Purpose

All members of Group Colleges Australia Group of Companies (GCA) will follow the Australian Privacy Principles in the management of all student and staff information, however allowing access to all information as required by relevant National and State Training Authorities for the purpose of monitoring and/or auditing GCA’s operations as a higher education provider under the Higher Education Standards Framework (Threshold Standards) 2021. GCA acknowledges its obligation with the collection, storage and use of this information under the Privacy Act 1988, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and the Australian Privacy Principles (APPs), and the Privacy Amendment (Notifiable Data Breaches) Act 2017.

This policy sets out GCA's commitment to protecting personal information and outlines the GCA privacy management plan.

The purpose of this privacy policy is to:

• Describe the types of personal information that we collect, hold, use and disclose; outline our personal information handling systems and practices;
• Enhance the transparency of our management of personal information;
• Explain our authority to collect personal information, why it may be held by us, how it is used and how it is protected;
• Notify whether we are likely to disclose personal information and, if so, to whom;
• Provide information on how personal information can be accessed, correct it if necessary and complain if you believe it has been wrongly collected or inappropriately handled.

Scope

This policy applies to all GCA staff, students, contractors and partners. The policy does not apply to personal information that is:

• In a publicly available publication
• Kept in a library, art gallery or museum, for study or exhibition purposes
• A public record that is available for public inspection or
• An archive within the meaning of the Commonwealth Copyright Act 1968.

INTRODUCTION

The Privacy Act

GCA, including its employees, contractors and agents, is subject to the Privacy Act 1988 (the Privacy Act) and to the requirements of the Australian Privacy Principles (APPs) contained in the Privacy Act.

The APPs regulate how we as an organisation can collect, hold, use and disclose personal information and how you can access and correct that information.

Detailed information and guidance about the APPs can be found on the website of the Office of the Australian Information Commissioner (OAIC).

Information Covered Under This Policy

This Privacy Policy embodies GCA’s commitment to protecting the privacy of personal information. It applies to personal information collected by GCA and all its personnel regardless of their role.

It covers how we collect and handle personal information, including sensitive information.

‘Sensitive information’ means personal information about staff and students that are of a sensitive nature, including information about health, genetics, biometrics or disability; racial or ethnic origin; religious, political or philosophical beliefs; professional association or trade union memberships, sexuality; or criminal record1. Special requirements apply to the collection and handling of sensitive information.

This privacy policy is not intended to cover our handling of commercially sensitive information or other information that is not personal information as defined in the Privacy Act.

Collection of Personal Information

Personal information collected by the GCA from staff or students may be collected directly from them, or on their behalf from a representative they have authorised.

Under the APPs, we will only collect information for a lawful purpose that is reasonably necessary for, or directly related to, one or more of our functions and activities relevant to your relationship with the GCA, or where otherwise required or authorised by law.

When we collect personal information, we are required under the APPs to notify you of a number of matters. These include the purposes for which we collect the information, whether the collection is required or authorised by law, and any person or body to whom we usually disclose the information.

Privacy notices and declarations are included on all relevant documentation (e.g. Declaration on the enrolment form, information in the Student Training Manual, and induction declaration).

Types of Personal Information Collected by Us

We collect and hold a broad range of personal information in records for our functions and activities as a higher education provider relating to:

1. Employment and personnel matters for our staff and contractors (including working with children check and criminal history record checks);
2. The performance of our legislative and administrative functions (e.g. enrolment information, AVETMISS data);
3. Individuals participating in our courses;
4. The management of contracts and funding agreements; and
5. Complaints (including privacy complaints) made and feedback provided to us.

This personal information may include but is not limited to:

• Staff or students name, address and contact details (e.g. phone, email and fax);
• Photographs, video recordings and audio recordings of you
• Information about your personal circumstances (e.g. marital status, gender, emergency contact information)
• Information about your financial details (e.g. payment details, bank account details)
• Information about your identity (e.g. date of birth, country of birth, passport details, visa details, driving licence)
• Information about your educational background (e.g. qualifications, English proficiency score)
• Government identifiers such as Tax File Number and
• Information about assistance provided to you under our funding arrangements.

Collection of Sensitive Information

In carrying out our functions and activities we may collect personal information that is sensitive information (see section 1.2). The APPs impose additional obligations on us when collecting, using or disclosing sensitive information. We may only collect sensitive information:

• Where consent is provided; or
• Where required or authorised by law; or
• Where a permitted general situation exists such as to prevent a serious threat to safety.

