Privacy Policy St George & Sutherland Community College

Privacy Policy

Privacy Policy

SGSCC – ST GEORGE & SUTHERLAND COMMUNITY COLLEGE
POLICY ON PRIVACY/CONFIDENTIALITY

1.0 Purpose

This document is our privacy policy and it tells stakeholders how we collect and manage personal information. It also outlines the rights to privacy and confidentiality of students, clients, employees, volunteers, business partners and suppliers of the College.

2.0 Scope

This policy applies to:

2.1 SGSCC employees/contractors

2.2 SGSCC clients/students

2.3 Board

2.4 Volunteers

2.5 Suppliers

3.0 References

3.1 Australian Privacy Principles 2014 (APP)

3.2 Privacy Amendment (Enhancing Privacy Protection) Act 2012

3.3 Privacy Act 1988 (Commonwealth)

3.4 Privacy Amendment (Notifiable Data Breaches) Act 2017

3.5 Freedom of Information Act 1989

3.6 Policy & Procedure on Copyright

3.7 The Health Records and Information Privacy Code of Practice 2005 (NSW)

3.8 Privacy, Confidentiality & Client Records Policy & Procedure –SGSCC disAbility

3.9 Policy & Procedure for Handling Client/Customer Complaints

4.0 Definitions

SGSCC or the College - St George & Sutherland Community College Inc. For the purposes of this policy includes all College departments: SGSCC WorkSkills, SGSCC International, SGSCC disAbility, SGSCC SchoolAge, SGSCC English, SGSCC Leisure. A SGSCC disAbility policy and procedure outlines privacy and confidentiality issues specific to that department.

Personal Information - When used in this privacy policy, the term “personal information” has the meaning given to it in the Privacy Act 1988 (Cth).Thereafter known as the Act. In general terms, it is any information that can be used to personally identify stakeholders e.g. name, address, email, age, etc

AVETMISS - Australian Vocational and Education and Training Management Information Statistical Standard. Administered by National Centre for Vocational Education Research (NCVER) a not-for-profit company owned by the Commonwealth and state and territory ministers responsible for vocational education and training.

PRISMS - Provider Registration and International Student Management System- through the Department of Education (Commonwealth)

4D/GLEP - A SGSCC student and tutor database that contains personal information

ONCOURSE - A SGSCC student and tutor database used for courses that contains personal information

ASQA - Australian Skills Quality Authority is the national regulator for Australia’s vocational education and training sector. ASQA regulates courses and training providers to ensure nationally approved quality standards are met.

NDIS – National Disability Insurance Scheme

NDIA - National Disability Insurance Agency

PRODA - Provider Digital Access- Australian Government: Department of Human Services.

Stakeholder - students, clients, customers, employees, volunteers, supplies as relevant to the situation

5.0 Policy

5.1 St George and Sutherland Community College (SGSCC) and its related bodies corporate recognise the importance of protecting the privacy and the rights of individuals in relation to their personal information.

SGSCC recognises that all employees, students, clients and suppliers have a right to privacy and confidentiality in relation to information known or held by the College concerning them. The College conforms to its legal requirements as outlined in Section 3.0 above. Information will not be released without informed written consent or legal obligation within the parameters of the aforementioned legislation. A SGSCC disAbility policy and procedure outlines privacy and confidentiality issues specific to that department.

This policy conforms to the Privacy Act 1988 (Cth), the Australian Privacy Principles 2014 and the Privacy Amendment (Notifiable Data Breaches) Act 2017 which govern the collection, use, access, disclosure, storage and data breaches of personal information

5.2 Personal information SGSCC may collect and hold We may collect the following types of personal information:

  • Name;
  • Mailing or street address;
  • Email address;
  • Telephone number;
  • Facsimile number;
  • Mobile number;
  • Age or birth date;
  • Qualifications;
  • School level;
  • Pension Status;
  • Credit Card details for payment of services (destroyed after processing);
  • Employment and employer status;
  • Country of Birth;
  • Language spoken at home;
  • Disability and special needs status;
  • Aboriginality or Torres Strait origin status;
  • Residency Status;
  • Details of the courses and services purchased from SGSCC or which have been enquired about, together with any additional information necessary to deliver those courses and services and to respond to enquiries;
  • Any additional information relating to stakeholders that have been provided to SGSCC directly through websites or indirectly through use of SGSCC websites or online presence, through SGSCC representatives or otherwise;
  • Information provided to SGSCC through any College centre, customer surveys;
  • Records of student results of accredited programs;
  • Please see SGSCC disAbility Privacy Policy for specific personal information collected pertaining to clients of this department SGSCC may also collect some information that is not personal information because it does not identify anyone. For example, anonymous answers to surveys or aggregated information about how users use the website, statistical analysis.

