Subject: Policies and procedures
Title of Policy: Privacy Protection Policy
Document Number: 18EX01V1.0 Effective Date: 17/07/2018 Approval Date: 17/07/2018
Revision due: 17/07/2018 Approved by: Bevan McPherson - CEO
Version: 1.0
Release Date: Jul 2018
Change: Review of Policy and Procedure
Approved: B McPherson
Revision Date: Jul 018

---

Purpose:
Patrick's College Australia collects and stores personal student information in compliance with the Privacy Act 1988 (Commonwealth). This policy describes how we may collect, manage, use disclose, protect, and dispose of personal information in accordance with the thirteen Australian Privacy Principles (APPs) outlined in Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012.

---

Definitions
Under the Privacy Act 1988 and Privacy Amendment (Enhancing Privacy Protection) Act 2012 (s6(1)), personal and sensitive information is defined as follows:

• Personal information: “information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.”
• Sensitive information: “(a) information or an opinion about an individual’s: (i) racial or ethnic origin, or (ii) political opinions, or (iii) membership of a political association, or (iv) religious beliefs or affiliations, or (v) philosophical beliefs, or (vi) membership of a professional or trade association, or (vii) membership of a trade union, or (viii) sexual preferences or practices, or (ix) criminal record, that is also personal information; or (b) health information about an individual; or (c) genetic information about an individual that is not otherwise health information; or (d) biometric information that is to be used for the purposes of automated biometric verification or biometric identification; or (e) biometric templates”.

---

Authority to collect and store information
Patrick's College Australia is an approved as a Registered Training Organisation (RTO) by the Australian Skills Quality Authority (ASQA). Registration is issued under the authority of the National Vocational Education and Training Regulator Act 2011. This legislation requires RTOs to collect personal and sensitive information from their students. This requirement is specified in the Data
Provision Requirements 2011 which is one of five legislative instruments that Patrick's College Australia must comply with, as a condition of its registration.

The data provision requirements require RTOs to collect data from students in accordance with the Australian Vocational Education and Training Management Information Statistical Standard (AVETMISS). This is a complex information standard that defines information about who the student is, where the training is delivered and what they are studying. The Standards for Registered Training Organisations 2011 require RTOs to retain and store information for up to 30 years and to report training activity to government agencies in accordance with mandatory reporting requirements.

Together these requirements form a statutory obligation to collect, store and report information of any
student participating in nationally accredited training. The publications referred to in this section can
be accessed from the ASQA website at the following link: www.asqa.gov.au

---

Collection and use
Patrick's College Australia collects personal information necessary for, or directly related to its training and assessment services. Some of the information collected may be regarded as ‘sensitive’ as defined by the Privacy Act.
The information requested from individuals by the college will only be used to:

• Provide details of study opportunities
• Enable efficient course administration
• Maintain proper academic records
• Assess an individual’s entitlement to VET Student Loans (VSL)and allocate a Commonwealth Higher Education Student Support Number (CHESSN)
• Report to government agencies as required by law.

If an individual chooses not to give the college certain information then the college may be unable to enrol that person in a course or supply them with appropriate information.
The Australian Skills Quality Authority (ASQA) is entitled to collect the information on this form for use by the relevant Commonwealth Department that regulates vocational education and training. This information is collected for the purpose of auditing participation and the monitoring and reporting of training outcomes. The information you provide may be accessed by officers of these two departments and by the National Centre for Vocational Education Research (NCVER) for the above purposes.

If you access Commonwealth Assistance (VET Student Loan) whilst enrolled with Patrick's College Australia, information about you and the study that you undertake will be provided to the Australian Taxation Office.

Under Smart and Skilled funding, the Department of Industry may disclose Personal Information to other Australian government agencies, including those located in States and Territories outside New South Wales.The above government agencies may use Personal Information for any purpose relating to the exercise of their government functions, including, but not limited to the evaluation and assessment of training, the determination of eligibility to receive subsidised training or any Fee Exemptions or Concessions. Personal Information may also be disclosed to other third parties if required by law.

---

Solicited information
Contact information such as name, organisation, position, address, telephone, and email are collected for marketing, support services, mandatory reporting and for communicating with stakeholders as part of our day to day operation.

