SGSCC – ST GEORGE & SUTHERLAND COMMUNITY COLLEGE
POLICY ON PRIVACY/CONFIDENTIALITY
This policy applies to:
2.1 SGSCC employees/contractors
2.2 SGSCC clients/students
3.1 Australian Privacy Principles 2014 (APP)
3.2 Privacy Amendment (Enhancing Privacy Protection) Act 2012
3.3 Privacy Act 1988 (Commonwealth)
3.4 Privacy Amendment (Notifiable Data Breaches) Act 2017
3.5 Freedom of Information Act 1989
3.6 Policy & Procedure on Copyright
3.7 The Health Records and Information Privacy Code of Practice 2005 (NSW)
3.8 Privacy, Confidentiality & Client Records Policy & Procedure –SGSCC disAbility
3.9 Policy & Procedure for Handling Client/Customer Complaints
SGSCC or the College --St George & Sutherland Community College Inc. For the purposes of this policy includes all College departments: SGSCC WorkSkills, SGSCC International, SGSCC disAbility, SGSCC SchoolAge, SGSCC English, SGSCC Leisure. A SGSCC disAbility policy and procedure outlines privacy and confidentiality issues specific to that department.
AVETMISS-Australian Vocational and Education and Training Management Information Statistical Standard. Administered by National Centre for Vocational Education Research (NCVER) a not-for-profit company owned by the Commonwealth and state and territory ministers responsible for vocational education and training.
PRISMS- Provider Registration and International Student Management System- through the Department of Education (Commonwealth)
4D/GLEP- A SGSCC student and tutor database that contains personal information
ONCOURSE - A SGSCC student and tutor database used for courses that contains personal information
ASQA- Australian Skills Quality Authority is the national regulator for Australia’s vocational education and training sector. ASQA regulates courses and training providers to ensure nationally approved quality standards are met.
NDIS – National Disability Insurance Scheme
NDIA- National Disability Insurance Agency
PRODA- Provider Digital Access- Australian Government: Department of Human Services.
Stakeholder- students, clients, customers, employees, volunteers, supplies as relevant to the situation
5.1 St George and Sutherland Community College (SGSCC) and its related bodies corporate recognise the importance of protecting the privacy and the rights of individuals in relation to their personal information.
SGSCC recognises that all employees, students, clients and suppliers have a right to privacy and confidentiality in relation to information known or held by the College concerning them. The College conforms to its legal requirements as outlined in Section 3.0 above. Information will not be released without informed written consent or legal obligation within the parameters of the aforementioned legislation. A SGSCC disAbility policy and procedure outlines privacy and confidentiality issues specific to that department.
This policy conforms to the Privacy Act 1988 (Cth), the Australian Privacy Principles 2014 and the Privacy Amendment (Notifiable Data Breaches) Act 2017 which govern the collection, use, access, disclosure, storage and data breaches of personal information
5.2 Personal information SGSCC may collect and hold
We may collect the following types of personal information:
- Mailing or street address;
- Email address;
- Telephone number;
- Facsimile number;
- Mobile number;
- Age or birth date;
- School level;
- Pension Status;
- Credit Card details for payment of services (destroyed after processing);
- Employment and employer status;
- Country of Birth;
- Language spoken at home;
- Disability and special needs status;
- Aboriginality or Torres Strait origin status;
- Residency Status;
- Details of the courses and services purchased from SGSCC or which have been enquired about, together with any additional information necessary to deliver those courses and services and to respond to enquiries;
- Any additional information relating to stakeholders that have been provided to SGSCC directly through websites or indirectly through use of SGSCC websites or online presence, through SGSCC representatives or otherwise;
- Information provided to SGSCC through any College centre, customer surveys;
- Records of student results of accredited programs;
SGSCC may also collect some information that is not personal information because it does not identify anyone. For example, anonymous answers to surveys or aggregated information about how users use the website, statistical analysis.
5.3 Business Partners
SGSCC may collect contact details, name of contact person and/or organisation/business, bank details (to receive payment or make payments for services), Australian Business number (ABN), and insurance details. Primary purpose for which information is collected is to provide or receive services, process payments, establish and manage partnerships.
