Regional Skills Training Pty Ltd is committed to maintaining the privacy and confidentiality of personnel and student records.
We comply with the Privacy Act 1988 including the 13 Australian Privacy Principles (APPs) as outlined in the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
Personal information is managed in an open and transparent way. This is evident in the implementation of practices, procedures and systems we outline in this policy, that ensure our compliance with the APPs and any binding registered APP code, and provides suitable procedures for personnel to be able to deal with related inquiries and complaints that may be received from time to time.
The following sections of this policy outline how we manage personal information.
3. Australian Privacy Principle 1 – Open and transparent management of personal information
3.1. Purposes for information collection, retention, use and disclosure
We collect, hold and process personal information about our students and potential students, employees, contractors and other people who come into contact with us (you or your).
There is a range of purposes for RST collecting, using and retaining information including:
- Providing training and services to clients
- Marketing and promoting our services and courses
- Managing employees and contractors
- Conducting internal business functions and activities
- Government reporting for statistical, administrative, regulatory and research purposes
- Requirements of stakeholders.
As a government registered training organisation, regulated by the Australian Skills Quality Authority, RST is required to collect, hold, use and disclose a wide range of personal and sensitive information on participants in nationally recognised training programs. This information requirement is outlined in the National Vocational Education and Training Regulator Act 2011 and associated legislative instruments. In particular, the legislative instruments:
- Student Identifiers Act 2014
- Standards for Registered Training Organisations (RTOs) 2015
- Data Provision Requirements 2012.
RST is also bound by various State Government Acts requiring similar information collection, use and disclosure (particularly Education Act(s), Vocational Education and Training Act(s) and Traineeship and Apprenticeships Act(s) relevant to state jurisdictions of our operations).
In accordance with these legislative requirements, RST delivers services through a range of Commonwealth and State Government funding contract agreement arrangements, which also include various information collection and disclosure requirements.
RST discloses information held on inpiduals for valid purposes to a range of entities including:
- Governments (Commonwealth, State or Local);
- Australian Apprenticeships Centres
- Employers (and their representatives), Job Network Providers, Schools, Guardians
- Service providers such as credit agencies and background check providers.
3.2. Kinds of personal information we collect and hold
The following types of personal information are generally collected, depending on the need for service delivery:
‘Personal information’ includes a broad range of information, or an opinion, that could identify an inpidual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances.
The following types of personal information are collected, depending on the need for service delivery:
- Name, signature, address, phone number and date of birth
- Photographs and proof of Identity
- Contact details
- Demographic Information
- Schooling and Educational Information
- Unique Student Identifier (USI)
- Account billing information
- Employment details
- Course progress and achievement information.
‘Sensitive Information’ refers to data about your racial or ethnic origin, political opinions or associations, religious or philosophical beliefs, trade union membership or associations, sexual orientation or practices, criminal record, health or genetic information and some aspects of biometric information.
The following types of sensitive information are collected depending on the need for service delivery:
- Identity details
- Employee details and HR information
- Language and Cultural persity
- Indigenous status
- Disability status and other inpidual needs
- Medical Information
- Complaints and grievance information.
Where RST collects personal information of more vulnerable segment of the community (such as children), additional practices and procedures are also followed. Please refer to RST’s Child Safety Policy for further information.
3.3. How personal information is collected
RST’s usual approach to collecting personal information is to collect any required information directly from the inpiduals concerned. This may include the use of forms (such as enrolment forms or service delivery records) and the use of web-based systems (such as online enquiry forms, web portals or internal operating systems).
RST does receive solicited and unsolicited information from third party sources in undertaking service delivery activities. This may include information from such entities as:
- • Governments (Commonwealth, State or Local)
- • Australian Apprenticeships Centres
- • Employers (and their representatives), Job Network Providers, Schools, Guardians
- • Service providers such as credit agencies and background check providers.
3.4. How personal information is held
RST’s usual approach to holding personal information includes robust storage and security measures at all times. Information on collection is:
- As soon as practical converted to electronic means
- Stored in secure, password protected systems, such as financial system, learning management system and student management system
- Monitored for appropriate authorised use at all times.
