Purpose

The purpose of this policy and procedure is to ensure that RTO is committed to managing personal information in an open and understandable way. This policy and procedure provide guidance on how RTO adheres to the requirements of the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

Objectives

The objective of this policy and procedure is to ensure that RTO;

Comply with all work practices as per the 13 Australian Privacy Principles (APPs) (previously the National Privacy Principles (NPPs) and Privacy Act 1988 (Commonwealth)
Ensures that information collected from students and staff is managed and kept confidentially
Information is used for its intended purpose and not provided to third parties except with the provider’s authorization or as required by law or the regulator

Scope

This policy and procedure is applicable on the following stakeholders:

RTO Staff
RTO Students

Terms and definitions

Personal Information refers to any information provided in writing or verbally that is provided with the expectation that by giving that information it will be handled confidentially.

RTO complies with the Information Privacy Principles set out in the Privacy Act 1988 in relation to the collection of information relating to all students.

RTO will allow a student to apply for and receive a copy of the VET personal information that the provider holds in relation to that student.

Privacy Act 1988 is an Australian law dealing with privacy. Section 14 of the Act stipulates a number of privacy rights known as the Information Privacy Principles (IPPs).

Registered provider is a registered training organisation (RTO)

General Processes

As a component of our risk management practices, RTO has conducted a Privacy Impact Assessment for all operations. Mitigation actions from this risk assessment have been implemented for the management of privacy risks at each stage of the information lifecycle, including collection, use, disclosure, storage, destruction and de-identification.

Australian Privacy Principle 1 – Open and transparent management of personal information

Purposes of information collection, retention, use and disclosure.

RTO maintains a record of personal data from all individuals who engage in any form of business activity. RTO must acquire, preserve, use and disclose information from our clients and stakeholders for a series of purposes, including but not limited to:

Presenting services to clients
Managing employee and contractor teams
Promoting products and services
Conducting internal business tasks and functions
Requirements of stakeholders

RTO is required to acquire, preserve, use and disclose a comprehensive scope of personal and sensitive information on engaged individuals in nationally recognised training programs. This information requirement is summarised in the National Vocational Education and Training Regulator Act 2011 and associated legislative instruments.The legislative instruments;

Standards for Registered Training Organisations 2015 and
Data Provision Requirements 2012.

It is recognised that RTO is also bound by several State Government Acts involving similar information collection, use and disclosure (particularly Education Act(s), Vocational Education & Training Act(s) and Traineeship and Apprenticeships Act(s) relevant to state jurisdictions of RTO operations).

It is further noted that, aligned with these legislative requirements, which also incorporate several information collection and disclosure requirements. Individuals are informed that due to these legal requirements, RTO discloses information stored on individuals for valid purposes to a series of entities including;

Governments (Commonwealth, State or Local)
Australian Apprenticeship Support Network
Employers (and their representatives), Employment Service Providers, Schools, Guardians
Service providers such as credit agencies and background check providers

Types of personal information collected and held

The following types of personal information are commonly collected, depending on the need for service delivery:

Contact details
Employment details
Educational background
Demographic Information
Course progress and achievement information;
Tax file number in keeping with the TFN guideline
Financial billing information

The following types of confidential information may also be collected and held:

Identity details and documentation
Employee details and HR information
Complaint or issue information
Disability status and other individual needs
Indigenous disclosure
Background checks (such as National Criminal Checks or Working with Children checks).

Where RTO obtains personal data of a more vulnerablesection of the community (for example, children), additional practices and procedures are also adhered to. Please refer to RTO’s Working with Children Policy and Procedures for more information.

How personal information is collected

RTO’s common approach to collecting personal information is to gather any necessary information directly from the individuals involved. This may incorporate the use of forms (such as registration forms, enrolment forms or service delivery records) and the use of web-based systems (such as online enquiry forms, web portals or internal operating systems).