5.4 Methods for Collecting Personal Information
SGSCC collects personal information directly from stakeholders unless it is unreasonable or impracticable to do so. When collecting personal information SGSCC may collect in ways including:
Through access and use of College websites;
- During conversations between a stakeholder and SGSCC employees; or
- When an enrolment is completed either via phone, web, fax or in person;
- When details are provided for a waiting list;
SGSCC may also collect personal information from third parties including:
- From third party companies such as credit reporting agencies, law enforcement agencies and other government entities;
- When more than one person is being enrolled using a single credit card;
SGSCC may log IP addresses (that is, the electronic addresses of computers connected to the internet) to analyse trends, administer the website, track users movements, and gather broad demographic information.
5.6 Why SGSCC needs personal information
If personal information as described above is not provided, some or all of the following may happen:
- SGSCC may not be able to provide the requested courses or services to individuals, either of the same standard or at all;
- SGSCC may not be able to provide information about courses and services that may be wanted by individuals, including information about discounts, sales or special promotions;
- SGSCC may be unable to tailor the content of its websites to stakeholder preferences and individual experience of SGSCC websites may not be as enjoyable or useful;
- SGSCC will not be able to provide Statements and Certificates to students in accredited courses;
- Some government funds may not be available for specific courses and services;
- Employees/contractors/volunteers may not be able to be employed or placed ;
5.7 Purposes for collecting, holding, using and disclosing personal information.
SGSCC collects personal information so that it can perform education and training, lifelong learning activities, business activities and functions and to provide best possible quality of customer service. SGSCC collects, holds, uses and discloses personal information for the following purposes:
- To provide services, education, training and courses to stakeholders and to send communications requested by them;
- To provide Statements and Certificates for qualifications gained in an accredited course;
- To answer enquiries and provide information or advice about existing and new courses or services;
- To provide access to protected areas of SGSCC websites;
- To assess the performance of the website and to improve the operation of the website;
- To conduct business processing functions including providing personal information to our tutors, peak body CCA- Community Colleges Australia, service providers;
- Data and statistical information needed by Government agencies through 4D/GLEP, ONCOURSE, AVETMISS, PRISM, PRODA or other third parties (although some information maybe encrypted to remove personal identifiers);
- For the administrative, marketing (including direct marketing), planning, course or service development, quality control and research purposes of the above mentioned data collection government agencies, its related bodies corporate, service providers;
- To provide updated personal information to the above mentioned groups;
- To update SGSCC records and keep contact details up to date;
- To process and respond to any complaint made by stakeholders; and
- To comply with any law, rule, regulation, lawful and binding determination, decision or direction of a regulator or funding body, or in co-operation with any governmental authority or any other country as applicable.
5.8 Personal Information may be disclosed to:
- SGSCC employees, relevant government departments and funding bodies, peak bodies, tutors or service providers for the purposes of operation of SGSCC website or business, fulfilling requests by stakeholders, and to otherwise provide education and training and courses and services to stakeholders including, without limitation, web hosting providers, IT systems administrators, mailing houses, international recruitment agencies, couriers, payment processors, data entry service providers, electronic network administrators, debt collectors, and professional advisors such as accountants, solicitors, business advisors and consultants;
- Suppliers and other third parties with whom SGSCC has commercial relationships, for business, marketing, and related purposes; and
- Any organisation for any authorised purpose with stakeholder express consent.
SGSCC may combine or share any information that we collect from Stakeholders with information collected by any of the aforementioned (within Australia).
5.9 Direct marketing materials
SGSCC may send you direct marketing communications and information about courses and services that SGSCC consider may be of interest. These communications may be sent in various forms, including mail, SMS, fax and email, in accordance with applicable marketing laws, such as the Spam Act 2003 (Cth). If a preference for a method of communication is indicated to SGSCC, it will endeavour to use that method whenever practical to do so. In addition, at any time stakeholders may opt-out of receiving marketing communications from SGSCC by contacting the Privacy Officer (see the details below) or by using opt-out facilities provided in the marketing communications and SGSCC will then ensure that the name is removed from the mailing list. SGSCC does not provide personal information to other organisations for the purposes of direct marketing.
