Information Privacy Policy
Document ID: 131 Information Privacy Policy
Revision no: 6, October 2021
Purpose
- Community College Gippsland (CCG) is committed to complying with State and Commonwealth privacy legislation and acts.
- The purpose of this policy is to provide guidance on the positive management of personal and/or confidential information; and to protect staff, students, volunteers and stakeholders from unauthorised or accidental disclosure of confidential information.
- ECG College will be referred to as CCG (exception clause 5) for the purpose of this Policy.
Policy
- CCG respects the privacy of all staff, students, volunteers and stakeholders and is committed to protecting any personal information provided in the course of business. All confidential information related to the business of CCG and of its staff, students and clients must be protected from disclosure to any outside party, unless authorised by the Chief Executive Officer.
- ECG College is a registered Information Sharing Entity (ISE) under the Child Information Sharing Scheme (CISS). The CISS allows ECG College, as a designated ISE, to share information with other ISEs to support the safety and wellbeing of children, young people and families. Under the CISS, student information will only be shared when the individual’s situation meets the prescribed threshold of being “At Risk”.
- CCG will not collect sensitive information about an individual without consent unless the following exceptions apply:
- Collection is required by law, which includes the common law duty of care;
- Adhering to Victorian Government Public Health Orders and Ministerial Directions;
- It is unreasonable or impracticable to obtain the individual’s consent to the collection and the collection is necessary to prevent or lessen a serious threat to the life or health of any individual; and
- Other specific circumstances exist relating to collection of health information
- CCG employees and volunteers are provided with the Information Privacy Principles Policy and supported with information regarding the importance of confidentiality.
- The unauthorised use or disclosure of personal and/or confidential information will be regarded as serious misconduct and may, following investigation, be subject to disciplinary action up to and including dismissal.
- Any access to staff personal information and employment records shall be granted to the CEO, Directors, Finance Staff and approved auditors for auditing purposes. Limited access is permitted for the Education & Training Managers and Managers for their direct staff only.
- Under government legislation, all details must be made available upon written request from the relevant authority (i.e. Centrelink, Child Support, ATO).
- All records are kept in a “cloud” based database, which sometimes needs to be accessed by the database company when CCG’s access to the cloud has a technical issue that must be resolved.
- Students/parents/guardians/carers may access their individual records by following the Student Access to Records Policy; however, access may not always be granted, and the Director/Manager/Principal will provide a written response explaining why the access was declined.
- CCG manages personal information in an open and transparent way. This is through the implementation of the practices, procedures and systems outlined in this policy. This supports compliance with the Australian Privacy Principles (APPs).
Victorian Government Public Health Orders and Ministerial Directions
- CCG adheres to all government directions for collecting, storing, retaining and destroying personal information collected from staff, volunteers and students. The information collected will be used for the sole purpose of CCG implementing emergency management strategies for the pandemic event.
- All health information collected is strictly confidential and will not be disclosed among colleagues unless there is a legitimate and compelling reason to do so.
Breach of data
- CCG will implement the 131-2 Breach of Data Response Procedure immediately in any event where data privacy may have been breached.
Australian Privacy Principles
Australian Privacy Principle 1 – Open and transparent management of personal information
Purposes for information collection, retention, use and disclosure
- CCG retains records of personal information about all individuals with whom CCG undertakes any form of business activity. CCG must collect, hold, use and disclose information from clients and stakeholders for a range of purposes, including but not limited to:
- Providing services to clients;
- Managing recruitment of new and current employees, volunteers and contractor teams;
- Promoting products and services;
- Conducting internal business functions and activities; and
- Requirements of external departments and organisations
- CCG is a trisector education provider who is a Registered Training Organisation (RTO), Learn Local and Independent School. CCG is required to collect, hold, use and disclose a wide range of personal and sensitive information on individuals involved in training and educational programs. This information requirement is outlined in the National Vocational Education and Training Regulator Act 2011 and associated legislative instruments including:
- Student Identifiers Act 2014;
- Australian Qualifications Training Framework;
- Data Provision Requirements 2012; and
- National VET Data Policy
- Minimum Standards for School Registration
- Vet Provider Guidelines
- Child Safe Standards and CISS
- Victorian Government Public Health Orders and Ministerial Directions
- CCG is also bound by various State Government Acts requiring similar information collection, use and disclosure (particularly Education Act(s), Vocational Education & Training Act(s) and Traineeship & Apprenticeships Act(s) relevant to state jurisdictions of CCG operations).