RTO does receive solicited and unsolicited information from third party sources in commencing service delivery activities. This may include information from such entities as;

Governments (Commonwealth, State or Local)
Australian Apprenticeship Support Network
Employers (and their representatives), Employment Service Providers, Schools, Guardian
Service providers such as credit agencies and background check providers

How personal information is held

RTO’s standard approach to retaining personal information involves reliable storage and security measures. Information on collection is:

As soon as practical converted to electronic means;
Saved in secure, password protected systems, such as financial system, learning management system and student management system; and
Examined for appropriate authorised use.

Only authorised personnel are granted with login information to each system, with system access restricted to only those related to their specialised role. RTO ICT systems are accommodated internally with rigid internal security to physical server locations and server systems access. Virus protection, backup procedures and ongoing access monitoring systems are in place.

Destroying paper-based records occurs when practicable in every manner, utilising secure shredding and destruction services across all RTO sites.

Individual information maintained across systems is linked through an RTO allocated identification number.

Retention and Destruction of Information

RTO preserves a Retention and Disposal Schedule documenting the periods for which personal data records are preserved.

Specifically, for RTO records, in the occurrence of the organisation ceasing to operate the mandatory personal information on record for individuals engaging in nationally recognised training will be transferred to the Australian Skills Quality Authority, as mandated by law.

RTO cooperates with the VET regulator in the retention, archiving, retrieval and transfer of records.

Accessing and seeking correction of personal information

RTO establishes all individuals have a right to seek access to their personal information stored and to request its amendment at any time. To request access to personal records, individuals are to contact the CEO.

Many third parties, excluding the individual, may request access to an individual’s personal information. Such third parties may consist of employers, parents or guardians, schools, Australian Apprenticeships Centres, Governments (Commonwealth, State or Local) and other stakeholders.

In all cases where access is requested, RTO will confirm that:

Parties requesting access to personal information are identified and evaluated;
Where legally feasible, the individual (whom the information relates to) will be contacted to provide consent (if consent not previously provided for the matter); and
Only appropriately authorised parties, for lawful purposes, will be granted access to the information.
Complaints about a violation of the APPs or a binding registered APP code

If a partysuspects that RTO may have violated one of the APPs or a binding registered APP he/ she may refer to Privacy Complaints Procedure below for additional information.

Making our APP Privacy Policy available

RTO offers our APP Privacy Policy available free of charge, with all information being publicly available from the Privacy link on our website at www.rto.edu.au/. This website information is composedto be available as per web publishing accessibility guidelines, to guarantee access is available to individuals with special needs.

In addition, this APP Privacy Policy is:

Noticeably displayed at each RTO’s site;
Included within our Student Handbook;
Recognised within the text or instructions at all information collection details (such as informing individuals during a telephone call of how the policy may be accessed, in cases where information collection is occurring); and
Available for distribution free of charge on request, as soon as possible after the request is received, including in any format requested by the individual as is reasonably practicable.

If, in the unlikely event the APP Privacy Policy is not able to be supplied in a format requested by an individual, we will clarify the circumstances around this issue with the requester and seek to make sure that an alternative appropriate approach is offered.

Review and Update of this APP Privacy Policy

RTO revises this APP Privacy Policy:

On an ongoing basis, as suggestions or issues are introduced and addressed, or as government required changes are identified;
Through the conduct of internal audit processes and the monitoring of operationson minimum a yearly basis;
As a part of any external audit of our operations that may be conducted by various government agencies as a part of our registration as an RTO or in normal business activities; and
As a component of each complaint investigation process where the complaint is related to a privacy matter.

Where this policy is revised, changes to the policy are broadly communicated to stakeholders via internal communications, meetings, training and documentation, and externally through publishing of the policy on RTO’s website and other related documentation (such as our Student Handbook) for clients.

Australian Privacy Principle 2 – Anonymity and pseudonym

RTO presents individuals with the option of not naming themselves, or of using a pseudonym, when dealing with RTO in relation to a matter, where practical. This involves providing alternatives for anonymous dealings in cases of general course enquiries or other situations in which an individual’s’ information is not compulsory to carry out a request.

