RollCall

DPA — Australia

Last Updated: March 2026
Back to Data Processing Agreement

1. Applicability

This Australia-specific addendum supplements the global Data Processing Agreement and applies where the Controller is an Australian educational institution or where Personal Data of Australian residents is processed. This addendum addresses obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

2. Australian Privacy Principles Compliance

RollCall commits to processing Personal Data in accordance with the Australian Privacy Principles, including:

  • APP 1 (Open and transparent management): Maintaining a clearly expressed and up-to-date privacy policy
  • APP 3 (Collection): Collecting only Personal Data that is reasonably necessary for our functions
  • APP 6 (Use or disclosure): Using Personal Data only for the primary purpose of collection or a related secondary purpose
  • APP 8 (Cross-border disclosure): Ensuring overseas recipients comply with the APPs
  • APP 11 (Security): Taking reasonable steps to protect Personal Data from misuse, interference, and loss

3. Notifiable Data Breaches Scheme

RollCall will assist the Controller in complying with Part IIIC of the Privacy Act 1988 (Notifiable Data Breaches scheme). Where RollCall becomes aware of a data breach that is likely to result in serious harm to affected individuals, RollCall shall:

  • Notify the Controller within 72 hours of becoming aware of the breach
  • Provide sufficient information for the Controller to assess whether notification to the Office of the Australian Information Commissioner (OAIC) is required
  • Assist the Controller in preparing notifications to the OAIC and affected individuals
  • Take immediate steps to contain the breach and mitigate harm

4. Data Storage Location

Personal Data of Australian data subjects is stored in the AWS Asia Pacific (Sydney) region (ap-southeast-2). RollCall does not transfer Australian Personal Data outside of Australia except as specifically authorised by the Controller or as necessary for the operation of sub-processors listed in the global DPA, in compliance with APP 8.

5. Children's Data

RollCall acknowledges the heightened sensitivity of children's data under Australian law. We implement additional safeguards including:

  • Strict access controls limiting who can view student information
  • No use of student data for marketing, profiling, or commercial purposes
  • Immediate deletion of student records upon school request or service termination
  • Compliance with state and territory education department requirements

6. State and Territory Requirements

RollCall is aware that Australian states and territories may have additional privacy and data handling requirements for educational institutions. We work with individual schools to ensure compliance with jurisdiction-specific requirements, including but not limited to:

  • Victorian Government information security requirements
  • NSW Department of Education data governance frameworks
  • Queensland Government Information Security Classification Framework (QGISCF)

7. Governing Law

This addendum is governed by the laws of the State of Victoria, Australia. The parties submit to the exclusive jurisdiction of the courts of Victoria for any disputes arising under this addendum.

8. Contact

For enquiries regarding this DPA addendum, contact the RollCall Privacy Officer:

Email: privacy@rollcall.com.au
Phone: 1300 821 116
Address: 1/146-148 Thistlethwaite Street, South Melbourne VIC 3205, Australia