- CCG also delivers services through a range of Commonwealth and State Government funding contract agreement arrangements, which also include various information collection and disclosure requirements.
- CCG discloses information held on individuals for valid purposes to a range of entities including:
- Governments (Commonwealth, State or Local);
- Australian Apprenticeships Centres;
- Employers (and their representatives), Job Network Providers, Schools, Guardians; and
- Service providers and background check providers.
Kinds of personal information collected and held
- The following types of personal information are generally collected, depending on the need for service delivery:
- Contact details, next of kin, date of birth, gender, language background and previous school;
- Parent/carer/guardian education, occupation and background
- Medical information
- Educational background and previous school reports and notes
- Counselling reports
- Any court orders
- Demographic information
- Banking details and financial billing information and
- Course progress and achievement information
- The following types of sensitive information may also be collected and held:
- Identity details;
- Employee details & HR information;
- Complaint or issue information;
- Disability status & other individual needs;
- Indigenous status;
- Health information; and
- Background checks (such as National Criminal Checks or Working with Children checks).
- Where CCG collects personal information from students who are deemed children, additional strict practices requiring parent/carer/guardian consent are implemented.
How personal information is collected
- CCG collects any required personal information directly from the individuals concerned through individual interview processes. This includes the use of forms (such as enrolment forms) and through web based systems with the online course enquiry and application forms and internal operating systems.
- CCG receives solicited and unsolicited information from third party sources in undertaking service delivery activities. This may include information from such entities as:
- Governments (Commonwealth, State or Local);
- Australian Apprenticeships Centres;
- Employers (and their representatives), Job Network Providers, Schools, Parent/Carer/Guardians;
- Service providers such as credit agencies and background check providers.
How personal information is held
- CCG has robust storage and security measures in place for holding personal information. These measures include:
- Electronic files are stored in secure, password protected systems, such as the human resource management system HR3 and Sage financial system, Axcelerate and Compass student management systems.
- Hard copy documents are stored in locked rooms and locked filing cabinets with restricted personnel access.
- Only authorised personnel are provided with login information to each system and allocated with system access limited to only those relevant to their specific role.
- Individual information held across systems is linked through an internal allocated identification number for each individual.
Retention and destruction of Information
- CCG maintains a Retention and Disposal Schedule documenting the periods for which RTO and School student file information records are kept and disposed of.
- CCG monitors and follows directions from the government on collection, retention and destruction of personal and health information specific to the pandemic or emergency event.
- Destruction of paper based records occurs as soon as legally practicable in every matter, through the use of secure shredding and destruction services.
- Electronic records are deleted as soon as legally practicable from CCG’s systems.
- In the event of the organisation ceasing to operate, the required personal information on record for individuals undertaking nationally recognised training in the RTO and the VCAL curriculum in the school would be transferred to the Victorian Registration Qualification Authority, as required by law.
Accessing and seeking correction of personal information
- CCG confirms all individuals have a right to request access to their personal information held and to request its correction at any time. In order to request access to personal records, individuals are to make contact with the Director, Manager or the School Principal and direction will be provided with the Student Access to Records Policy and Procedure available on request.
- A number of third parties, other than the individual, may request access to an individual’s personal information. Such third parties may include employers, parents/carers/guardians, schools, Australian Apprenticeships Centres, Governments (Commonwealth, State or Local) and various other stakeholders.
