Privacy Policy

Last updated: 15th April 2020

Introduction & Scope:

It’s important to us that we explain how we collect, store, and handle Personal Information provided by you and our policies around keeping your data safe. You can read the whole policy below, you can jump to the section you need, or you can download a PDF copy.

We may need to update this policy from time to time. Where a change is significant, we’ll make sure we let you know—usually by sending you an email.

Purpose of the Policy

As an Australian Company, we are committed to complying with the Australian Privacy Act 1988 and its associated regulations, principles, and amendments. By using our website, resources, or services, or contacting us, you acknowledge that you understand and agree to the terms and conditions of this Privacy Policy.

Who are ‘we’?

This privacy policy is enacted by Orchard Downs Pty. Ltd. trading as School Research Evaluation & Measurement Services (SREAMS). When we say SPAplatform, we, our, or us, we’re talking about our organisation, SREAMS, who produce three software modules (SPAstandard, SPAtracker, & SPAmarkbook). Our Service may refer to the SPAplatform Service or auxiliary services SREAMS provide such as Professional Development, technical support, and research services.


You, Your school, and your students

When we say you or your, we mean both you and any school, office, or department you’re authorised to represent. When we say students, we mean one or more students whom you have chosen to enter data for within our SPAplatform services.

What is the purpose of our software services?

SPAplatform is an online Service which allows schools to store, record, and analyse student assessment data (both formative and standardised testing results). The analysis of the data allows schools to track, monitor, and build profiles of progression on both individual students and/or cohorts of students at a class or whole school level.

The software delivers the following benefits:

  • Instant research based statistical analysis of student performance
  • Enables school staff to track and monitor the effectiveness of teaching programs
  • Supports teachers in academic reporting, curriculum planning, and the development of individualised and class planning
  • Enables staff and leadership to monitor staff performance
  • Helps allocate school resources based on what the data suggests are high priorities

SREAMS: What services do we provide?

School Research Evaluation & Measurement Services provides a number of services, including the following:

  • Professional Development opportunities to both schools and universities
  • Research and contact projects for education departments, offices, authorities, and bodies
  • Data measurement services for schools, education departments, offices, authorities, and bodies
  • Providing the development and management of the SPAplatform

Who should be given access to the SPAplatform?

It is up to the SPAplatform subscriber to choose who is authorised to access the SPAplatform service. Usually our advice to subscribers is that a combination of principals, assistant principals, the leadership team, and data coordinators may have access to upload, download, delete, and view data within the service. Teachers will usually only be able to view data within the service. Students and parents should not be provided with a login to the service. Occasionally they will be able to view an individual student data set only while in the physical company of an authorised staff member for private discussion of their/their child’s performance.

Who does this Privacy Policy apply to?

This Privacy policy applies to:

  • subscribers of the SPAplatform Service and your employees who are users of the SPAplatform service
  • your students, whom you will be collecting and storing data about within our SPAplatform software
  • potential subscribers to our services
  • attendees of our professional development workshops
  • participants and schools involved in research studies conducted by SREAMS

Collection, Use, and Disclosure of Data:

    The purpose for which we collect Personal Information is to provide you with the best Service experience possible and for our internal business purposes that form part of normal business practices. Some provision of Personal Information is optional. However, if you do not provide us with certain types of Personal Information, you may be unable to enjoy the full functionality of the Service.

    If you’re someone who doesn’t have a relationship with us, but believe that a SPAplatform subscriber or user has entered your personal data into our websites or services, you’ll need to contact that SPAplatform subscriber for any questions you have about your personal data (including where you want to access, correct, amend, or request that the user delete your personal data).

    What information do we collect?

    In most cases, Personal Information we collect may include, but is not limited to, your email address, name, phone number, postal address, work premises or organisation, job title, and in some instances, dietary requirements (for catering purposes).

    Log Data

    We collect information that your browser sends whenever you visit our Service ("Log Data"). This Log Data may include information such as your computer's Internet Protocol ("IP") address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages, and other statistics.

    Targeted advertising

    We occasionally use marketing services to advertise on third-party sites to you. We, and these third-party vendors, use cookies to inform, optimize, and serve ads based on your past visits to our Service or interests. Some services (such as Google) enable you to opt-out of advertising analytics for displayed advertising and customize the displayed network ads by visiting their settings page.

    Research & Consultancy Services Projects

    When engaged in a research & consultancy services project, we will notify the organisers and the participants of other Personal Information and more general information we intend to collect at the beginning of the project.

