1. Purpose

The Institution takes proactive steps to establish and maintain internal practices, procedures and systems that ensure it upholds its privacy responsibilities in accordance with the Privacy Act 1988. The Privacy Policy outlines the Institution’s approach to managing personal information and safeguarding a person’s privacy in accordance with those obligations in an open and transparent way. In addition, the Institution is subject to the European Union’s General Data Protection Regulation (GDPR).

This policy should be read in conjunction with the Records Management and Personal Information Procedures.

2. Scope

This policy applies to the management of all personal information collected and held by the Institution for a variety of business purposes. It applies to (but is not limited to) all prospective and enrolled students, employees, visitors and employees handling personal information.

3. Definitions

See Glossary of Terms.

4. Policy statements

Collection of personal information
4.1 The Institution only collects personal information that is reasonably necessary for, or directly related to, one or more of its functions or activities. It only collects personal information that is necessary to conduct its business as an institute of higher education.

4.2 The Institution collects personal information only by lawful and fair means.

4.3 Personal information is collected directly from the person concerned unless he/she provides consent or the collection is required or permitted by law. This allows the Institution to ensure that appropriate consent is provided and that information collected is accurate, up to date and complete.

4.4 The Institution ensures that individuals are appropriately notified where personal information is collected.

4.5 The Institution collects personal information from students for the following purposes:

  • for admission, enrolment and academic progress in a course of study;
  • diversity and equity purposes including disability support and reasonable adjustments;
  • advice on access to support services;
  • complaints and appeals processes;
  • investigation of general misconduct or alleged breaches of the Student Code of Conduct and/or academic integrity;
  • administration matters, including transactions relating to payments and fees;
  • verification of graduation certification;
  • safety and security including the monitoring of IT activity and security cameras;
  • for quality improvement of, for example, educational offerings, the student experience, or support services;
  • any legislative or regulatory obligations;
  • for marketing purposes.

4.6 The Institution collects personal information from employees and visitors for the following purposes:

  • to administer pay and entitlements;
  • managing performance;
  • to provide access to facilities and services;
  • visa and immigration purposes;
  • taxation purposes;
  • work health and safety matters;
  • disability, rehabilitation and compensation matters;
  • security;
  • public health emergencies e.g. COVID 19 management;
  • event management.

4.7 The Institution collects and holds various personal information including:

a. full name, date of birth, gender, contact details, postal/billing address, tax file number, passport details, bank account number, driver’s licence number, emergency contacts, details of next of kin, photos;
b. all applications, including admission, advanced standing, reasonable adjustments, review of assessments, complaints and appeals, employment;
c. information relating to enrolment, including changes to enrolment status, course transfers, study loads;
d. assessment results, academic transcripts, testamurs;
e. breaches of codes of conduct or investigations including penalties;
f. health information for example collected for reasonable adjustment requests as a result of a disability or general public health requirements.
Additional information may be collected during a course of study, employment and dealings with the Institution.

4.8 The Institution collects personal information through various methods including emails, online forms, student/learning management systems, direct communication with employees, security cameras, audio and video recordings of classes and events.

4.9 A privacy notice is provided to individuals before information is collected. A privacy notice may be provided in a variety of ways including:

  • online forms
  • via a consent or other form;
  • on a web page;
  • in terms and conditions for an app, information system or service;
  • in a local privacy policy.

4.10 The Institution may collect personal information and other data from a person through the use of a Cookie or other automated means and may include a person’s server address, domain name, IP address, the date and time of the visit, the pages accessed and documents downloaded; the previous site visited and the type of browser used. A person may disallow Cookies through customised web browser settings.

4.11 Some of the Institution’s activities and processes require personal information to be collected from a third party. Where this is required, privacy notices and collection of consent (where relevant) are incorporated into those activities and processes.

4.12 External sites that are linked to or from the Institution’s website are generally not under the Institution’s control or responsibility. If a person decides to access linked third-party websites, they are encouraged to review their privacy policy, terms of use and content.

4.13 A person has the option of remaining anonymous or using a pseudonym in their dealings with the Institution where it is lawful and practicable (for example, when making an enquiry). Generally, it is not practicable or lawful for the Institution to deal with individuals anonymously or pseudonymously on an ongoing basis.