- In all cases where access is requested, CCG will ensure that:
- Parties requesting access to personal information are robustly identified and vetted;
- Where legally possible, the individual to whom the information relates will be contacted (if under 17 years of age the nominated parent/carer/guardian will be contacted) to confirm consent (if consent not previously provided for the matter); and
- Only appropriately authorised parties, for valid purposes, will be provided access to the information
Complaints about a breach of the APPs or a binding registered APP code
- If an individual feels that CCG may have breached one of the APPs, they may review the 131-1 Information Privacy Complaints Procedure for further information.
Likely overseas disclosures
- CCG does not deal with overseas companies and will not provide personal information to overseas organisations.
Making the Information Privacy Policy available
- CCG’s Information Privacy Policy is available to the public on the website at www.ccg.asn.au.
- The Information Privacy Policy is also:
- Listed in the Employee Handbook, the ECG College Student Parents and the Student Handbook with links on CCG’s website;
- Provided upon request in hard or soft copy to any individual
Review and update of the Information Privacy Policy
- CCG reviews this Information Privacy Policy:
- On an ongoing basis, as suggestions or issues are raised and addressed, or as government required changes are identified;
- As a part of any internal/external audit of CCG’s operations that may be conducted by various government agencies as a part of our registration as an RTO, school or in normal business activities; and
- As a component of a complaint investigation process where the complaint is related to a privacy matter.
- Where this policy is updated, changes to the policy are widely communicated to stakeholders through internal personnel communications, meetings, training and documentation, and externally through publishing of the policy on CCG’s website and in other relevant documentation (such as CCG’s Handbooks) for clients.
Australian Privacy Principle 2 – Anonymity and pseudonymity
- CCG provides individuals with the option of not identifying themselves, or of using a pseudonym, whenever practical. This includes providing options for anonymous dealings in cases of general course enquiries or other situations in which an individual’s information is not required to complete a request.
- Individuals may deal with CCG by using a name, term or descriptor that is different to the individual’s actual name wherever possible. This includes using generic email addresses that do not contain an individual’s actual name, or generic user names when individuals access a public component of our website or enquiry forms.
- CCG only stores and links pseudonyms to individual personal information in cases where this is required for service delivery with the online course enquiry system or once the individual’s consent has been received.
Requiring identification
- CCG requires confirmation of individual identification for service delivery for nationally recognised courses, pre-accredited course programs and school enrolments. CCG is authorised by Australian law to deal only with individuals who have appropriately identified themselves. Students must obtain a Unique Student Identifier number from the Government to enrol in any Vocational Education Training course, qualification or unit of competence. Other legal requirements, as noted earlier in this policy, also require considerable identification arrangements.
- There are occasions within CCG’s service delivery where an individual may not have the option of dealing anonymously or by pseudonym, as identification is practically required to effectively support an individual’s request or need.
Australian Privacy Principle 3 — Collection of solicited personal information
- CCG only collects personal information that is reasonably necessary for the business activities.
- CCG will only collect sensitive information in cases where the individual consents to the sensitive information being collected, except in cases where CCG is required to collect this information by law or direction from government departments, such as outlined earlier in this policy.
- All information collected is by lawful and fair means.
- CCG only collects solicited information directly from the individual concerned, unless it is unreasonable or impracticable for the personal information to only be collected in this manner.
Australian Privacy Principle 4 – Dealing with unsolicited personal information
- CCG may receive unsolicited personal information. In this situation, CCG will review the information to decide whether or not CCG could have collected the information for the purpose of the business activities. Where this is the case, CCG may hold, use and disclose the information appropriately as per the practices outlined in this policy.
- Where CCG could not have collected this information (by law or for a valid business purpose) CCG will immediately destroy or de-identify the information (unless it would be unlawful to do so).
Australian Privacy Principle 5 – Notification of the collection of personal information
- At the time of collection of the information CCG will advise the individual of:
- The reason for the collection of the information;
- Any law that requires the particular information to be collected;
- To whom the information may be disclosed;
- The purpose for which it will be used;
- The consequences for the individual if all or some personal information is not collected;
- Other organisations or persons to which the information is usually disclosed, including naming those parties;
- The identity and contact details, including the position title, telephone number and email address of a contact who handles enquiries and requests relating to privacy matters.