In addition to information collected training activity, Patrick's College Australia will also collect, store and report information relating to satisfaction surveys, complaint handling and on our client employers.

Names, addresses, phone numbers, emergency contact details, bank account details and other employment related information is collected from employees for the purpose of managing human resources. The management of this personal information complies with this policy.

---

Collection methods
Personal and sensitive student information and also training activity information is prescribed by the AVETMISS Standard. This information is collected directly from our students using enrolment forms which may be paper based or electronic and/or other administrative forms including, but not limited to: complaint forms, recognition application, request for refund, transfer application, etc. This information is entered into our student management system “WiseNet”. Hard copy records are retained within our locked student files on campus, where applicable.

Survey responses are collected using Employer and Learner Satisfaction Surveys and are issued both in hard copy and electronic format. The survey results are returned to the campus office and entered into our survey analysis software

Enquiry information from prospective students including personal contact information is collected directly from individuals who make data requests either by telephone or email in person or via our website. Patrick's College Australia also collects personal information from individuals on employment commencement.

---

Sensitive information
Personal information collected by the college that may be regarded as ‘sensitive’ under the Privacy Act includes:

• ‘Disability’ and ‘long-term impairment status’ (health); and ‘indigenous status’, ‘language spoken at home’, ‘proficiency in spoken English’, ‘country of birth’ (implies ethnic/racial origin). This information is specified in the AVETMISS data elements and is collected for the national VET data collections, national VET surveys, and may be collected for VET-related research.
• ‘Dietary requirements’ (health-related) are collected for event catering purposes only.
• Biographical information, which may contain information on ‘affiliations’ and ‘membership of a professional or trade association’ are obtained from key note speakers for event marketing purposes.
• ‘Memberships of professional associations’ and ‘health and work injury information’ is collected from college employees for HR management purposes.

---

Direct marketing
Patrick's College Australia respects an individual’s right not to receive marketing material, and provides an option within communications and on its website for individuals to unsubscribe from receiving marketing material. The college conducts its marketing communications and dissemination of service information in accordance with Australian Privacy Principle 7 (Direct Marketing), the Spam Act 2003 (in respect of electronic communications), and the Do Not Call Register Act 2006. It is not Patrick's College Australia’s practice to ‘cold call’ for the purpose of marketing its products and services.

---

Google Analytics and cookies
Google Analytics is a web service provided by Google Inc. Cookies are used to generate data on website activity and usage. The cookies, which include IP addresses, are transmitted to and stored in Google servers in the United States where they are used to compile web-use reports. Google may transfer this information to third parties, where required by law, or for information processing on its behalf. Google will not associate IP addresses with any other data held by Google. More information on Google’s privacy policy can be found at: https://www.google.com.au/intl/en/policies/privacy/. It is possible to disable cookies by adjusting web-browser setting and to opt-out of Google Analytics (https://tools.google.com/dlpage/gaoptout). Doing so, however, may affect web-site functionality.

The college web servers automatically log information such as server address, date and time of visit and web pages accessed. No personal information is recorded. These logs are used for website management and improvement.

---

Unsolicited personal information
Unsolicited personal information, will be treated and managed by the college according to the Australian Privacy Principles.

---

Notification of collection
Patrick's College Australia aims to notify individuals of the collection of their personal information before, or at the time of collection, or as quickly as possible thereafter. Notifications are usually in writing, but may be verbal for telephone help-desk services, or research conducted by telephone interview.

• Marketing – notification is provided on our website course application page. Individuals are also notified at the time of collecting personal information for events. A privacy notice is provided in all Patrick's College Australia marketing communications.
• Quality Indicator surveys – notification is provided at the time of collecting the information (online or in person).
• Patrick's College Australia staff – Notification is provided on employment commencement.

---

Disclosure of personal information
Patrick's College Australia does not disclose personal information other than for the purpose for which it was collected, or an individual has consented to a secondary purpose, or an individual would reasonably expect this (such as receiving communications about upcoming events), or if required by law.

