Privacy Policy

  1. Purpose

The Institution takes proactive steps to establish and maintain internal practices, procedures and systems to ensure compliance with its privacy responsibilities under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and the Privacy and Other Legislation Amendment Bill 2024 (Cth). The Privacy Policy outlines the Institution’s approach to managing personal information and safeguarding individual privacy in an open and transparent manner in line with statutory requirements. In addition, the Institution adheres to the European Union’s General Data Protection Regulation (GDPR).

This policy should be read in conjunction with the Records Management and Personal Information Procedures.

  1. Scope

This policy applies to the management of all personal information collected by the Institution for business purposes. It applies to (but is not limited to) all prospective and enrolled students, employees, visitors and employees handling personal information.

  1. Definitions

See Glossary of Terms.

  1. Policy statements

Collecting and holding personal information

4.1 The Institution only collects personal information that is reasonably necessary for, or directly related to, its legitimate functions or activities as a higher education provider.

4.2 The Institution collects personal information only by lawful and fair means.

4.3 Personal information is collected directly from the person concerned. Where consent is provided or where required or permitted by law, the Institution may collect personal information from other sources.  This ensures that required consent is provided and that the information collected is accurate, up to date and complete.

4.4 The Institution ensures that individuals are appropriately notified where personal information is collected.

4.5 The Institution collects personal information from students for the following purposes:

  • admission, enrolment and academic progress;
  • diversity and equity support including disability services and reasonable adjustments;
  • access to student support services;
  • management of complaints and appeals;
  • investigation of misconduct or breaches of academic integrity;
  • administration of payments and fees;
  • verification of graduation and certification;
  • safety and security (e.g. IT monitoring, security cameras);
  • quality improvement (e.g. educational offerings, the student experience, or support services using deidentified data;
  • compliance with legislative and regulatory obligations;
  • marketing and promotional activities.

4.6 The Institution collects personal information from employees and visitors for the following purposes:

  • payroll and entitlements administration;
  • performance management;
  • access to facilities and services;
  • visa and immigration compliance;
  • taxation reporting;
  • work, health and safety;
  • disability, rehabilitation and compensation matters;
  • security and emergency management;
  • public health responses (e.g. COVID 19);
  • event coordination and management.

Types of personal information collected

4.7 The Institution collects and holds a range of personal information necessary for its functions and activities. This may include, but is not limited to:

  • full name, date of birth, gender, contact details (email, phone), postal and billing addresses;
  • tax file number, passport details, driver’s licence number, bank account details;
  • emergency contact information and next of kin;
  • photographs and video recordings (e.g. for ID cards, events, or security);
  • information provided in applications for admission, advanced standing, reasonable adjustments, reviews of assessment, complaints, appeals, and employment;
  • enrolment details, including course selection, study load, and changes to enrolment status;
  • assessment results, academic transcripts, and graduation documentation (e.g. testamurs)
  • records of alleged or confirmed breaches of the Student Code of Conduct or academic integrity;
  • outcomes of investigations and any penalties imposed;
  • health and medical information provided for the purpose of reasonable adjustments, disability support, or compliance with public health requirements;
  • IT system usage logs, access records, and security camera footage; and
  • audio and video recordings of classes, meetings, and events

Additional personal information may be collected during the course of a student’s enrolment, an employee’s employment, or any other interaction with the Institution.

4.8 The Institution collects personal information through a variety of methods including emails and other written correspondence, online forms and portals (e.g. learning management systems), in person or virtual communication with students or staff, security systems (including CCTV and access logs), audio and video recordings of classes, meetings events.

4.9 Where personal information is collected, the Institution provides a clear privacy notice before or at the time of collection. A privacy notice may be provided in a variety of ways including:

  • online forms
  • via a consent or other form;
  • on a web page;
  • in terms and conditions for an app, information system or service;
  • in a local privacy policy.

4.10 The Institution may collect personal information and other data through the use of Cookies or other automated means. A person may disallow Cookies through customised web browser settings.

4.11 Some of the Institution’s activities and processes require personal information to be collected from third parties. Where this is required, privacy notices and collection of informed consent (where relevant) are incorporated into those activities and processes.

4.12 External sites that are linked to or from the Institution’s website are generally not under the Institution’s control or responsibility. If a person decides to access linked third-party websites, they are encouraged to review the privacy policy, terms of use and content of those sites.

4.13 The Institution takes reasonable steps to protect personal information from misuse, interference, and loss, as well as unauthorised access, modification or disclosure. This includes implementing technical measures (e.g. password protection, encryption, secure servers) and organisational measures (e.g. access controls, staff training, governance frameworks).

4.14 The Institution holds personal information securely in line with the Records Management and Personal Information Procedures.

Children’s privacy protection

4.15 The Institution recognises the heightened importance of safeguarding the personal information of individuals under 18 years of age.

4.16 The Institution takes reasonable steps to ensure privacy notices and policy statements are:

  • clear, age-appropriate and easily understood by children and their parent(s) or legal guardians;
  • collect and use children’s personal information only for lawful and necessary purposes and seek parental or guardian consent where required.