5.10 How to access and correct personal information
Stakeholders may request access to any personal information SGSCC holds at any time by contacting The Privacy Officer (see the details below). Where SGSCC holds information that stakeholders are entitled to access, SGSCC will try to provide a suitable means of accessing it (for example, by mailing or emailing it). All requests must be in writing and include a photocopy of a primary source of identification such as a photo identification.
SGSCC will not charge for simply making the request and will not charge for making any corrections to personal information. Copies of qualifications and certificates will attract an administration charge. (available by contacting the relevant department) There may be instances where SGSCC cannot grant access to the personal information held. For example, SGSCC may need to refuse access if granting access would interfere with the privacy of others or if it would result in a breach of confidentiality. If that happens, SGSCC will give written reasons for any refusal.
If a stakeholder believes that personal information SGSCC holds about them is incorrect, incomplete or inaccurate, then a request may be made to amend it. SGSCC will consider if the information requires amendment. If SGSCC does not agree that there are grounds for amendment then SGSCC will add a note to the personal information stating that the stakeholder disagrees with it.
5.11 Process for complaining about a breach of privacy
If a stakeholder believes that their privacy has been breached, the Privacy Officer can be contacted using the contact information below providing details of the incident so that SGSCC can investigate it. SGSCC procedure for investigating and dealing with privacy breaches is for the Privacy Officer to notify the Manager of the relevant area of the College. The Manager will notify the Principal and thoroughly investigate and remedy immediately if findings warrant. The stakeholder and Principal will be informed of the outcome. If the stakeholder is not happy with the outcome the SGSCC complaints policy will be followed, a copy of which will be provided to the stakeholder on request.
5.12 Personal information disclosed outside of Australia
SGSCC may disclose personal information to third party suppliers and service providers located overseas including email and survey services and International recruitment agents for international students.
SGSCC take reasonable steps to ensure that the overseas recipients of personal information do not breach the privacy obligations relating to personal information. SGSCC may disclose personal information to entities located outside of Australia, including the following:
SGSCC takes reasonable steps to ensure personal information is protected from misuse and loss and from unauthorised access, modification or disclosure. SGSCC may hold information in either electronic or hard copy form. Personal information is destroyed or de-identified when no longer needed. As SGSCC websites are linked to the internet, and the internet is inherently insecure, SGSCC cannot provide any assurance regarding the security of transmission of information communicated to us online. SGSCC also cannot guarantee that the information supplied will not be intercepted while being transmitted over the internet. Accordingly, any personal information or other information which is transmitted to SGSCC online is transmitted at the stakeholder’s own risk.
SGSCC website may contain links to other websites operated by third parties. SGSCC make no representations or warranties in relation to the privacy practices of any third party website and are not responsible for the privacy policies or the content of any third party website. Third party websites are responsible for informing stakeholders about their own privacy practices.
5.15 Mandatory Data Breach Notification.
Any suspected data breach will be immediately reported to the Privacy Officer who will investigate and consult the SGSCC IT contractor if necessary. If it is concluded that there has been a serious breach of data such as unauthorised access to, unauthorised disclosure of, or loss of personal information held by SGSCC, the Privacy Commissioner and any affected individuals will be notified as per requirements under the Privacy Amendment (Notifiable Data Breaches) Act 2017. SGSCC will provide notice of any serious data breach to the Australian Information Commissioner (Commissioner) via the Notifiable Data Breach Form https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB
5.16 Contacting SGSCC
SGSCC will treat requests or complaints confidentially. SGSCC’s representative will contact stakeholders within a reasonable time after receipt of questions and complaints to discuss concerns and outline options regarding how they may be resolved. SGSCC will aim to ensure that issues are resolved in a timely and appropriate manner.
Please contact our Privacy Officer at:
St George & Sutherland Community College
Post: PO Box 404 Jannali 2226
Tel: 02 8543 7417
5.18 Staff and student home telephone numbers, addresses and emails will not be given out at any time except at the beginning of each course when tutors/trainers will be provided with a class roll containing this information for communication purposes. Staff will only use information for direct communication with the student concerned and will not give out this information to other students or other agencies or use this information for private or commercial purposes. Breach of this policy will incur legal action and/or discipline of the staff member.
Students can choose not to receive promotional communication from the College at any time. All direct marketing will contain information on a simple method to elect not to receive promotional communications.