- Where possible, CCG ensures that the individual confirms their understanding of these details through signed declarations on the enrolment form and the website course application form acceptance of details acknowledgement.
Collection from third parties
- Where CCG collects personal information from another organisation, CCG will:
- Confirm whether the other organisation has provided the individual with the information regarding CCG’s requirement to collect personal information
- If this has not occurred, CCG will undertake this notice to ensure the individual is fully informed of the information collection.
Australian Privacy Principle 6 – Use or disclosure of personal information
- CCG only uses or discloses personal information it holds about an individual for the particular primary purposes for which the information was collected, or secondary purposes in cases where:
- An individual consented to a secondary use or disclosure;
- An individual would reasonably expect the secondary use or disclosure, and that is directly related to the primary purpose of collection;
- Using or disclosing the information is required or authorised by law; or
- Disclosure of information to essential third parties is required to substantiate the safe delivery of CCG functions or services.
Requirement to make a written note of use or disclosure for this secondary purpose
- If CCG uses or discloses personal information in accordance with an ‘enforcement related activity’ CCG will make a written note of the use or disclosure, including the following details:
- The date of the use or disclosure;
- Details of the personal information that was used or disclosed;
- The enforcement body conducting the enforcement related activity;
- If the organisation used the information, how the information was used by the organisation;
- The basis for our reasonable belief that we were required to disclose the information.
Australian Privacy Principle 7 – Direct marketing
- CCG does not use or disclose the personal information that it holds about an individual for the purpose of direct marketing, unless:
- The personal information has been collected directly from an individual and the individual has signed an agreement for this purpose; or
- CCG provides a simple method for the individual to request not to receive direct marketing communications (also known as ‘opting out’) also located on the enrolment form.
- An individual may also request in writing that CCG cease to use their information for the purpose of direct marketing. CCG will implement this request immediately.
Australian Privacy Principle 8 – Cross-border disclosure of personal information
- CCG does not implement any cross-border activities or operations and does not disclose personal information about an individual to any overseas recipients. If this occurs in any future operational activities, CCG will take reasonable steps to ensure that the recipient does not breach any privacy matters in relation to that information.
Australian Privacy Principle 9 – Adoption, use or disclosure of government related identifiers
- CCG does not adopt, use or disclose a government related identifier related to an individual except:
- In situations required by Australian law or other legal requirements;
- Where reasonably necessary to verify the identity of the individual;
- Where reasonably necessary to fulfil obligations to an agency or a State or Territory authority; or
- As prescribed by regulations.
Australian Privacy Principle 10 – Quality of personal information
- CCG takes reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete. CCG also takes reasonable steps to ensure that the personal information we use or disclose is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant. This is particularly important:
- When CCG initially collects the personal information; and
- When CCG uses or discloses personal information.
- CCG takes all steps possible to ensure personal information is factually correct and information is confirmed up-to-date at the point in time to which the personal information relates.
- Quality measures in place supporting these requirements include:
- Internal procedures that ensure personal information is collected and recorded in a consistent format, from a primary information source when possible;
- Ensuring updated or new personal information is promptly added to relevant existing records;
- Providing individuals with a simple means to review and update their information on an on-going basis;
- Reminding individuals to update their personal information at critical timeframes
- Contacting individuals to verify the quality of personal information where appropriate and when it is about to be used or disclosed, particularly if there has been a lengthy period since collection; and
- Checking that a third party, from whom personal information is collected, has implemented appropriate data quality practices and verification processes;
Australian Privacy Principle 11 — Security of personal information
- CCG takes active measures in maintaining the security of personal information held. This includes taking all reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
- CCG will destroy or de-identify personal information held once the information is no longer needed for any purpose for which the information may be legally used or disclosed.
- All access to areas where personal information is stored in CCG offices and online systems is limited to key CCG personnel only.
- CCG stores confidential records in secure areas where only authorised individuals have access.
- CCG provides training to staff on CCG’s privacy practices and procedures in the induction process and also provides information updates (when applicable) on privacy issues using the internal communication process and in staff meetings.