Individuals may communicate with us by using a name, phrase or descriptor that is different to the individual’s real name where possible. This includes using nonspecific email address that does not contain an individual’s real name, or generic user names when individuals may access a public component of our website or enquiry forms.

RTO only collects and links pseudonyms to individual personal information in cases where this is needed for service delivery (such as system login information) or once the individual’s consent has been obtained.

Individuals are informed of their opportunity to deal anonymously or by pseudonym with us where these alternatives are feasible.

Requiring identification

RTO call for and confirm identification however in-service delivery to individuals for nationally recognised course programs. We are permitted under Australian law to deal only with people who have correctlyidentified themselves. That is, it is a Condition of Registration for all RTOs under the National Vocational Education and Training Regulator Act 2011 that we recognise individuals and their specific individual requirements on onset of service delivery, andgatherand disclose Australian Vocational Education and Training Management of Information Statistical Standard (AVETMISS) data on all individuals registered in nationally recognised training programs. Additional legal requirements, as noted earlier in this policy, also involve considerable identification arrangements.

There are also other occasions also within our service delivery where an individual may not have the option of dealing anonymously or by pseudonym, as identification is practicallyneeded for us to effectively support an individual’s request or need.

Australian Privacy Principle 3 — Collection of solicited personal information

RTOacquires personal information that is reasonably required for our business activities.

We only gather sensitive information in events where the individual consents to the sensitive information being collected, except in cases where we are required to collect this information by law, such as outlined earlier in this policy.

All information weacquire is collected through lawful and fair processes.

Solicited information is collected directly from the individual affected, unless it is unreasonable or impracticable for that information to only be collected in this way.

Australian Privacy Principle 4 – Dealing with unsolicited personal information

RTO may occasionally receive unsolicited personal information. Where this occurs a quick review of the information will be performed to determine whether it could have been collected using other business activities. Where this is the case, we may retain, employ and disclose the information appropriately as per the practices summarised in this policy.

Where we could not have acquired this information (by law or for a valid business purpose) we destroy or de-identify the information without delay (unless it would be unlawful to do so).

Australian Privacy Principle 5 – Notification of the collection of personal information

Whenever RTOgathers personal information about an individual, we take practical measures to notify the individual of the details of the data collection or otherwise confirm the individual is aware of those matters. This notification occurs at or prior to collection, or as soon as possibleafterwards.

Our notifications to individuals on data collection include:

RTO’s identity and contact details, including the position title, telephone number and email address of a contact who manages enquiries and requests regarding privacy matters;
The facts and conditions of collection such as the date, time, place and method of collection, and whether the data was acquiredfrom a third party, including the name of that party;
If the collection is required or authorised by law, including the name of the Australian law or other legal agreement requiring the collection;
Theobjective of collection, including any primary and secondary purposes;
The consequences for the individual if all or some personal information is notgathered;
Other organisations or persons to which the information is usually disclosed, includingthe names of those parties;
Whether we are likely to disclose the personal information to overseas beneficiaries, and if so, the names of the recipients and the countries in which such recipients are located.
A link to this APP Privacy Policy on our website ordescribe how it may be accessed; and
Advice that this APP Privacy Policy includes information about how the individual may access and seek amendment of the personal information held by us; and how to make a complaint about a violation of the APPs, or any registered APP code, and how we will managea complaint.

Where realistic, RTOmakes sure that the individual verifies their understanding of these finer details, such as through signed declarations, website form acceptance of details or in person through questioning.

Collection from third parties

Where RTOgathers personal information from another organisation, we:

Verify whether the other organisation has provided the appropriate notice above to the individual; or
Whether the individual was otherwise mindful of these details at the time of collection; and
If this has not occurred, we will carry out this notice to make sure the individual is entirely informed of the data collection.
Australian Privacy Principle 6 – Use or disclosure of personal information

RTO only uses or discloses personal information itretains about an individual for the specific primary reasons for which the information was gathered, or secondary purposes in cases where:

An individual agreed to a secondary use or disclosure;
An individual would practically expect the secondary use or disclosure, and that is directly connected to the primary objective of collection; or
Using or disclosing the information is commanded and authorised by law.