Only authorised personnel are provided with login information to each system, with system access limited to only those relevant to their specific role. Multi-factor authentication, virus protection, backup procedures and ongoing access monitoring procedures are in place where appropriate.
3.5. Retention and Destruction of Information
RST retains and destroys documents according to legislative requirements and our Record Management Policy.
Specifically, for our RTO records, in the event of our organisation ceasing to operate the required personal information on record for inpiduals undertaking nationally recognised training with us would be transferred to the Australian Skills Quality Authority, as required by law.
3.6. Accessing and seeking correction of personal information
RST confirms all inpiduals have a right to request access to their personal information held and to request its correction at any time. To request access to personal records, inpiduals are to make contact with the CEO via email: email@example.com outlining what information they are seeking to access.
A number of third parties, other than the inpidual, may request access to an inpidual’s personal information. Such third parties may include employers, parents or guardians, schools, Australian Apprenticeships Centres, Governments (Commonwealth, State or Local) and various other stakeholders.
In all cases where access is requested, RST will ensure that:
- Parties requesting access to personal information are robustly identified and vetted
- Where legally possible, the inpidual to whom the information relates will be contacted to confirm consent (if consent not previously provided for the matter)
- Only appropriately authorised parties, for valid purposes, will be provided access to the information.
3.7. Complaints about a breach of the APPs or a binding registered APP code
If an inpidual feels that RST may have breached one of the APPs, they are encouraged to lodge a formal complaint using RST’s Complaints and Appeals Policy and Procedure which is available at www.rst.edu.au.
3.8. Likely overseas disclosures
RST confirms that inpiduals’ personal information is unlikely to be disclosed to overseas recipients.
- Referenced within our Student Information Book noting that a copy of the policy is available on request;
- Noted within the text or instructions at all information collection points (such as informing inpiduals during a telephone call of how the policy may be accessed, in cases where information collection is occurring); and
- Available for distribution free of charge on request, as soon as possible after the request is received, including in any particular format requested by the inpidual as is reasonably practical.
- On an ongoing basis, as suggestions or issues are raised and addressed, or as government required changes are identified
- Through our internal audit processes on at least an annual basis
- As a part of any external audit of our operations that may be conducted by various government agencies as a part of our registration as an RTO or in normal business activities
- As a component of each and every complaint investigation process where the compliant is related to a privacy matter.
4. Australian Privacy Principle 2 – Anonymity and pseudonymity
RST provides inpiduals with the option of not identifying themselves, or of using a pseudonym, when dealing with us in relation to a particular matter, whenever practical. This includes providing options for anonymous dealings in cases of general course enquiries or other situations in which an inpiduals’ information is not required to complete a request.
Inpiduals may deal with us by using a name, term or descriptor that is different to the inpidual’s actual name wherever possible. This includes using generic email addresses that does not contain an inpidual’s actual name, or generic user names when inpiduals may access a public component of our website or enquiry forms.
RST only stores and links pseudonyms to inpidual personal information in cases where this is required for service delivery (such as system login information) or once the inpidual’s consent has been received.
Individuals are advised of their opportunity to deal anonymously or by pseudonym with us where these options are possible via the inclusion of this policy on our website at: www.rst.edu.au .
RST must require and confirm identification of students in delivering training services to inpiduals for nationally recognised course programs. We are authorised by Australian law to deal only with inpiduals who have appropriately identified themselves. That is, it is a Condition of Registration for all RTOs under the National Vocational Education and Training Regulator Act 2011 that we identify inpiduals and their specific inpidual needs on commencement of service delivery, and collect and disclose Australian Vocational Education and Training Management of Information Statistical Standard (AVETMISS) data on all inpiduals enrolled in nationally recognised training programs. Other legal requirements, as noted earlier in this policy, also require considerable identification arrangements.
There are other occasions within our service delivery where an inpidual may not have the option of dealing anonymously or by pseudonym, as identification is practically required for us to effectively support an inpidual’s request or need.
5. Australian Privacy Principle 3 — Collection of solicited personal information
RST only collects personal information that is reasonably necessary for our business activities.