    Data schools may store on their students within the SPAplatform

    Personal Information

    Essential Information

    (For effective use of the software service)

    • First Name
    • Last Name
    • Student’s Year Level
    • Unique Identifiers

    Optional Information

    (Some of which is often considered highly beneficial to data analysis by the school)

    • Middle Name
    • Preferred Name
    • Classes assigned to the student
    • Other ‘tags’ of interest for analysis (E.g. school campus, learning support provided)

    Sensitive Information

    Essential Information

    (For effective use of the software service)

    • Gender (M, F, Undisclosed)
    • Birthdate

    Optional Information

    (Some of which is often considered highly beneficial to data analysis by the school)

    • Funded Disability
    • English as Another Language status
    • Student photo

    Assessment Data

    Optional Information

    (Some of which is often considered highly beneficial to data analysis by the school)

    • VCAA NAPLAN Data
    • Other standardised test results
    • Formative assessment results and observations

    Our use of cookies

    Cookies are files containing a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and are stored on your computer's hard drive.

    We (or a third party providing services to us) use "cookies" to collect information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service. If you are not sure whether your browser has the capability to refuse/acknowledge when a cookie is being sent, you should check with the software manufacturer, your company's technology help desk, or your internet service provider.

    We send a session cookie to your computer when you log in to your SPAplatform account. This type of cookie allows you to visit multiple pages on the platform during a single session without needing to re-enter your password on each page. Once you log out or close your browser, this cookie expires.

    We also use longer-lasting cookies for other purposes such as to display your content and account information. Only we have access to the information stored in these cookies. Users always have the option of disabling cookies via their browser preferences. If you disable cookies on your browser, please note that some parts of the Service may not function as effectively or may be considerably slower.

    Why do we collect this data?

    First and foremost, we use your personal data to operate our websites and provide you with any services you’ve requested and to manage our relationship with you. We also use your personal data for other purposes, which may include the following:

    To communicate with you. This may include:

    • providing you with information you’ve requested from us (like training or education materials) or information we are required to send to you
    • operational communications, like changes to our websites and services, security updates, or assistance with using our websites and services
    • marketing communications (about our services or other products or services we think you might be interested in)
    • asking you for feedback or to take part in any research we are conducting (which we may engage a third party to assist with).

    To support you: This may include assisting with the resolution of technical support issues or other issues relating to the websites or services, whether by email, phone, in person, or otherwise.

    To enhance our websites and services and develop new ones: For example, by tracking and monitoring your use of websites and services so we can keep improving, or by carrying out technical analysis of our websites and services so that we can optimise your user experience and provide you with more efficient tools.

    To protect: So that we can detect and prevent any fraudulent or malicious activity and make sure that everyone is using our websites and services fairly and in accordance with our terms of use.

    To market to you: In addition to sending you marketing communications, we may also use your personal data to display targeted advertising to you online—through our own websites and services or through third-party websites and their platforms.

    How do we collect your data?

    When you visit our websites or engage our services, we collect personal data. The ways we collect it can be broadly categorised into the following:

    Information you provide to us directly: When you visit or use some parts of our websites and/or services, we might ask you to provide personal data to us.

    Information we collect automatically: We collect some information about you automatically when you visit our websites or use our services, like your IP address and device type. We also collect information when you navigate through our websites and services, including what pages you looked at and what links you clicked on.

    Information we get from third parties: Occasionally, we might collect personal data about you from other sources, such as publicly available materials or from trusted third parties like our marketing and research partners.

    When will we share your data?

    There will be times when we need to share your personal data. We may disclose your personal data to:

    • Our employees responsible for maintaining our Service or providing technical support to you
    • third-party service providers and partners who assist and enable us to support delivery of or provide functionality on the website or services, including without limitation: web hosting providers, IT systems, and network administrators
    • third-party service providers who assist and enable us to manage our business including without limitation: professional development booking services, marketing services such as mail houses or email campaign companies, debt collectors and professional advisors such as solicitors, business advisors, and consultants
    • regulators, law enforcement bodies, government agencies, courts, or other third parties where we think it’s necessary to comply with applicable laws or regulations, or to exercise, establish, or defend our legal rights. Where possible and appropriate, we will notify you of this type of disclosure
    • an actual or potential buyer (and its agents and advisors) in connection with an actual or proposed purchase, merger, or acquisition of any part of our business
    • other people where we have your consent.

    Data storage & data transfers (international data transfers)

    Please note, when storing student data you upload to our services, we will only ever use data hosting server providers who locate their servers within Australia. When we store student data on our servers, it may be transferred to and processed in states (or countries, if your school is outside of Australia) other than where you live. Our data hosting provider’s servers are currently located in NSW, Australia.

    Please be aware, in some circumstances third-party providers we use to manage our business relationship with you may have servers located outside Australia. Examples of such services are: providers of professional development booking services, marketing services such as mail houses or email campaign companies, debt collectors and professional advisors such as solicitors, business advisors and consultants. No student data is provided to these types of third-party providers.

    Business Transaction

    In the event that we sell or buy businesses or their assets, or engage in transfers, acquisitions, mergers, restructurings, changes of control, and other similar transactions, customer or user information is generally one of the transferable business assets. Thus, your Personal Information may be subject to such a transfer. In the unlikely event of insolvency, Personal Information may be transferred to a trustee or debtor in possession and then to a subsequent purchaser.