Requirement to compose a written note of use or disclosure for this secondary purpose

If RTO uses or discloses personal data in accordance with an ‘enforcement related activity’ we will create a written recordof the use or disclosure, including the following details:

The date of the use or disclosure;
Details of the personal data that was used or disclosed;
The enforcement bodyregulating the enforcement related activity;
If the organisation employed the information, and how the datawas employed by the organisation;
The root for our reasonable belief that we werecompelled to disclose the information.

Australian Privacy Principle 7 – Direct marketing

RTO does not apply or disclose the personal information that itretainsabout an individual for the objective of direct marketing, unless:

The personal information has been collected directly from an individual, and the individual would reasonably expect their personal information to be used for the purpose of direct marketing; or
The personal information has been collected from a third party, or from the individual directly, but the individual does not have a reasonable expectation that their personal information will be used for the purpose of direct marketing; and
Wepresent a simple method for the individual to request not to receive direct marketing communications (also known as ‘opting out’).

On each of our direct marketing communications, RTO provides anoteworthy statement that the individual may wish to opt out of future communications, and the processto do so. An individual may also request at any stage not to use orreveal their personal data for direct marketing, or to facilitate direct marketing by other organisations. We observe with any request by an individual straightaway and undertake any required actions without charge.

We also, on request, advise an individual of our supplier of their personal information used or disclosed for direct marketing unless it is unwarranted or impracticable to do so.

Australian Privacy Principle 8 – Cross-border disclosure of personal information

Before RTOreveals personal information about an individual to any overseas recipient, we undertake reasonable steps to guarantee that the recipient does not violate any privacy matters in relation to that information.

Australian Privacy Principle 9 – Adoption, use or disclosure of government related identifiers

RTO does not adopt, exercise or disclose a government related identifier linked to an individual except:

In situations necessitated by Australian law or additional legal requirements;
Where reasonably necessary to authenticate the identity of the individual;
Where reasonably necessary to follow obligations to an agency or a State or Territory authority; or
As prescribed by regulations.

Australian Privacy Principle 10 – Quality of personal information

RTO takes reasonable steps to guarantee that the personal information it gathers is appropriate, current and complete. We also take reasonable steps to certifythat the personal information we use or disclose is, having regard to the purpose of the use or disclosure,appropriate, current, complete and accurate. This is imperative where:

When we initially acquire the personal information; and
When we use or disclose personal information.

We take measures to ensure personal information is factually accurate and truthful. In cases of an opinion, we ensure informationtake into account competing facts and views and composes an informed assessment, making it clear that it is an opinion. Information is confirmed current at the point in time to which the personal information relates.

Quality performance indicators established to maintain these requirements include:

Internal systems and procedures to review, examine, identify and improve poor quality personal information (including training staff in these practices, procedures and systems);
Protocols that validate that personal information is collected and documented in a consistent format, from a primary material source when feasible;
Making sure updated or new personal information is punctually added to appropriate existing records;
Providing individuals with a simple method to evaluate and revise their information on a regular basis through the online portal;
Prompting individuals to review and refresh their personal information at important service delivery points (such as completion) when we engage with the individual;
Contacting individuals to authenticate the quality of personal information where appropriate when it is about to applied or disclosed, especially if there has been a prolonged period since acquiring the data; and
Verifying that a third party, from whom personal data is obtained, has implemented appropriate data quality systems and procedures.

Australian Privacy Principle 11 — Security of personal information

RTO takes effective measures to assess whether we can holdthe personal information we possess, and also to guarantee the security of the personal information we retain. This includes practical steps to protect the information from exploitation, interference and loss, as well as unauthorised access, changes or disclosure.

Personal information is destroyed once the information is no longer required for any use for which the information may be legally used or disclosed.