Holding personal information
4.14 Personal information is held securely in line with the Records Management and Personal Information Procedures.

4.15 The Institution uses physical security, password protection and other measures to ensure that all personal information is protected from misuse, interference and loss; and from unauthorised access, modification and disclosure.

Access to personal information
4.16 A person is entitled to know whether information is held about them, what information is held about them how they can access that information.

4.17 A person can access the personal information held by the Institution upon request as per the Records Management and Personal Information Procedures. Access to personal information is granted only when the identity of the person has been confirmed. A person does not need to provide a reason to request their personal information.

4.18 The Institution reserves the right to refuse access to personal information in circumstances that, for example, giving access has an unreasonable impact on another person’s privacy, it may prejudice an investigation of misconduct or the request is unlawful. In such cases, the Institution provides reasons for any refusal to give access to personal information and how the person can appeal the decision.

Accuracy and correction of personal information
4.19 The Institution takes reasonable steps to ensure that the personal information it holds is accurate, up-to-date, complete and relevant.

4.20 The Institution may correct personal information upon request in writing by the person. The Institution takes into account the purpose for which the personal information was collected.

4.21 The Institution reserves the right to correct personal information in circumstances that, for example, the change conflicts with legislation or insufficient evidence has been provided to support the change. In such cases, the Institution provides reasons for any refusal to correct personal information and how the person can appeal the decision.

Use and disclosure of personal information
4.22 The Institution only uses personal information for:

  • a purpose for which it was collected;
  • for a directly related purpose;
  • where a person has provided consent;
  • where required or permitted by law;
  • in the event of an emergency situation;
  • for administrative processes including internal quality improvement processes and planning activities (de-identified data only), handling of complaints and investigations.

4.23 The Institution does not disclose personal information unless:

  • the person has given written consent to the disclosure;
  • the Institution has reasonable belief that the disclosure is necessary to prevent or lessen a serious threat to the life, health or safety of a person or to the public health and safety;
  • the person is reasonably likely to be aware, or made aware that information of that kind is usually passed to that person or organisation;
  • the disclosure is required or authorised by law.

4.24 The Institution may be required to disclose personal information to Australian government agencies or related authorities such as the Department of Home Affairs, Department of Education, Skills and Employment, Australian Tax Office, Tuition Protection Service, Federal and NSW Police, etc.

4.25 The Institution may disclose personal information to third parties in the course of a student’s course (for example an industry partner for a placement, study tours, etc.) or an employee’s employment. Only necessary personal information for the specific purpose is disclosed.

4.26 The Institution may enter into agreements with third parties which include provisions to ensure compliance with privacy laws.

4.27 For students under 18, information regarding attendance, progress and general well-being may be provided in order to keep parents and/or guardians adequately informed.

Retention and disposal of personal information
4.28 Records and personal information are retained in accordance with the timeframes outlined in the Records Management and Personal Information Procedures.

4.29 The Institution takes reasonable steps to destroy or de-identify personal information in a secure manner once it is no longer needed.

4.30 Employees members are not permitted to amend or dispose of records containing personal information without prior approval from delegated authorities outlined in the Records Management and Personal Information Procedures.

Data breaches
4.31 The Institution notifies affected individuals and the Australian Information Commissioner in the event of a data breach that is likely to result in serious harm to any of the person to whom the information relates.

4.32 A person who is dissatisfied with the management of their personal information may lodge a complaint in accordance with the Complaints and Appeals Policy and Complaints and Appeals Procedures.

5. Roles and responsibilities

5.1 The President and Managing Director is the owner of this policy and is responsible for issuing regular communication on the importance of safeguarding personal information and acting as the Institution’s privacy officer.

5.2 The Board of Directors receives reports about the effectiveness of processes for the management of personal information and the integrity of the systems on which it is stored.

5.3 The responsibilities outlined in the Records Management and Personal Information Procedures monitor employee access and permissions relating to personal information.

6. Related documents

Complaints and Appeals Policy
Complaints and Appeals Procedures
Records Management and Personal Information Procedures
Records Management Policy

Approved by Board of Directors 15 June 2021 (updated 19 March 2024)