We only collect sensitive information in cases where the inpidual consents to the sensitive information being collected, except in cases where we are required to collect this information by law, such as outlined earlier in this policy.
All information we collect is collected only by lawful and fair means.
We only collect solicited information directly from the inpidual concerned, unless it is unreasonable or impracticable for the personal information to only be collected in this manner.
6. Australian Privacy Principle 4 – Dealing with unsolicited personal information
RST may from time to time receive unsolicited personal information. Where this occurs we promptly review the information to decide whether or not we could have collected the information for the purpose of our business activities. Where this is the case, we may hold, use and disclose the information appropriately as per the practices outlined in this policy.
Where we could not have collected this information (by law or for a valid business purpose) we immediately destroy or de-identify the information (unless it would be unlawful to do so).
7. Australian Privacy Principle 5 – Notification of the collection of personal information
Whenever RST collects personal information about an inpidual, we take reasonable steps to notify the inpidual of the details of the information collection or otherwise ensure the inpidual is aware of those matters. This notification occurs at or before the time of collection, or as soon as practicable afterwards.
Our notifications to inpiduals on data collection include:
- RST’s identity and contact details, including the position title, telephone number and email address of a contact who handles enquiries and requests relating to privacy matters
- The facts and circumstances of collection such as the date, time, place and method of collection, and whether the information was collected from a third party, including the name of that party
- If the collection is required or authorised by law, including the name of the Australian law or other legal agreement requiring the collection
- The purpose of collection, including any primary and secondary purposes
- The consequences for the inpidual if all or some personal information is not collected
- Other organisations or persons to which the information is usually disclosed, including naming those parties
- Where possible, we ensure that the inpidual confirms their understanding of these details, such as through signed declarations, website form acceptance of details or in person through questioning.
Collection from third parties
Where RST collects personal information from a third party, we:
- Confirm whether the other organisation has provided the relevant notice above to the inpidual
- Whether the inpidual was otherwise aware of these details at the time of collection
- If this has not occurred, we will undertake this notice to ensure the inpidual is fully informed of the information collection.
8. Australian Privacy Principle 6 – Use or disclosure of personal information
RST only uses or discloses personal information it holds about an inpidual for the particular primary purposes for which the information was collected, or secondary purposes in cases where:
- An inpidual consented to a secondary use or disclosure
- An inpidual would reasonably expect the secondary use or disclosure, and that is directly related to the primary purpose of collection
- Using or disclosing the information is required or authorised by law.
Requirement to make a written note of use or disclosure for this secondary purpose
If RST uses or discloses personal information in accordance with an ‘enforcement related activity’ we will make a written note of the use or disclosure, including the following details:
- The date of the use or disclosure
- Details of the personal information that was used or disclosed
- The enforcement body conducting the enforcement related activity
- If the organisation used the information, how the information was used by the organisation
- The basis for our reasonable belief that we were required to disclose the information.
9. Australian Privacy Principle 7 – Direct marketing
RST does not use or disclose the personal information that it holds about an inpidual for the purpose of direct marketing, unless:
- The personal information has been collected directly from an inpidual, and the inpidual would reasonably expect their personal information to be used for the purpose of direct marketing
- The personal information has been collected from a third party, or from the inpidual directly, but the inpidual does not have a reasonable expectation that their personal information will be used for the purpose of direct marketing
- We provide a simple method for the inpidual to request not to receive direct marketing communications (also known as ‘opting out’).
On each of our direct marketing communications, RST provides a prominent statement that the inpidual may request to opt out of future communications, and how to do so. An inpidual may also request us at any stage not to use or disclose their personal information for the purpose of direct marketing. We comply with any request by an inpidual promptly and undertake any required actions for free.
RST does not provide personal information to other organisations for the purposes of direct marketing.
We also, on request, notify an inpidual of our source of their personal information used or disclosed for the purpose of direct marketing unless it is unreasonable or impracticable to do so.
10. Australian Privacy Principle 8 – Cross-border disclosure of personal information
RST does not generally disclose personal information about an about an inpidual to any overseas recipient, however if RST did, we would undertake reasonable steps to ensure that the recipient does not breach any privacy matters in relation to that information before providing the information.