Access to RTO offices and work areas is restricted to our employees only – visitors to our premises must be approved by relevant authorised personnel and are always accompanied. Regarding any information in a paper-based format, we preserve storage of records in an appropriately secure place to which only authorised individuals have access.

Systematic staff training and information bulletins are performed with RTO personnel on privacy subjects, and how the APPs apply to practices and procedures. Training is also incorporated in personnel induction practices.

We perform ongoing internal audits (at least once a year and as necessary) of the adequacy and currency of security and access procedures and systems employed.

Storage and security of personal information

RTO will guarantee:

That the record is protected, by such security safeguards as it is rational in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse.
That if it is required for the record to be given to a person in association with the provision of a service to the VET Provider, everything reasonably within the authority of the VET Provider will be doneto prevent unauthorised use, misuse or disclosure of information included in the record.
RTO sets out in its Records Management policy the retention period of personal data and then its subsequent secure data destruction (secure shredding).
For data kept on electronic systems, access is regulated by protected sign on procedures for authorised administrative employees.
RTO will not use the data without undertaking reasonable measures to guarantee that, having regard to the purpose for which the information is planned to be used, the information is precise, current and complete. RTO will not use the information apart fromthe purpose to which the information is related.

Photographs

At times during attendance at RTO personnel and students may be involved and included in photographs taken either for identification or verifying events.
At times, RTO may ask to use one or more of these photographs for publicity or advertising reasons.
RTO will only use such material after the explicit written consent of the individual. This consent may be rescinded at any unspecified moment (but material already posted in the public domain may remain so).

Australian Privacy Principle 12 — Access to personal information

Where RTO retains personal information about an individual, RTO canarrange for that individual to access to the information on their demand. In processing requests, RTO:

Makes sure through confirmation of identity that the request is made by the individual involved, or by another person who is authorised to produce a request on their behalf;
Acknowledges access requests:

Within 14 calendar days, when informing our refusal to grant access, including presenting grounds for refusal in writing, and the complaint procedures accessible to the individual; or

Within 30 calendar days, by granting access to the personal information that is desired in the way it was requested, provide access without any charge.

Australian Privacy Principle 13 – Correction of personal information

RTO takes reasonable steps to correct personal information we possess, to confirm it is relevant, current, complete, genuine and not misleading, having consideration to the purpose for which it is held.

Individual Requests

On an individual’s request, RTO:

Revises and corrects personal information held; and
Alerts any third parties of amendments made to personal data, only if this information was formerly supplied to these parties.

In circumstances where RTO refuses to update personal information, RTO:

Providesa written notice to the individual, containing the reasons for rejection and the complaint procedures accessible to the individual;
Upon request by the individual whose correction request has been rejected, undertakespractical steps to link a statement with the personal information that the individual considers to be incorrect, outdated, incomplete, irrelevant or misleading;
Answers within 14 calendar days to these requests; and
Carries out all actions without charge.

Correcting at RTO’s initiative

RTOundertakes reasonable measures to amend personal information we possess in circumstances where we are satisfied that the personal dataretained is incorrect, outdated, incomplete, irrelevant or misleading. This knowledge may arise through theacquiring of updated information, in notice from third parties or through other channels.

‘Request for Records Access’ Procedure

Individuals or third parties may at any period request retrieve records held by RTO relating to their personal information. The following procedure is adhered to on individual requests for access:

A request for access is provided by the requester, with appropriate information provided to be able to:
Identify the individual affected;
Verify their identity; and
Identify the particular information that they are requesting access to.

This request may be in any format, or preferably using RTO’s Records Access or Update Request Form.

Upon receiving a request for access, RTO then:
Verifies the identity of the party requesting access;
Confirms that this party is correctly authorised to obtain the information requested;
Searches the records that we hold or control to assess whether the requested personal information is included in those records; and
Pulls together any personal dataretrieved ready for access to be provided.
Confirming identity

RTO personnel must be convinced that a request for personal information is made by the individual directly affected, or by another party who is authorised to process a request on their behalf. The bare minimum of personal information needed to determine an individual’s identity is required, which is normallythe individual’s name, date of birth, most recently known address and signature.

