Privacy Act 1988
All information and documentation collected by RETS on behalf of students and clients is maintained as per the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012. Only the Managing Director, relevant administrative staff, the relevant trainer and where necessary ASQA/Department of Industry will have access to student files. Under the traineeship scheme employers are also given access to student progression and completion. RETS gains permission for this use from trainees on the Student Application Form.
If a student file is required by another party, other than those listed above, the student must give written consent to have their file removed.
The following sections outline how RETS manages personal information as per the Australian Privacy Principles:
Australian Privacy Principle 1 – Open and transparent management of personal information
Purposes for information collection, retention, use and disclosure
RETS retains a record of personal information about all individuals with whom we undertake any form of business activity. RETS must collect, hold, use and disclose information from our clients and stakeholders for a range of purposes, including but not limited to:
• Providing services to clients;
• Managing employees and contractors;
• Promoting products and services;
• Conducting internal business functions and activities; and
• Requirements of stakeholders.
As a government registered training organisation, regulated by ASQA, RETS is required to collect, hold, use and disclose a wide range of personal and sensitive information on participants in nationally recognised training programs. This information requirement is outlined in the National Vocational Education and Training Regulator Act 2011 and associated legislative instruments. In particular, the legislative instruments:
• Student Identifiers Act 2014;
• Standards for Registered Training Organisations (RTOs) 2015; and
• Data Provision Requirements 2012.
RETS is also bound by State Government Acts requiring similar information collection, use and disclosure (particularly Education Act(s), Vocational Education & Training Act(s) and Traineeship & Apprenticeships Act(s) relevant to state jurisdictions of RETS operations).
RETS delivers services through NSW State Government funding contract agreement arrangements, which also include various information collection and disclosure requirements.
Individuals are advised that due to these legal requirements, RETS discloses information held on individuals for valid purposes to a range of entities including:
• Governments (Commonwealth, State or Local);
• Australian Apprenticeships Centres;
Kinds of personal information collected and held
The following types of personal information are generally collected, depending on the need for service delivery:
• Contact details;
• Employment details;
• Educational background;
• Demographic Information;
• Course progress and achievement information; and
• Financial billing information.
The following types of sensitive information may also be collected and held:
• Identity details;
• Employee details & HR information;
• Complaint or issue information;
• Disability status & other individual needs;
• Indigenous status; and
• Background checks (such as National Criminal Checks or Working with Children checks).
Where RETS collects personal information of more vulnerable segment of the community (such as children), additional practices and procedures are also followed. Please refer to RETS Working with Children Policy and Procedures for further information.
How personal information is collected
RETS collects any required information directly from the individuals concerned. This may include the use of forms (such as enrolment forms) and the use of web based systems (such as online forms).
How personal information is held
RETS uses robust storage and security measures at all times to retain student information. Information collected is:
• converted to electronic means as soon as practical;
• Stored securely in password protected systems, such as financial system, learning management system and student management system; and
• Monitored for appropriate authorised use at all times.
Only authorised personnel are provided with login information to each system, with system access limited to only those relevant to their specific role. RETS systems are hosted internally with robust internal security. Virus protection, backup procedures and ongoing access monitoring procedures are in place.
Destruction of paper based records occurs as required through the use of secure shredding.
Retention and Destruction of Information
Specifically, for our records, in the event of our organisation ceasing to operate the required personal information on record for individuals undertaking nationally recognised training with us would be transferred to ASQA, as required by law.
Accessing and seeking correction of personal information
RETS confirms all individuals have a right to request access to their personal information held and to request its correction at any time. In order to request access to personal records, individuals are to make contact with:
1300 850 980
A number of third parties, other than the individual, may request access to an individual’s personal information. Such third parties may include employers, parents or guardians, schools, Australian Apprenticeships Centres, Governments (Commonwealth, State or Local) and various other stakeholders.
In all cases where access is requested, RETS will ensure that:
• Parties requesting access to personal information are robustly identified and vetted;
• Where legally possible, the individual to whom the information relates will be contacted to confirm consent (if consent not previously provided for the matter); and
• Only appropriately authorised parties, for valid purposes, will be provided access to the information after consent is provided.
Australian Privacy Principle 2 – Anonymity and pseudonymity
RETS must require and confirm identification in service delivery to individuals for nationally recognised course programs. It is a Condition of Registration for all RTOs under the National VET Regulator Act 2011 that we identify individuals and their specific individual needs on commencement of service delivery, and collect and disclose Australian Vocational Education and Training Management of Information Statistical Standard (AVETMISS) data on all individuals enrolled in nationally recognised training programs. Other legal requirements, as noted earlier in this policy, also require considerable identification arrangements.
Australian Privacy Principle 3 — Collection of solicited personal information
RETS only collects personal information that is necessary for our business activities and that which is required by law under our government arrangements.
RETS only collects sensitive information in cases where the individual consents to the sensitive information being collected, except in cases where we are required to collect this information by law, such as outlined earlier in this policy.
All information RETS collect is collected only by lawful and fair means.
RETS only collects solicited information directly from the individual concerned, unless it is unreasonable or impracticable for the personal information to only be collected in this manner.
Australian Privacy Principle 4 – Dealing with unsolicited personal information
RETS may from time to time receive unsolicited personal information. Where this occurs we promptly review the information to decide whether or not we could have collected the information for the purpose of our business activities. Where this is the case, we may hold, use and disclose the information appropriately as per the practices outlined in this policy.