11. Australian Privacy Principle 9 – Adoption, use or disclosure of government related identifiers
RST does not adopt, use or disclose a government related identifier related to an inpidual except:
- In situations required by Australian law or other legal requirements
- Where reasonably necessary to verify the identity of the inpidual
- Where reasonably necessary to fulfil obligations to an agency or a State or Territory authority
- As prescribed by regulations.
12. Australian Privacy Principle 10 – Quality of personal information
RST takes reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete. We also take reasonable steps to ensure that the personal information we use or disclose is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant. This is particularly important when we:
- Initially collect the personal information
- Use or disclose personal information.
We take steps to ensure personal information is factually correct. In cases of an opinion, we ensure information takes into account competing facts and views and makes an informed assessment, providing it is clear this is an opinion. Information is confirmed up-to-date at the point in time to which the personal information relates.
Quality measures in place supporting these requirements include:
- Internal practices, procedures and systems to audit, monitor, identify and correct poor quality personal information (including training staff in these practices, procedures and systems)
- Protocols that ensure personal information is collected and recorded in a consistent format, from a primary information source when possible
- Ensuring updated or new personal information is promptly added to relevant existing records
- Reminding inpiduals to update their personal information at critical service delivery points (such as completion) when we engage with the inpidual
- Contacting inpiduals to verify the quality of personal information where appropriate when it is about to used or disclosed, particularly if there has been a lengthy period since collection
- Checking that a third party, from whom personal information is collected, has implemented appropriate data quality practices, procedures and systems.
13. Australian Privacy Principle 11 — Security of personal information
RST takes active measures to consider whether we are able to retain personal information we hold, and also to ensure the security of personal information we hold. This includes reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
We destroy or de-identify personal information held once the information is no longer needed for any purpose for which the information may be legally used or disclosed.
Access to RSToffices and work areas is limited to our personnel only – visitors to our premises must be authorised by relevant personnel and are accompanied at all times. With regard to any information in a paper-based form, we maintain storage of records in an appropriately secure place to which only authorised inpiduals have access.
Regular staff training and information bulletins are conducted with RST personnel on privacy issues, and how the APPs apply to our practices, procedures and systems. Training is also included in our personnel induction practices.
We conduct ongoing internal audits (at least annually and as needed) of the adequacy and currency of security and access practices, procedures and systems implemented.
14. Australian Privacy Principle 12 — Access to personal information
Where RST holds personal information about an inpidual, we provide that inpidual access to the information on their request. In processing requests, we:
- Ensure through confirmation of identity that the request is made by the inpidual concerned, or by another person who is authorised to make a request on their behalf
- Respond to a request for access:
- Within 14 calendar days, when notifying our refusal to give access, including providing reasons for refusal in writing, and the complaint mechanisms available to the inpidual
- Within 30 calendar days, by giving access to the personal information that is requested in the manner in which it was requested.
- Provide information access free of charge.
15. Australian Privacy Principle 13 – Correction of personal information
RST takes reasonable steps to correct personal information we hold, to ensure it is accurate, up-to-date, complete, relevant and not misleading, having regard to the purpose for which it is held.
On an inpidual’s request, we:
- Correct personal information held
- Notify any third parties of corrections made to personal information, if this information was previously provided to these parties.
In cases where we refuse to update personal information, we:
- Give a written notice to the inpidual, including the reasons for the refusal and the complaint mechanisms available to the inpidual
- Upon request by the inpidual whose correction request has been refused, take reasonable steps to associate a statement with the personal information that the inpidual believes it to be inaccurate, out-of-date, incomplete, irrelevant or misleading
- Respond within 14 calendar days to these requests
- Complete all actions free of charge.
Correcting at RST’s initiative
We take reasonable steps to correct personal information we hold in cases where we are satisfied that the personal information held is inaccurate, out-of-date, incomplete, irrelevant or misleading (that is, the information is faulty). This awareness may occur through collection of updated information, in notification from third parties or through other means.
16. Contact RST