Purpose and scope:
The purpose of this policy is to outline the organisation’s requirements with respect to maintaining the privacy and confidentiality of employees, students and other stakeholders for whom records are held or private/confidential information is known.
This policy applies in particular to staff involved in the management and administration of employee and/or student records and, more broadly, to all employees and former employees of the organisation and to all VET practitioners and contractors engaged by the organisation in any capacity insofar as they may become aware of private or confidential information concerning any employee, student or other stakeholders of the organisation.
This policy is not restricted to the workplace or to work hours and applies to all private and confidential information, however, it may be collected or stored, whether electronically or in hard copy. The obligations contained within this policy extend to maintaining the privacy and confidentiality of individuals in perpetuity.
This policy should be read in conjunction with the following Commonwealth and State legislation:
- Standards for Registered Training Organisations (2015)
- Privacy Act (1988) incorporating Australian Privacy Principles (2014)
- Privacy Regulation (2013)
- Privacy and Personal Information Protection Act 1998 (NSW)
- Information Privacy Act 2009 (QLD)
- Right to Information Act 2009 (QLD
The organisation is required to collect information from employees and contractors in connection with the provision and maintenance of employment and to meet legislative requirements. Information is collected for purposes such as remuneration, confirmation of relevant qualifications and experience, performance appraisal, the conduct of mandatory checks and for purposes of administration and communication.
The organisation is required to collect information from students and industry stakeholders in connection with the provision of training and education services and to meet legislative requirements. Information is collected for purposes such as registration of enrolment, confirmation of identity and/or credentials, course administration, programme evaluation, the provision of support and subscription services (where permission is obtained) and for general correspondence.
In this context, the following types of information may be collected:
- personal information, such as an individual’s name, address, contact details, date of birth, nationality, family details and other information that may be regarded as personal under the Privacy Act;
- financial information, such as any bank or credit card details used to transact with us and other information that allows us to transact with the individual and/or provide them with our services;
- statistical information, such as information about an individual’s online preferences, course purchases, experiences and opinions of training and services received and other relevant statistical information;
- information an individual sends us.
The organisation may also use third party services to communicate with an individual, to facilitate transactions and/or to store personal information.
The organisation will ensure that only information that is relevant to its operations or to the meeting of its legal, regulatory or contractual obligations is collected and that the personal information it is required to hold is accurate, complete and up-to-date insofar as that may be possible. Subscription services are to be offered on an opt-in basis.
Information retention and security:
Personal information may be maintained in either hard copy or electronic form depending on the purpose for which it is kept. In either case, information will be retained only for as long as it remains relevant or until disposal is permitted under applicable legislation, regulation or training contract.
Some information, such as enrolment histories, may be regarded as perpetually relevant where this is likely to be advantageous to the individual or where evaluation and removal would be inappropriate and/or deleterious.
The organisation will take all reasonable precautions to protect the personal information it holds from unauthorised access, accidental disclosure, loss, modification or misuse and will ensure that such information is destroyed or de-identified when it is no longer required or securely archived where it must be retained.
The organisation will not be responsible for the privacy or security practices of any third party, including third parties that it is permitted to disclose an individual’s personal information to. The collection and use of an individual’s information by such third parties may be subject to the privacy and security policies of those parties. The organisation will not be liable for any loss, damage or claim arising out of the use of personal information by a third party where that information was provided in accordance with this policy and/or with applicable laws, regulations, training contracts or standard industry practices.
Disclosure of information:
Personal information collected by the organisation in relation to any individual will not be disclosed to third parties without their consent except in the following circumstances:
- where the organisation is legally or contractually obliged to do so
- where to do so is regarded as industry best practice by relevant authorities
- where written authorisation is supplied by the individual
- in the case of emergency, in which case information may be released to mitigate or prevent a serious and imminent threat to an individual’s health, safety or welfare or that of the public.
- where an individual becomes incompetent to manage his/her affairs, on the authority of a power of attorney or of a parent or legal guardian in the case of a minor.
Additionally, students using qualifications gained through the organisation to obtain credit on a course of study elsewhere will be deemed to have authorised the transmission of information verifying the claim provided that a formal written request is made by the RTO concerned.
Prior to enrolment in a course of study, prospective students must be made aware of, and consent to, the disclosure of their personal information where this likely to occur under relevant legislation, regulation, training contract or recommended practice. Forms used for this purpose must provide examples of the personal information that may be disclosed, to whom this information may be forwarded and the purposes for which it may be used.
Where the organisation must exercise judgement prior to the release of an individual’s personal information, such as during an emergency or when an individual is deemed incompetent to manage his/her affairs, then permission must first be sought and obtained from the Principal or Consumer Protection Officer unless to do so would cause unreasonable delay.
Access to records:
Individuals are entitled to access relevant personal records held by the organisation. This may include retained correspondence, competency evidence, completed forms or other relevant items provided that access is requested in writing, that the request is entirely appropriate, that proof of identity is supplied, that records are viewed under supervision, that the privacy of others is not compromised and that records are not altered or removed.
All persons with access to or involved in the processing of private or confidential information, either in connection with the organisation itself or with any of its employees, contractors, students or visitors, are responsible for protecting the integrity and confidentiality of that information in accordance with this policy and with relevant legislation.