When consulting the requesting party personally, identification may be viewed.

If verifying details over a telephone conversation, questions involving the individual’s name, date of birth, last known address or service details may be established before information is granted.

Once identity and access authorisation is verified, and personal information is collected, access is provided to the requester within 30 calendar days of acknowledgement of the original request.

RTO will grant access to personal information in the precise manner or format requested by the party, wherever it is practical to do so, without charge.

Where the requested format is not reasonable, RTO willcheck with the requester to make sure a format is provided that meets the requester’s requirements.

If the identity or authorisation access cannot be verified;
or there is an additionalreasonable basis why RTO is unable to deliver the personal information, refusal to provide access to records will be presented to the requester, in writing. The notification will include reason(s) for the refusal, and the complaint procedures accessible to the individual. Such notifications are given to the requester within 30 calendar days of receiving of the original request.

‘Request for Records Update’ Procedure

Parties may at any point request that their records held by RTO relating to their personal information be amended. The following procedure is adhered to on each request for records updates:

A request for records update is given by the requester, with appropriate information provided to be able to:
Identify the individual involved;
Verify their identity; and
Identify the information that they are requesting be updated on their records.

This request may be in any form, or preferably using RTO’s Records Access or Update Request Form.

Upon receiving a request for records update, RTO then:
Approves the identity of the party to whom the record concerns;
Searches the records that RTOhas or controls to assess whether the requested personal information is covered in those records; and
Assesses the information already on record, and the requested update, to decide whether the requested update should advance.
Assessing Update

RTO personnel assess the relevant personal information possessed, and the requested updated information, to ascertain which version of the information is considered correct, current, complete, appropriate and not misleading, relating to the purpose for which it is held.

This may include examining information in contrast to other records stored by RTO, or within government databases, to carry out an assessment of the accurate version of the information to be used.

Once identity and information assessment is verified, personal information is:
Updated, without charge, within 14 calendar days of receiving the original request; and
Informed any third parties of amendments made to personal information, only if this information was formerly provided to these parties.
If the identity of the individual cannot be verified, or there is another reasonable basis why RTO is incapableof updating the personal information, refusal to update records will be given to the requester in writing, without charge, within 14 calendar days.

The notification will contain the details for the refusal and the complaint procedures accessible to the party.

Upon request by the individual whose correction request has been rejected, RTO will also take reasonable steps to associate a ‘statement’ with the personal information that the individual believes it to be incorrect, outdated, inadequate, irrelevant or misleading. This statement will be applied, without charge, to all personal information relevant across RTO systems within 30 calendar days of receiving the statement request.

Privacy Complaints Procedure

If individual feels that RTO has breached its obligations in the processing, use or disclosure of their personal information, they may lodge a complaint. RTO supports individuals to review the situation with their RTO representative in the first instance, prior to processing a complaint.

The complaints handling process is as follows:

The individual should make the complaint incorporating with explicit details about the matter as possible, in writing to RTO:

CEO/CEO

RTO will examine the circumstances contained within the complaint and reply to the individual once possible, within 30 calendar days,concerning its findings and actions following this investigation.
Should after studying this response, the party is still not pleased, they may raise their complaint directly to the Information Commissioner for further investigation:

Office of the Australian Information Commissioner

www.oaic.gov.au

Phone: 1300 363 992

When examining a complaint, the OAIC will firstlytryto conciliate the complaint, before considering the application of other complaint resolution powers.

Alternatively, if the complaint correlates to a non-privacy matter, or should parties prefer to do so, a complaint may also be lodged with the ASQA complaints handing service for complaints against RTOs:

Australian Skills Quality Authority

www.asqa.gov.au

Phone: 1300 701 801

Or

Dissatisfied students with RTO’ complaints process can also contact the relevant State/Territory Training Authority, the Australian National Training Authority or the Australian Government Department of Education, Science and Training National Training Complaints Hotline on 1800 000 674.

Procedures