- CCG regularly monitors and reviews the adequacy and currency of security and access practices, procedures and systems implemented.
- CCG adheres to the National Data Breach Scheme and will implement all required procedures in the event of a breach of confidential data. (Refer to the Breach of Data Procedure)
Australian Privacy Principle 12 — Access to personal information
- CCG provides a process for individuals to access their information on request. In processing requests, CCG will:
- Confirm the identity of the individual, or of another person who is authorised to make a request on their behalf, when the request is made;
- Respond to a request for access:
- Within 14 calendar days, or if the request is denied, the individual will be provided with the reasons for refusal in writing, and the complaint mechanisms available to the individual;
Australian Privacy Principle 13 – Correction of personal information
- CCG takes reasonable steps to correct personal information held, and to ensure it is accurate, up-to-date, complete, relevant and not misleading, having regard to the purpose for which it is held.
Individual requests
- On an individual’s request, CCG will:
- Correct personal information held;
- Document the change; and
- Notify any third parties of corrections made to personal information, if this information was previously provided to these parties.
- In cases where CCG refuses access to personal information, CCG will:
- Give a written notice to the individual, including the reasons for the refusal and the complaint processes available to the individual;
- Take reasonable steps to associate a statement with the personal information that the individual believes it to be inaccurate, out-of-date, incomplete, irrelevant or misleading;
- Respond within 14 calendar days to these requests.
Correction of data
- CCG takes all reasonable steps to correct personal information held in cases where CCG is satisfied that the personal information held is inaccurate, out-of-date, incomplete, irrelevant or misleading (that is, the information is faulty). This awareness may occur through collection of updated information, through notification from third parties or through other means.
Scope
- This Policy applies to all personal information collected by CCG and ECG College staff, students, volunteers, CCG’s Board of Directors, prospective students, individual clients and other individuals.
- In general terms, any information is deemed to be confidential if it is not freely available in the public domain. All personal information is confidential.
Responsibilities
- Individuals are responsible for ensuring that any confidential information they produce or have access to is adequately protected and appropriately classified.
- All CCG and ECG College staff will not discuss any confidential information.
- The CEO, Directors, Managers and Principal are responsible for ensuring that employees understand their responsibility to maintain confidentiality of information at all times.
- The CEO holds ultimate responsibility for information privacy at CCG.
Procedures
- 131-1 Information Privacy Complaints Procedure
- 131-2 Data Breach Response Procedure
Relationships
Internal:
- Conflict of Interest Policy
- Staff and Student Code of Conduct and Disciplinary Policy & Procedures
- Information and Communications Technology Policy
- Records Management Policy & Procedure
- Legislative Compliance Policy
- Complaints and Appeals Policy & Procedure
- Student Access to Record Policy and Procedure
External:
- Privacy Amendment (Enhancing Privacy Protection) Act 2012
- Privacy and Data Protection Act 2014 (Vic)
- PROS 02/01 General Retention and Disposal Authority for the Records for Higher and Further Education Institutions
- National Data Breach Scheme
- Australian Qualifications Training Framework Essential Conditions and Standards for Continuing Registration
- Higher Education Skills Group Standard Contract Skills First Program
- Victorian Registration and Qualifications Authority Vet Provider Guidelines
- Victorian Registration and Qualifications Authority Minimum Standards for school registration
- The Information Privacy Act 2000 (Vic.)
- The Commonwealth Privacy Act 1988
- The Higher Education Support
- Information Privacy Act 2000 (Vic)
- National VET Data Policy
- Freedom of Information Act 1982
- Health Records Act 2001
- Student Identifiers Act 2014
- USI Privacy Notice
- The Electronic Transaction (Victoria) Act 2000
- The Personal Data Protection Act
- Child Safe Standards
- Child Information Sharing Scheme
- Victorian Government Public Health Orders and Ministerial Directions
Forms
- 602-1A Student Access to records form
- 421-1K Confidentiality Agreement and Conflict of Interest Form