Patrick's College Australia may share personal information with the Commonwealth Government and designated authorities, including the Australian Skills Quality Authority (ASQA), the Commonwealth Department with responsibility for administering the Higher Education Support Act 2003, and the Tuition Assurance Scheme manager (ACPET). This information includes personal and contact details, course and unit enrolment details and changes, in accordance with Commonwealth contractual obligations. In these circumstances, Patrick's College Australia will take reasonable steps to inform and seek consent from the individuals concerned and take all reasonable steps to ensure that the recipient handles the personal information according to the APPs.

Patrick's College Australia will not disclose an individual’s personal information to another person or organisations unless:
a) The individual concerned is reasonably likely to have been aware, or made aware that information of that kind is usually passed to that person or organisation
b) The individual concerned has given written consent to the disclosure
c) That the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person
d) The disclosure is required or authorised by or under law, or
e) The disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.

When personal information is disclosed for the purposes of enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the purpose of the protection of the public revenue, the college shall include in the record containing that information a note of the disclosure. Patrick's College Australia will only disclose information to an overseas recipient if that disclosure relates to an individual’s course containing an overseas component (study or practicum). Patrick's College Australia will take all reasonable steps to ensure that any overseas recipient complies with the APPs.

Any person or organisation that collects information on behalf of Patrick's College Australia or to whom personal information is disclosed as described in this procedure will be required to not use or disclose the information for a purpose other than the purpose for which the information was collected by them or supplied to them.

Patrick's College Australia does not sell its mailing lists to third parties for marketing purposes.

---

Management of personal information
Patrick's College Australia endeavours to ensure the personal information it collects and uses or discloses is accurate, up to date, complete and relevant. The college routinely updates the information held in its customer relationship management system. This includes confirming with students who are returning for a new enrolment if their personal contact details have changed.

---

Access to and correction of personal information
Individuals may, subject to the exceptions prescribed by the Australian Privacy Principles, request access to and correction of their personal information where this is collected directly from individuals by Patrick's College Australia.

Patrick's College Australia does not charge for giving access to or for correcting personal information. Requests for access to or correction of personal information should be made in accordance with thestudent access to records policy.

---

Information retention and disposal
Personal information is held in electronic and paper format:

• Information collected from student enrolment applications and survey responses is held in databases and in hard copy until the destruction at the documented time (along with student evidence).
• Names and contact details of stakeholders are held in email contact lists
• Names and contact details collected during the delivery of services may be held either in electronic form in Patrick's College Australia document management system or in paper documents which are locked in cupboards and filing cabinets.
• Personal staff information is held in RTO Data and HR files
• Backup copies of all electronic files held in the college’s systems are kept in the event of system failure/loss. All backup copies of system files are secured.

Patrick's College Australia retains personal information for 30 years. When personal information is no longer necessary for Patrick's College Australia business functions, and it is lawful to do so, Patrick's College Australia will destroy the information.

---

Information security
Patrick's College Australia takes active steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

• College systems and internal network are protected from unauthorised access using appropriate technologies. Most system data transferred over the internet is protected by Secure Socket Level protocol (SSL). The inherent risks associated with data transmission over the internet are, however, commonly acknowledged. Individuals, who do not wish to provide their personal information via the online website forms have the option of mailing this information to the college.
• Access to RTO Data is protected through user log-on and password, and assignment of user access rights.
• Access to WiseNet is protected through user log-on and password.
• Third party providers used by the college for the delivery of services are all located within Australia and are required to be compliant with the Australian Privacy Principles and offer appropriate safeguards to protect personal information.
• The college premises and data storage systems are fully secured and paper documents containing names and addresses are locked away and shredded when destroyed. All hardware is properly ‘sanitised’ before disposal.

---

Complaints and concerns
Complaints or concerns about the college’s management of personal information should be directed in writing (preferably by using the complaints and appeals form available on the website) to:
Please complete this form and submit to:

In Person: CEO Bevan McPherson
Post: 7/451 Pitt St Haymarket Sydney NSW 2000
Scan and email to: info@pca.edu.au
Patrick's College Australia will respond in writing within 10 business days. Complaints received will be managed in accordance with the Complaints and Appeals Policy.