Students or prospective students who desire contact with the tutor prior to class commencement are informed that the tutor will contact them if possible. Staff will get permission from the student to pass on their contact details to the tutor who will either phone or email them.
Signed permission will be sought from students if their email may be revealed to other students if the need for group emailing of students in a class is required. This will only be for the duration of the course and the blind copy option will STILL be used wherever possible by staff and tutors to protect the privacy of students.
Staff and tutors will ensure that email addresses are not inadvertently relayed to a third party. The blind copy option can be used to avoid this.
5.19 Employee and Volunteer Personnel files- These files may contain contact details, personal details and emergency contact person’s, date and country of birth, citizenship and/or visa details, previous employment or volunteer involvement, resumes, qualifications, identity photocopies (e.g. driver’s licence), referees reports, a copy of the employee’s contract, all correspondence relating to job description changes, salary & leave changes, leave entitlements. National Criminal Checks and Working with Children Checks records are also included in files if relevant to the position and department of the employee or volunteer. Access to personnel information is restricted to the individual employee or volunteer, CEO, HR Manager and relevant supervisor. Personal details will not be given out to third parties at any time. Messages will be relayed to the staff member or volunteer concerned by a member of the office staff. Personal information is held securely in locked cabinets- all employees by the Human Resources Manager, volunteers in the relevant department.
5.20 Data collected regarding staff and students will be held for the required length of time and in a secure place that ensures only authorised persons have access according to legislative and government statistical requirements. All staff records will be placed in a locked file. All staff and student information held on computer will only be accessed by authorised personnel using passwords.
All rolls, including tutor ‘take home’ copies are returned to the Jannali office following the final session to be securely stored for the required duration. For VET accredited courses with assignments and assessments the Tutor/Assessor will return the tutor copy with the last marked assignment or assessment.
5.21 Staff and students will only be photographed or recorded for promotional purposes with their permission. A release form will be completed and signed.
5.22 Staff and students will not have their name or work included on the College Web sites without signed consent being obtained
5.23 Information will not be given out regarding suppliers unless directly requested by them.
5.24 Requests for release of information other than an individual’s personal information must be addressed in writing to the Principal and contain excerpts from the relevant acts empowering the individual, organisation or government department to ask for information. Each such written request will then be submitted to the College lawyers for validation/ratification. Otherwise information will only be released on subpoena.
5.25 Student Records
Students have the right to view their own records. All requests must be in writing and include a photocopy of a primary source of identification such as a photo identification.
5.26 Replacement certificates for accredited courses
All requests for certificates to replace those that have been lost or damaged must be in writing and include a photocopy of a primary source of identification such as a driving licence or other photo identification. A fee may be charged for replacement certificates.
5.27 Prospective employees who were unsuccessful in their application will be asked for permission for SGSCC to retain Resumes on file for any future positions.
5.28 Information that is confidential to the College must be kept as confidential by all staff and suppliers. This includes but is not limited to documents that are not released to the public or competitors because of commercial in confidence considerations, eg:
- Price setting documents
- Tender application documents
- Letters of complaint
- Planning and marketing documents
- Signed contracts- including employment contracts an/or letters of appointment
- Class manuals prepared by staff paid by the College to do so
- Employee personnel files
5.29 Unsolicited Personal Information
Unsolicited personal information is information that was not requested. For example it could be misdirected mail/email meant for another party. SGSCC will determine in a reasonable time if any suspected unsolicited personal information that it receives could have been requested and direct it to the appropriate department concerned. If it has been determined that the personal information has not been requested SGSCC will securely destroy or de-identify the information immediately unless it is contained in a Commonwealth record or it is unlawful or unreasonable to do so.
5.30 Pseudonymity and Anonymity
Enquiring about services via phone, reception counter, interview or email or accessing or searching SGSCC websites can be done without providing personal information. Some SGSCC services and funded programs cannot be provided without the provision of personal information. Any person who would like access to services on an anonymous basis or using a pseudonym can contact the privacy officer. If this is possible and lawful, SGSCC will take all reasonable steps to comply with requests.
6.1 Media Release Authorisation
6.2 Media Release Authorisation Form for Groups
6.4 PS01- Complaints Policy