PRISM Assessment

Privacy Policy

1. Overview

This Privacy Policy explains how {{ORG_NAME}} (operating as PRISM Assessment, a service of Beacon Star and St Andrew's Anglican College, Queensland) collects, uses, stores, and protects personal information when you or your child participates in the PRISM Assessment.

We are committed to protecting your privacy and complying with Australian Privacy Law, Queensland state law, US federal and state privacy laws, and European privacy regulations.

If you are under 18: Your parent or legal guardian must consent before you take the assessment. This policy applies to both you and your parent.

Our details:

  • Data Controller: {{ORG_NAME}}
  • Privacy Officer: {{PRIVACY_OFFICER_EMAIL}}
  • Postal Address: {{POSTAL_ADDRESS}}

2. What we collect

We collect only the information necessary to run the assessment, issue results, and comply with the law.

2.1 Information from your parent (or from you, if you are 18+)

  • First name (only), used to confirm the right child is taking the assessment.
  • Email address, to send results, respond to data requests, and verify consent.
  • Age band (under 13, 13–17, or 18+), to apply the correct legal rules and show age-appropriate content.
  • Typed name attestation: your parent signs the consent form with their full name to confirm they agree.
  • Date and timestamp of consent.
  • IP address hash (not the raw address), for security purposes only.
  • User-Agent hash (browser/device type, not identifiable), for security purposes only.
  • If parental verification is used: Phone number, used only to send a one-time verification code. We do not store the code or use the number for anything else.

2.2 Information you provide during the assessment

  • Your responses to the PRISM assessment items (roughly 40 multiple-choice leadership questions).
  • Your age band at the time you submit.
  • Timestamp of submission.
  • IP address hash and User-Agent hash (same as above).

What we do NOT collect

  • Your last name (unless you volunteer it).
  • Your date of birth (we only record age band).
  • Your school name or location (not required to run the assessment).
  • Video, audio, or camera data.
  • Location data beyond what IP hashes can infer.
  • Health, financial, or sensitive information.

3. Why we collect it

3.1 Legal basis under Australian Privacy Law

We collect and use your information to:

  1. Verify parental consent (if you are under 18). This is mandatory under the Privacy Act 1988 (Cth) and Qld Information Privacy Act 2009 before we can assess minors.
  2. Run the assessment. To present questions, record your answers, and compute your PRISM scores (Power, Risk, Identity, Speed, Messaging).
  3. Generate your results. To create your personalized PRISM profile, narrative summary, and PDF report.
  4. Send your results. To email results to your parent (and to you, if you are 13+ and opt in).
  5. Honour your rights. To respond to requests to access, correct, erase, or port your data within statutory timeframes.
  6. Protect the system. To detect and prevent fraud, abuse, or unauthorized access.
  7. Comply with law. To respond to lawful requests from regulators (e.g. OAIC, ICO), educational authorities, or courts.
  8. Audit and accountability. To keep a hash-chained audit log proving what happened and when, in case of dispute or breach.

We do not use your data for marketing, profiling, or automated decision-making that affects your legal rights.

3.2 Lawful basis under GDPR (if you are in the EU/UK)

If you are a student in the EU or UK, we rely on:

  • Explicit consent, from your parent if you are under 16 or from you if you are 16+; you can withdraw it at any time.
  • Legitimate interest (fraud prevention, system security).
  • Legal obligation (compliance with education law, child safeguarding obligations, data protection law itself).

4. How we store and protect it

4.1 Where it lives

All data is stored in Supabase Postgres, hosted in the Sydney region (ap-southeast-2), owned and operated by Supabase (a US company, but with Australian data residency). We have chosen Sydney residency specifically to avoid unnecessary cross-border transfer of assessment responses and consent records.

4.2 How it's protected

  • Encryption at rest: Database is encrypted at rest.
  • Encryption in transit: All data in motion uses TLS 1.2+.
  • Access control: Database uses Row Level Security (RLS). Only you, your parent, or authorized staff can see your data. The system never grants access to unauthorized users.
  • Audit log: Every read, write, or deletion is logged in a hash-chained append-only log. Tampering is detectable.
  • IP and User-Agent hashing: We store only SHA-256 hashes of IP addresses and browser identifiers, not the raw values. This prevents casual re-identification while preserving the ability to flag suspicious patterns.
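
As an added illustration of the two mechanisms above (example code, not part of the policy or of the PRISM system itself): a hash-chained, append-only audit log whose verify() reports the first edited, removed or reordered entry, and a keyed variant of the IP/User-Agent hash. The entry fields (actor, action, target, ts) and the pepper are assumptions; the keyed hash goes beyond what the policy states, since an unkeyed SHA-256 of an IPv4 address can be reversed by hashing the whole address space, so the secret pepper is what makes the stored value non-reversible.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first entry

@dataclass(frozen=True)
class Entry:
    seq: int         # position in the log
    actor: str       # who acted (staff id, parent link id, ...) - assumed field
    action: str      # read / write / delete
    target: str      # which record was touched - assumed field
    ts: str          # ISO-8601 timestamp
    prev_hash: str   # entry_hash of the previous entry
    entry_hash: str  # SHA-256 over this entry's fields and prev_hash

def _digest(seq, actor, action, target, ts, prev_hash):
    # Canonical JSON so identical fields always hash identically.
    payload = json.dumps([seq, actor, action, target, ts, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append(log, actor, action, target, ts):
    """Append an entry whose hash commits to the previous entry's hash."""
    prev = log[-1].entry_hash if log else GENESIS
    seq = len(log)
    log.append(Entry(seq, actor, action, target, ts, prev,
                     _digest(seq, actor, action, target, ts, prev)))
    return log

def verify(log):
    """Walk the chain from GENESIS; return (ok, index of first bad entry or -1).
    Editing, deleting or reordering any entry breaks that link and every later one."""
    expected_prev = GENESIS
    for i, e in enumerate(log):
        if e.seq != i or e.prev_hash != expected_prev:
            return False, i
        if _digest(e.seq, e.actor, e.action, e.target, e.ts, e.prev_hash) != e.entry_hash:
            return False, i
        expected_prev = e.entry_hash
    return True, -1

def hash_identifier(value, pepper):
    """Keyed SHA-256 (HMAC) of an IP address or User-Agent string.
    The pepper (assumed here) must live outside the database: an unkeyed hash of
    an IPv4 address can be reversed by hashing all ~4.3 billion addresses. Equal
    inputs still give equal hashes, so repeated suspicious activity stays linkable."""
    return hmac.new(pepper, value.encode(), hashlib.sha256).hexdigest()
```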

4.3 Third parties and contractors

Party              | Role                                          | Location            | Justification
-------------------|-----------------------------------------------|---------------------|--------------------------------------------------------------
Supabase           | Database hosting, authentication              | Sydney              | Contractually obliged; encrypted at rest; no secondary use
AWS SES            | Email delivery (transactional only)           | Sydney              | Contractually obliged; encrypted in transit; no secondary use
AWS SNS (optional) | SMS code delivery (parental verification only) | Sydney              | Contractually obliged; code is single-use, not stored
Cloudflare         | CDN, DNS, DDoS protection                     | Global with AU edge | Contractually obliged; no access to assessment data; only proxy

We do NOT use:

  • Google Sheets (data residency issue; replaced by Supabase).
  • Resend (US-based; replaced by AWS SES Sydney).
  • Any third-party analytics (Google Analytics, Mixpanel, etc.) that would link responses to cross-site profiles.
  • Any third-party AI or LLM services for processing responses.

5. How long we keep it

Different data is kept for different periods, balancing accountability with privacy:

Data                                                | Retention                                     | Reason
----------------------------------------------------|-----------------------------------------------|------------------------------------------------
Assessment responses + scores                       | 5 years (de-identified)                       | Research aggregate; legal hold
Identifiable fields (name, email)                   | 12 months (under-18); 24 months (adult)       | Balances child protection with minimization
Consent records (parental attestation, signed form) | As long as the assessment exists, then 7 years | Proof of consent; accountability
Audit log                                           | 7 years                                       | Accountability, breach investigation, compliance
Access keys (student links)                         | Expires after 30 days if not used; then purged | Single-use; not needed after student submits
IP/User-Agent hashes                                | Same as identifiable fields                   | Abuse detection, then purge

Automatic purge: On the 1st of each month, we automatically purge identifiable fields for all respondents whose retention window has elapsed. The data steward is notified.

Early deletion: You can ask us to delete your data anytime. We will comply within 30 days (or earlier if we can).

6. Cross-border transfer (international data sharing)

We are committed to keeping your data in Australia. However, some limited transfers may occur:

6.1 What stays in Australia

  • Assessment responses
  • Consent records
  • Parental attestations
  • All de-identified aggregate data

6.2 What may leave Australia

  • Support requests to Supabase: If we report a security issue to Supabase US, we may include anonymized logs (no personal identifiers). We assume this is necessary for system integrity.
  • Audit evidence to regulators: If a regulator in another country (e.g. ICO in the UK, FTC in the US) makes a lawful request, we may share evidence. This is a legal obligation, not a business choice.

We use Privacy Act Schedule 1 (APP 8.1) and GDPR Standard Contractual Clauses to document these transfers. Any transfer is disclosed in our Records of Processing Activities (available on request).

7. Your rights

7.1 Right to access

You have the right to ask us: "What personal information do you hold about me?"

We will provide a copy within 30 days (or sooner). If your request is complex, we will ask for clarification and update the timeline.

7.2 Right to correct

If any information is inaccurate (e.g. your email was spelled wrong), tell us and we will correct it.

7.3 Right to erase

You (or your parent, for you if under 18) can ask us to delete your data before the retention window ends. We will comply within 30 days, except where the law requires us to keep it (e.g. audit log for accountability).

7.4 Right to withdraw consent

You can withdraw parental consent, and we will stop processing your data and mark it for deletion. Existing results cannot be "un-sent," but no new processing will occur.

7.5 Right to data portability

You can ask for a copy of your data in a portable format (CSV, JSON). We will provide it within 30 days.

7.6 Right to object

You can object to processing for direct marketing, profiling, or automated decision-making. We do not do these, so this right is mostly moot, but you have it.

7.7 Parental rights (if you are under 18)

Your parent can exercise all of the above rights on your behalf. They can also:

  • Request to see your results (even after the assessment is complete).
  • Request to see the audit log of your session.
  • Request erasure of your identifiable data early (before the retention window ends).

8. Complaints

If you believe we have breached your privacy, you can complain to us first:

Email: {{PRIVACY_OFFICER_EMAIL}}
Write to: {{POSTAL_ADDRESS}}

We will respond within 30 days.

If we don't resolve it, you can escalate to:

8.1 Australia

Office of the Australian Information Commissioner (OAIC)
Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Website: oaic.gov.au

8.2 USA (if applicable)

If you are a US resident:

  • Federal Trade Commission (FTC): For COPPA concerns (under-13). ftccomplaintassistant.gov
  • State Attorney General: Some US states (California, Colorado, Connecticut, etc.) have their own privacy offices.

If education records are involved, you may also contact the US Department of Education, Office of Family Policy Compliance (FERPA matters).

8.3 EU/UK (if applicable)

If you are in the EU or UK:

9. Changes to this policy

We may update this Privacy Policy to reflect changes in the law or our practices. We will notify you by email if there are material changes (e.g. a new third party, a longer retention period).

Current version: {{POLICY_VERSION}}
Last updated: {{POLICY_DATE}}

10. Contact us

Privacy Officer: {{PRIVACY_OFFICER_EMAIL}}
Postal Address: {{POSTAL_ADDRESS}}
Website: assessment.beacon-star.com

This Privacy Policy is a DRAFT FOR LEGAL REVIEW; do not deploy without qualified legal sign-off.