We also collect sensitive information where authorised to do so for the purposes of human resource management, fraud investigations, taking appropriate action against suspected unlawful activity or serious misconduct, and responding to inquiries by courts, tribunals and other external review bodies.

Collection of Unsolicited Information

Sometimes personal information is not sought by us but is delivered or sent to us by either the individual or a third party without prior request.

Where unsolicited information is received by us, we will, within a reasonable period, determine whether that information is directly related to one or more of our functions or activities.

If this cannot be determined, we will, as soon as practicable, destroy or de-identify the information. If this can be determined we will notify you of the purpose of collection and our intended uses and disclosures according to the requirements of the APPs, unless it is impracticable or unreasonable for us to do so.

How We Collect Personal Information?

We primarily use forms and other electronic or paper correspondence to collect your personal information. By signing paper documents or agreeing to the terms and conditions and disclaimers for electronic documents you are consenting to the collection of any personal information you provide to us.

We may also collect personal information if you:

• Communicate with us by telephone, mail, email, fax or SMS; attend a face-to-face meeting or event conducted by us;
• Use our websites; and
• Interact with us on our social media platforms (e.g. Twitter, Instagram and Facebook)

Remaining Anonymous or Using a Pseudonym

We understand that anonymity is an important element of privacy and you may wish to remain anonymous or use a pseudonym when interacting with us.

In some cases, staff or students will be able to advise us that they wish to remain anonymous or use a pseudonym during your contact with us. However, there will be occasions where it will not be practicable for them to remain anonymous or use a pseudonym and we will notify them accordingly at the time of collection. For example, it may be impracticable for the GCA to investigate and resolve a particular complaint unless the staff or student provides their name or similar information.

Information Collected by Our Contractors

Under the Privacy Act, we are required to take contractual measures to ensure that contracted service providers (including subcontractors) comply with the same privacy requirements applicable to us.

Storage and Data Security

Storage

We hold personal information in a range of paper-based and electronic records.

Storage of personal information (and the disposal of information when no longer required) is managed in accordance with the requirements set out by the Tertiary Education Quality and Standards Agency (TEQSA). This ensures your personal information is held securely.

Data Security

We take all reasonable steps to protect the personal information held in our possession against loss, unauthorised access, use, modification, disclosure or misuse.

Access to personal information held by us is restricted to authorised persons who are GCA employees or contractors, on a need-to-know basis.

For more information on Data Security, please contact our GCA IT Department.

Data Quality

We take all reasonable steps to ensure that the personal information we collect is accurate, up-to-date, complete, relevant and not misleading.

These steps include responding to requests to correct personal information when it is reasonable and appropriate to do so. For further information on correcting personal information see later in this document.

For more information on Data Quality, please contact our GCA IT Department.

Purposes for Which Information Is Collect, Held, Used and Disclosed

We collect personal information for a variety of different purposes relating to our functions and activities including:

• Performing our employment and personnel functions in relation to our staff and contractors; performing our legislative and administrative functions;
• Policy development, research and evaluation; complaints handling;
• Program management;
• Contract management; and
• Management of correspondence.

Personal information collected during the enrolment process is used by GCA to meet its compliance obligations under the ESOS Act 2000 and the National Code 2018.

We use and disclose personal information for the primary purpose for which it is collected. You will be given information about the primary purpose of collection at the time the information is collected.

We will only use personal information for secondary purposes where we are able to do so in accordance with the Privacy Act. This may include where you have consented to this secondary purpose, or where the secondary purpose is related (or if sensitive information, directly related) to the primary purpose and you would reasonably expect us to use or disclose the information for the secondary purpose, where it is required or authorised by law or where a permitted general situation exists such as to prevent a serious threat to safety.

Likely secondary purposes for which we may use or disclose your personal information include but are not limited to quality assurance, auditing, reporting, research, evaluation and analysis, and promotional purposes.

Under its obligations with the Education Services for Overseas Students Act (ESOS ACT) 2000 and the National Code of Practice for Registration Authorities and Providers of Education and Training to Overseas Students 2018 (the National Code), GCA may provide personal information collected during the enrolment process to Commonwealth and State agencies and the Tuition Protection Service (TPS) and the TPS Director.