    Compliance with laws

    We may disclose Personal Information in special situations where we have reason to believe that doing so is necessary to identify, contact, or bring legal action against anyone damaging, injuring, or interfering (intentionally or unintentionally) with our rights or property, users, or anyone else who could be harmed by such activities. We will disclose your Personal Information where required to do so by law or subpoena, or if we believe that such action is necessary to comply with the law and the reasonable requests of law enforcement, or to protect the security or integrity of our Service.

    Data Security:

    How we keep your data secure

    Security is a priority for us when it comes to your personal data. We’re committed to protecting your personal data from misuse, loss, unauthorised access, or modification and have appropriate technical and organisational measures in place to make sure that happens. But remember that no method of transmission over the Internet and no method of electronic storage is 100% secure.

    For more information about security, check out our security measure practices here.

    How long do we hold your data?

    The length of time we keep your personal data depends on what it is and whether we have an ongoing business need to retain it (for example, to provide you with a Service you’ve requested or to comply with applicable legal requirements). We’ll retain your personal data for as long as we have a relationship with you and for a period of time afterwards where we have an ongoing business need to retain it, in accordance with our security measure practices here. Following that period, we’ll make sure it’s deleted or anonymised.

    Links to other sites

    Our Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit. We have no control over, and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

    Notifiable data breaches

    A data breach is when Personal Information is accessed or disclosed without authorisation or is lost. The Privacy Act 1988 states that we must take action when we become aware of a data breach.

    Within thirty (30) days of becoming aware of a data breach, we will take the following actions:

    • Contain (where possible) the data breach to prevent any further compromise of Personal Information and take remedial action to limit the impact of the breach.
    • Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
    • If remedial action is successful in making serious harm no longer likely, then no notification or statement will be made. However, if we have reasonable grounds to believe serious harm is likely, as soon as practicable we will notify you (and the Commissioner if required). Our notification will provide a statement to each of the individuals whose data was breached or who are at risk.

    • Review the incident and consider what actions can be taken to prevent future breaches.

    Your rights:

    How to access & correct data

    You have certain rights relating to your personal data. When it comes to marketing communications, you can ask us not to send you these at any time—just follow the unsubscribe instructions contained in the marketing communication, or make your request to

    Australian Privacy Principle 6 of the Privacy Act 1988 states you have the right to:

    • know what personal data we hold about you and to make sure it’s correct and up to date
    • request a copy of your personal data or ask us to restrict processing your personal data or delete it
    • object to our continued processing of your personal data

    You can exercise these rights at any time by making a request to

      If you’re not happy with how we are processing your personal data, please let us know by getting in touch. We will review and investigate your complaint and try to get back to you within a reasonable time frame. You can also complain to your local data protection authority. They will be able to advise you how to submit a complaint.

      Please note that the access and correction requirements under this Privacy Policy operate alongside and do not replace other informal or legal procedures by which an individual can be provided access to, or correction of, their Personal Information, including the requirements under the Freedom of Information Act 1982.

      Students/parents who wish to discuss what data is stored on them/their child within the SPAplatform Service must contact their school principal. It is up to the school to negotiate with parents how/what student data is stored in our service. In most cases, it is up to the school to access, correct, amend, or request data be deleted, as well as arrange to produce copies of student data held within the SPAplatform service.


      In most cases, due to the nature of our services, it will generally be inappropriate for you to use a pseudonym when dealing with us. For our services which require an account, or the ability to contact you directly, you may not use a pseudonym.

      In cases where we are engaging in online web conferencing or research, it may be possible to use a pseudonym when dealing with us.

      We may not be in a position to provide you with our services if we are unable to collect, use, and disclose your Personal Information in accordance with the terms and conditions of this privacy policy.


      We’re always keen to hear from you. If you’re curious about what personal data we hold about you or you have a question or feedback for us on this notice, our websites, or services, please get in touch.

      How to contact us

      You can contact us via our Website and our Contact page 'Contact Us'

      Australian Privacy Principle 1 of the Privacy Act 1988 allows you to make a complaint about any alleged breaches of privacy. In order to lodge a complaint with us, please contact us using the details above with the following information:

      • Your name and address;
      • Details of the alleged breach of privacy; and
      • URL link to the alleged breach of privacy (if applicable).

      Please allow us 30 days to investigate your complaint, after which we will contact you immediately to resolve the issue.

        Further assistance

        If we do not resolve your enquiry, concern, or complaint to your satisfaction, or you require more information or assistance in relation to any privacy matter, please contact the Office of the Australian Information Commissioner at:

        Telephone: 1300 363 992
        Email:
        Office Address: Level 3, 175 Pitt Street, Sydney NSW 2000
        Postal Address: GPO Box 5218, Sydney NSW 2001
        Website: