Informing you about good privacy practices
Welcome back to TRANSPARENT – a quarterly newsletter providing information to help you meet your privacy obligations under the Student Identifiers Act 2014 (SI Act) and the Privacy Act 1988 (Privacy Act).
This newsletter is published by the Unique Student Identifier (USI) Office and written in collaboration with the Office of the Australian Information Commissioner (OAIC), the regulator of the Privacy Act.
In this newsletter, we focus on the Australian Privacy Principles (APPs) and what you need to know about privacy policies and best practice privacy practices.
We hope you find the newsletter helpful and look forward to receiving your feedback on this edition.
IMPORTANT NOTE: The Privacy Act, including the APPs, applies to APP entities only. To determine whether your training organisation is an APP entity, refer to Chapter B of the APP Guidelines.
Inside this edition
- How do the Australian Privacy Principles apply to you?
- What to do before collecting personal information?
- What personal information can I collect?
- What is sensitive information?
- What to tell people when collecting personal information?
- How to use and disclose personal information?
- How to secure and store personal information?
- What to do when you no longer need personal information?
- Who is the Office of the Australian Information Commissioner?
- What is in the next edition?
How do the Australian Privacy Principles apply to you?
When you apply for a USI on behalf of a student, you need to collect personal information from the student including their name, gender, date and place of birth and contact details, and some form of identification.
Unauthorised collection, use or disclosure of a USI, failure to destroy personal information that was collected solely for a USI application, and failure to protect USI records each breach both the SI Act and the Privacy Act.
The Privacy Act contains 13 APPs, which set out how you must collect, hold, use, disclose and destroy personal information.
What to do before collecting personal information?
Your privacy obligations begin with APP 1, which ensures entities manage personal information in an open and transparent way.
APP 1 requires you to:
- take reasonable steps to implement practices, procedures, and systems that support your compliance with all of the APPs. What steps are reasonable for your entity will depend on your circumstances, including what types of personal information you hold, the potential consequences of a data breach, and how practical it is to put in place various practices;
- deal with privacy inquiries and complaints; and
- have a clearly expressed and up-to-date privacy policy about how you manage personal information. The policy must cover:
  - the kinds of personal information you collect and hold;
  - how you collect and hold personal information;
  - why you collect, hold, use, and disclose personal information;
  - how individuals can access and correct their personal information;
  - your complaints handling process (i.e. how individuals can make a complaint and how you will deal with a complaint); and
  - whether you disclose personal information to overseas recipients.
It is important to consider these requirements, and how you will meet them, before collecting personal information. You should also regularly review the steps you have in place to comply with APP 1, to ensure they are updated as your circumstances change.
Read Chapter 1 of the APP Guidelines for additional examples and information.
What personal information can I collect?
Under APP 3, you can collect personal information that is ‘reasonably necessary’ for your functions or activities.
When deciding whether it is reasonably necessary to collect personal information, consider why you are collecting it, how you are going to use it, and whether you could undertake the relevant function or activity without collecting the personal information.
Read Chapter 3 of the APP Guidelines for further information about collecting personal information.
Under the SI Act, you are only able to collect or verify a USI with the express or implied consent of the individual unless an exception applies. More information is available in Privacy and the Unique Student Identifier, published on the USI website.
What is sensitive information?
When a registered training organisation (RTO) collects information about someone’s place of birth, they may be collecting sensitive information. This is because someone’s place of birth may indicate their racial or ethnic origin.
‘Sensitive information’ is a category of personal information. It includes information about an individual’s health, racial or ethnic origin, political opinions or affiliations, religious or philosophical beliefs or affiliations, sexual orientation or practices, criminal record or biometric data (i.e. information about an individual’s physical characteristics).
APP 3 includes additional requirements around the collection of sensitive information. Individuals must consent to the collection unless an exception applies under the Privacy Act, such as where the collection is authorised or required by law.
Therefore, an individual must give their consent for you to collect information about their place of birth to apply for a USI on their behalf.
Read Chapter B of the APP Guidelines for further information about sensitive information.
What to tell people when collecting personal information?
APP 5 requires you to take reasonable steps to notify individuals, or to ensure they are aware of certain matters (listed in Chapter 5 of the APP Guidelines), when you collect their personal information. If it is not practicable to do this when you collect the information, you must do so as soon as practicable after collection.
The purpose of an APP 5 privacy notice is to ensure individuals are able to make informed choices about sharing their personal information with entities.
An APP 5 privacy notice can be presented in a variety of ways, as long as the information it provides is clear. For instance, you may consider including a brief privacy notice on a form or sign, in addition to a longer notice available online.
Note that the National VET Data Policy requires all RTOs to give students the privacy notice at Schedule 1 of the policy. In addition, where your organisation applies for a USI on behalf of a student, you must give the student the privacy notice on the USI website.
Read Chapter 5 of the APP Guidelines for further information.
How to use and disclose personal information?
Under APP 6, you can only use or disclose personal information for a purpose for which it was collected. You can use personal information for a secondary purpose if an exception applies under the Privacy Act.
Additional protections apply to the use or disclosure of a USI. Under the SI Act, you can only use or disclose a USI with the express or implied consent of the individual. However, this requirement does not apply where the use or disclosure by an RTO is authorised by the Student Identifiers Regulation 2014, for example:
- to meet its obligations under the VET standards and government contracts;
- to assist in establishing the eligibility of a student for a training subsidy; or
- to deliver a VET course to a student.
Read Chapter 6 of the APP Guidelines for more information on the use and disclosure of personal information. You can find more information about the collection, use, and disclosure of USIs in Privacy and the Unique Student Identifier, published on the USI website.
How to secure and store personal information?
If you hold personal information, APP 11 requires you to take reasonable steps to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Similar requirements exist under the SI Act in relation to USI records.
When deciding what steps to take, you should consider all the personal information you handle, where and how it is stored and the risks associated with that information. You should also consider whether you need to take additional steps to protect personal information that presents greater privacy risks, such as sensitive information.
Read Chapter 11 of the APP Guidelines for more information about security of personal information.
What to do when you no longer need personal information?
APP 11 also requires you to take reasonable steps to destroy or de-identify personal information when you no longer need it for any permitted use or disclosure under the APPs.
Similarly, where an individual has authorised you to create a USI on their behalf, you are required by the SI Act to destroy any personal information collected solely for that purpose as soon as possible after the USI application has been made, or if it is no longer needed for that purpose. The only exception to this is where you are required by another law to retain the information; for example, where you must retain the information as proof of a student’s eligibility for a VET Student Loan.
Read the Guide to securing personal information for examples and information on what you should consider when developing policies and procedures for the destruction and de-identification of personal information.
Who is the Office of the Australian Information Commissioner?
The USI Office works with the OAIC to protect students’ personal information.
The OAIC is an independent Commonwealth statutory agency responsible for regulating Commonwealth privacy and freedom of information laws (the Privacy Act and the Freedom of Information Act 1982). The OAIC is responsible for privacy functions conferred by the Privacy Act as well as other legislation, including the SI Act.
Further information on the functions of the OAIC is available on the OAIC website.
What is in the next edition?
The next edition will discuss:
- examples of good privacy training;
- information and tips about accountability; and
- examples of how to implement privacy policies and procedures.