Note that we may disclose your personal information to Australian Government agencies including Services Australia, where this is required or authorised by Australian law. Information about your enrolment with GCA may be disclosed if you are claiming or receiving a payment from Services Australia. You are required to notify Services Australia of any change in circumstances that may affect your payment. All personal information disclosed to Services Australia is protected by Law including the Privacy Act.

Personal information may be shared with other sections of GCA and for placement purposes with other educational institutions.

Any staff member who becomes aware of an actual or potential privacy breach must notify the Privacy Officer of GCA the Compliance Director immediately.

Electronic Communication

There are inherent risks associated with the transmission of information over the internet, including via email. Staff and students should be aware of this when sending personal information to us via email or via our website or social media platforms. If this is of concern to you then you may use other methods of communicating with us, such as post, fax or telephone (although these also have risks associated with them).

Disclosure of Personal Information Overseas

We will, on occasion, disclose personal information to overseas recipients. The situations in which we may disclose personal information overseas include:

• The publication on the internet of material that may contain personal information, such as photographs, video recordings and audio recordings; and posts and comments on our social media platforms;
• The provision of personal information to overseas researchers or consultants (where consent has been given for this or we are otherwise legally able to provide this information);
• The provision of personal information to recipients using a web-based email account where data is stored on an overseas server; and
• The provision of personal information to foreign governments and law enforcement agencies (in limited circumstances and where authorised by law).

We will not disclose your personal information to an overseas recipient unless at least one of the following applies:

• The recipient is subject to a law or binding scheme substantially similar to the Australian Privacy Principles, including mechanisms for enforcement;
• You consent to the disclosure after being expressly informed that we will not be taking reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles;
• Disclosure is required or authorised by law;
• Disclosure is reasonably necessary for an enforcement-related activity conducted by, or on behalf of, an enforcement body.

It is not practicable to list every country to which we may provide personal information as this will vary depending on the circumstances.

Accidental or Unauthorised Disclosure of Personal Information

We will take this seriously and deal promptly with any accidental or unauthorised disclosure of personal information.

Legislative or administrative sanctions may apply to unauthorised disclosures of personal information.

How to Seek Access to and Correction of Personal Information?

You have a right under the Privacy Act to access personal information we hold about you. You also have a right under the Privacy Act to request corrections of any personal information that we hold about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

To access or seek correction of personal information we hold about you, please contact us using the contact details set out in Part E of this privacy policy.

Our Access and Correction Process

If you request access to or correction of your personal information, we will respond to you within 30 calendar days.

While the Privacy Act requires that we give you access to your personal information upon request or an opportunity to request the correction of your personal information, it does set out circumstances in which we may refuse to give you access or decline to correct your personal information.

If we refuse to give you access or make corrections to your personal information, we will provide you with a written notice which, among other things, gives our reasons for refusing your request.

If You Are Unsatisfied with Our Response

If you are unsatisfied with our response, you may make a complaint, either directly to us (see Part E below), or you may wish to contact:

• Tertiary Education Quality and Standards Agency and complete the online complaints form

COMPLAINTS

How to Make a Complaint?

If you think we may have breached your privacy you may contact us to make a complaint using the contact details set out in Part E of this privacy policy. In order to ensure that we fully understand the nature of your complaint and the outcome you are seeking, we prefer that you make your complaint in writing.

Please be aware that it may be difficult to properly investigate or respond to your complaint if you provide insufficient detail. You may submit an anonymous complaint, however if you do it may not be possible for us to provide a response to you.

Our Complaint-Handling Process

We are committed to quick and fair resolution of complaints and will ensure your complaint is taken seriously and investigated appropriately. Please be assured that you will not be victimised or suffer negative treatment if you make a complaint.

If You Are Unsatisfied with Our Response

If you are unsatisfied with our response, you may make a complaint, either directly to us (see Part E below), or you may wish to contact:

• The Tertiary Education Quality and Standards Agency and complete the online complaints form.

CONTACT US

General Enquiries, Complaints, Requests for Access or Correction

If you wish to:

• Query how your personal information is collected, held, used or disclosed by us; ask us questions about this privacy policy;
• Request access to or seek correction of your personal information; or make a privacy complaint.

Please contact the GCA Privacy Officer:

By Post: Locked Bag A3100 Sydney South NSW 1235

By Email: privacy@ubss.edu.au

By Phone: 02 9261 4161

Availability of This Privacy Policy

If you wish to access this privacy policy in an alternative format (e.g. hard copy) please contact us using the contact details set out above. This privacy policy will be made available free of charge.