Where we could not have collected this information (by law or for a valid business purpose) we immediately destroy or de-identify the information (unless it would be unlawful to do so).
Australian Privacy Principle 5 – Notification of the collection of personal information
Whenever RETS collects personal information about an individual, we take reasonable steps to notify the individual of the details of the information collection or otherwise ensure the individual is aware of those matters. This notification occurs at or before the time of collection, or as soon as practicable afterwards.
Our notifications to individuals on data collection include:
• If the collection is required or authorised by law, including the name of the Australian law or other legal agreement requiring the collection;
• The purpose of collection;
• The consequences for the individual if all or some personal information is not collected;
• Other organisations or persons to which the information is usually disclosed, including naming those parties.
Where possible, we ensure that the individual confirms their understanding of these details, such as through signed declarations, or in person through questioning.
Collection from third parties
Where RETS collects personal information from another organisation, we:
1. Confirm whether the other organisation has provided the relevant notice above to the individual; or
2. Whether the individual was otherwise aware of these details at the time of collection; and
3. If this has not occurred, we will undertake this notice to ensure the individual is fully informed of the information collection.
Australian Privacy Principle 6 – Use or disclosure of personal information
RETS only uses or discloses personal information it holds about an individual for the particular primary purposes for which the information was collected, or secondary purposes in cases where:
• An individual consented to a secondary use or disclosure;
• An individual would reasonably expect the secondary use or disclosure, and that is directly related to the primary purpose of collection; or
• Using or disclosing the information is required or authorised by law.
Requirement to make a written note of use or disclosure for this secondary purpose
If RETS uses or discloses personal information in accordance with an ‘enforcement related activity’ we will make a written note of the use or disclosure, including the following details:
• The date of the use or disclosure;
• Details of the personal information that was used or disclosed;
• The enforcement body conducting the enforcement related activity;
• The basis for our reasonable belief that we were required to disclose the information.
Australian Privacy Principle 7 – Direct marketing
RETS does not use or disclose the personal information that it holds about an individual for the purpose of direct marketing, unless:
• The personal information has been collected directly from an individual, and the individual would reasonably expect their personal information to be used for the purpose of direct marketing; or
• The personal information has been collected from a third party, or from the individual directly, but the individual does not have a reasonable expectation that their personal information will be used for the purpose of direct marketing; and
• We provide a simple method for the individual to request not to receive direct marketing communications (also known as ‘opting out’).
On each of our direct marketing communications, RETS provides a prominent statement that the individual may request to opt out of future communications, and how to do so.
Australian Privacy Principle 8 – Cross-border disclosure of personal information
In the highly unlikely event that RETS discloses personal information about an individual to any overseas recipient, we undertake take reasonable steps to ensure that the recipient does not breach any privacy matters in relation to that information.
Australian Privacy Principle 9 – Adoption, use or disclosure of government related identifiers
RETS does not adopt, use or disclose a government related identifier related to an individual except:
• In situations required by Australian law or other legal requirements;
• Where reasonably necessary to verify the identity of the individual;
• Where reasonably necessary to fulfil obligations to an agency or a State or Territory authority; or
• As prescribed by regulations.
Australian Privacy Principle 10 – Quality of personal information
RETS takes reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete. RETS also takes reasonable steps to ensure that the personal information we use or disclose is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant. This is particularly important where:
• When we initially collect the personal information; and
• When we use or disclose personal information.
RETS takes steps to ensure personal information is factually correct. In cases of an opinion, we ensure information takes into account competing facts and views and makes an informed assessment, providing it is clear this is an opinion. Information is confirmed up-to-date at the point in time to which the personal information relates.
Quality measures in place supporting these requirements include:
• Internal practices, procedures and systems to audit, monitor, identify and correct poor quality personal information;
• Ensuring updated or new personal information is promptly added to relevant existing records.
Australian Privacy Principle 11 — Security of personal information
RETS takes active measures to consider whether we are able to retain personal information we hold, and also to ensure the security of personal information we hold. This includes reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
RETS destroys personal information held once the information is no longer needed for any purpose for which the information may be legally used or disclosed.
Access to RETS offices and work areas are limited to our personnel only - visitors to our premises must be authorised by relevant personnel and are accompanied at all times. With regard to any information in a paper based form, we maintain storage of records in an appropriately secure place to which only authorised individuals have access.
Australian Privacy Principle 12 — Access to personal information
Where RETS holds personal information about an individual, we provide that individual access to the information on their request. In processing requests, we:
• Ensure through confirmation of identity that the request is made by the individual concerned, or by another person who is authorised to make a request on their behalf;
• Provide information access free of charge.
Australian Privacy Principle 13 – Correction of personal information
RETS takes reasonable steps to correct personal information we hold, to ensure it is accurate, up-to-date, complete, relevant and not misleading, having regard to the purpose for which it is held.
On an individual’s request, we:
• Correct personal information held; and
• Notify any third parties of corrections made to personal information, if this information was previously provided to these parties.
Correcting at RETS initiative
We take reasonable steps to correct personal information we hold in cases where we are satisfied that the personal information held is inaccurate, out-of-date, incomplete, irrelevant or misleading (that is, the information is faulty). This awareness may occur through collection of updated information, in notification from third parties or through other means.