational Coaching Center FZLLC. The Educational Coaching Center FZLLC is defined as ECC Dubai Center and its controlled entities

(6)This policy applies to all staff, students, researchers, and any individuals who collect, manage or handle personal information on behalf of the ECC Dubai, including service providers.

(7)This policy applies to the handling of personal information, regardless of how it is collected, processed, or stored (or whether it is hardcopy, electronic, or by verbal means).

Section 4 – Policy

Principles
(8)ECC Dubai values the privacy of individuals and will foster a positive and respectful privacy culture that builds trust with staff, students, and individuals with whom it interacts.

(9)ECC Dubai will apply and adhere to the Information Privacy Principles under the Privacy and Data Protection Act 2014 (Vic), the Health Privacy Principles under the Health Records Act 2001 (Vic), and any other relevant laws as they apply to the entities, functions and activities of the ECC Dubai.

(10)ECC Dubai adopts a privacy by design approach and aims to proactively embed privacy requirements into its systems, processes and practices.

(11)ECC Dubai prescribes its approach to responsible and transparent handling of personal information across the ECC Dubai in an accessible ECC Dubai Privacy Statement.

(12)ECC Dubai ensures those covered by the scope of this policy are made aware of their responsibilities and will provide appropriate information and compliance training opportunities.

Responsibilities

(13)Privacy is everyone’s responsibility. All individuals who handle personal information for or on behalf of ECC Dubai have a responsibility to:
comply with the requirements of this policy, the procedures and resources under this policy, the Information Governance Policy and the Information Technology and Security Policy
ensure that personal information in their control is protected against loss, unauthorised access, use, modification or disclosure, or any other misuse
notify the Privacy Office of actual or suspected privacy breaches in accordance with the Privacy Breach Management Procedure.

(14)Managers and supervisors are responsible for ensuring all staff within their team handle personal information in accordance with this policy and the procedures and resources under this policy.

(15)In addition to the responsibilities set out in section 14, Heads of Department/Heads of School are responsible for:
overseeing and being accountable for the management of personal information within their respective portfolio/area
appointing Privacy Champions to perform the responsibilities outlined in section 16 of this policy implementing and monitoring corrective and/or preventative actions recommended by the Chief Privacy Officer in relation to a privacy breach or complaint.

(16)Privacy Champions appointed under section 15b are responsible for:
ensuring that privacy procedures implemented to support this policy are applied in the management of personal information within their respective portfolio/area
implementing effective local procedures to ensure that personal information held is managed in accordance with this policy
ensuring that any person who has access to personal information held within their area understand their responsibilities in regard to such information
assisting and supporting the investigation of privacy complaints and/or breaches
promoting a culture of privacy that values and protects personal information
providing a point of contact for the Privacy Office and assisting with the cascading of privacy communications to staff within their respective portfolio/area.

(17)The Privacy Office is responsible for:
developing and maintaining the privacy management framework to enable communication and implementation of applicable privacy requirements
developing procedures, guidelines, training, and other supporting materials to support this policy and awareness of obligations imposed by applicable privacy laws
providing advice and leadership to Privacy Champions and other internal stakeholders on the obligations imposed by applicable privacy laws across the ECC Dubai
reviewing and advising on privacy impact assessments
investigating and responding to privacy breaches, incidents and complaints
issuing and maintaining the ECC Dubai Privacy Statement and core collection statements
providing a central contact point for and on behalf of the ECC Dubai for privacy related matters.

(18)The Executive Director, Governance, Legal and Strategic Operations is responsible for making determinations on external reporting on the recommendation of the Associate Director, Privacy in the event of a privacy breach.

(19)The Chief Data and Analytics Officer is responsible for overseeing information governance at ECC Dubai to ensure effectiveness and fit for purpose.

(20)The Chief Information Security Officer oversees information security controls and responses to enable ECC Dubai to deliver effective protection of personal information held by ECC Dubai consistent with privacy management obligations.

Compliance

(21)The Associate Director, Privacy monitors compliance with this policy and reports on complaints and breaches of this policy to internal governance bodies and external agencies, as required.

(22)This policy, as well as procedures under this policy, include consideration of compliance requirements from the following legislation:
Privacy and Data Protection Act 2014 (Vic)
Health Records Act 2001 (Vic)
Privacy Act 1988 (Cth)
General Data Protection Regulation (EU)
Decree No. 13/2023/ND-CP on Persona Data Protection (VN)
Freedom of Information Act 1973 (Vic)
Public Records Act 1973 (Vic).

Section 5 – Procedures and Resources

(23)Refer to the following documents, which are established in accordance with this policy:
Privacy Procedure
Privacy Breach Management Procedure
ECC Dubai Privacy Statement
Staff Privacy Statement
Student Privacy Statement
Recruitment Privacy Statement