Anonymity
4.16 A person may choose to remain anonymous or use a pseudonym when interacting with the Institution provided it is lawful and practicable (for example, when making an enquiry). However, in most cases, ongoing engagement with the Institution requires the disclosure of identity, as anonymity and pseudonymity is typically neither lawful not practical for sustained interactions.

Access to personal information
4.17 Individuals have the right to know whether the Institution holds personal information about them, what information is held and how they can access it.

4.18 Access to personal information is granted, subject to verification of the individual’s identity. Requests are managed under the Institution’s Records Management and Personal Information Procedures. Individuals do not need to provide a reason to request their personal information.

4.19 The Institution reserves the right to refuse access to personal information in circumstances where, for example, access would unreasonably impact another person’s privacy, it may prejudice an investigation of misconduct or the request is unlawful. In such cases, the Institution provides reasons for any refusal to give access to personal information and how the person can appeal the decision.

Accuracy and correction of personal information
4.20 The Institution takes reasonable steps to ensure that the personal information it holds is accurate, up-to-date, complete and relevant.

4.21 Individuals may request corrections to their personal information in writing. The Institution takes into account the purpose for which the personal information was collected and takes appropriate steps to update or correct the record.

4.22 The Institution may refuse to correct personal if the change conflicts with applicable legislation or insufficient evidence is provided to support the correction. In such cases, the Institution provides written reasons for the refusal and outlines the process to lodge a complaint to appeal the decision.

Use, disclosure and sharing of personal information
4.23 The Institution uses personal information only in accordance with the APPs and relevant legislation. Permitted use includes:

  • the primary purpose for which it was collected;
  • a directly related secondary purpose that the individual would reasonably expect;
  • where a person has provided informed consent;
  • where required or permitted by law;
  • in the event of an emergency situation to prevent or lessen serious threats to life, health or safety;
  • for internal administrative processes such as quality improvement processes, planning, handling of complaints and investigations (using de-identified data only).

4.24 The Institution does not disclose or share personal information (including through unsecured and publicly accessible artificial intelligence tools), highly sensitive and intellectual property unless:

  • the person has given written, informed consent;
  • disclosure is necessary to prevent or lessen a serious threat to the life, health or safety;
  • the person is reasonably likely to be aware that such disclosure is standard practice;
  • the disclosure is required or authorised by law.

4.25 The Institution may be legally required to disclose personal information to government agencies or authorities such as the Department of Home Affairs, Department of Education, Skills and Employment, Australian Tax Office, Tuition Protection Service, law enforcement bodies.

4.26 The Institution may disclose personal information to third parties in the context of a student’s course (for example an industry partner for a placement, study tours, etc.) or an employee’s role. Only necessary personal information for the specific purpose is disclosed.

4.27 The Institution may enter into agreements with third parties which include provisions to ensure compliance with privacy laws.

4.28 For students under 18, information regarding attendance, progress and general well-being may be shared with parents and/or legal guardians to ensure appropriate support and oversight.

Retention and disposal of personal information
4.29 Personal information is retained in accordance with the timeframes outlined in the Records Management and Personal Information Procedures.

4.30 The Institution takes reasonable steps to securely destroy or de-identify personal information in a secure manner once it is no longer needed.

4.31 Employees are not permitted to amend or dispose of records containing personal information without prior approval from delegated authorities outlined in the Records Management and Personal Information Procedures.

Data breaches
4.32 In accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth), the Institution must notify affected individuals and the Office of the Australian Information Commissioner if it has reasonable grounds to believe that a data breach has occurred that is likely to result in serious harm. The Institution takes technical and organisational measures to mitigate risks and respond promptly

Complaints
4.33 A person who is dissatisfied with the Institution’s handling of their personal information may lodge a complaint in accordance with the Complaints and Appeals Policy and Complaints and Appeals Procedures.

  1. Roles and responsibilities

5.1 The President and Managing Director is the owner of this policy and acts as the Institution’s Privacy Officer, responsible for promoting awareness of privacy obligations and issuing regular communication on safeguarding personal information.

5.2 The Board of Directors receives reports on the effectiveness of processes for the management of personal information and the integrity of the systems used to store personal data.

5.3 The responsibilities outlined in the Records Management and Personal Information Procedures include monitoring employee access to personal information and ensuring permissions are appropriately managed and reviewed.

  1. Related documents

Complaints and Appeals Policy
Complaints and Appeals Procedures
Records Management and Personal Information Procedures
Records Management Policy

Summary of changes Approved by Approval date
Created Board of Directors 2 August 2019

 
  Board of Directors 15 June 2021

 
Comprehensive review including additions to reflect the Australian Privacy Principles (APPs) and the Privacy and Other Legislation Amendment Bill 2024 (Cth) including enhanced protection for children’s data, and transparency in computer-driven decision-making.  Board of Directors  2 December 2021