5.3 Business Partners

SGSCC may collect contact details, name of contact person and/or organisation/business, bank details (to receive payment or make payments for services), Australian Business number (ABN), and insurance details. Primary purpose for which information is collected is to provide or receive services, process payments, establish and manage partnerships.

5.4 Methods for Collecting Personal Information

SGSCC collects personal information directly from stakeholders unless it is unreasonable or impracticable to do so. When collecting personal information SGSCC may collect in ways including: Through access and use of College websites;

During conversations between a stakeholder and SGSCC employees; or When an enrolment is completed either via phone, web, fax or in person; When details are provided for a waiting list; SGSCC may also collect personal information from third parties including:

  • From third party companies such as credit reporting agencies, law enforcement agencies and other government entities;
  • When more than one person is being enrolled using a single credit card;

5.5 Cookies

In some cases SGSCC may also collect personal information through the use of cookies. When accessing SGSCC websites, it may send a “cookie” (which is a small summary file containing a unique ID number) to individual’s computer. This enables SGSCC to recognise individual computers and greet each time the website is accessed without bothering with a request to register. It also enables SGSCC to keep track of products or services viewed so that it can send news about those products or services. SGSCC also use cookies to measure traffic patterns, to determine which areas of the websites have been visited and to measure transaction patterns in the aggregate. SGSCC use this to research users’ habits so that online products and services can be improved. SGSCC cookies do not collect personal information. If a stakeholder does not wish to receive cookies, the browser can be set so that your computer does not accept them.

SGSCC may log IP addresses (that is, the electronic addresses of computers connected to the internet) to analyse trends, administer the website, track users movements, and gather broad demographic information.

5.6 Why SGSCC needs personal information

If personal information as described above is not provided, some or all of the following may happen:

  • SGSCC may not be able to provide the requested courses or services to individuals, either of the same standard or at all;
  • SGSCC may not be able to provide information about courses and services that may be wanted by individuals, including information about discounts, sales or special promotions;
  • SGSCC may be unable to tailor the content of its websites to stakeholder preferences and individual experience of SGSCC websites may not be as enjoyable or useful;
  • SGSCC will not be able to provide Statements and Certificates to students in accredited courses;
  • Some government funds may not be available for specific courses and services;
  • Employees/contractors/volunteers may not be able to be employed or placed ;

5.7 Purposes for collecting, holding, using and disclosing personal information

SGSCC collects personal information so that it can perform education and training, lifelong learning activities, business activities and functions and to provide best possible quality of customer service. SGSCC collects, holds, uses and discloses personal information for the following purposes:

  • To provide services, education, training and courses to stakeholders and to send communications requested by them;
  • To provide Statements and Certificates for qualifications gained in an accredited course;
  • To answer enquiries and provide information or advice about existing and new courses or services;
  • To provide access to protected areas of SGSCC websites;
  • To assess the performance of the website and to improve the operation of the website;
  • To conduct business processing functions including providing personal information to our tutors, peak body CCA- Community Colleges Australia, service providers;
  • Data and statistical information needed by Government agencies through 4D/GLEP, ONCOURSE, AVETMISS, PRISM, PRODA or other third parties (although some information maybe encrypted to remove personal identifiers);
  • For the administrative, marketing (including direct marketing), planning, course or service development, quality control and research purposes of the above mentioned data collection government agencies, its related bodies corporate, service providers;
  • To provide updated personal information to the above mentioned groups;
  • To update SGSCC records and keep contact details up to date;
  • To process and respond to any complaint made by stakeholders; and
  • To comply with any law, rule, regulation, lawful and binding determination, decision or direction of a regulator or funding body, or in co-operation with any governmental authority or any other country as applicable. Personal information will not be shared, sold, rented or disclosed other than as described in this Privacy Policy.

5.8 Personal Information may be disclosed to:

  • SGSCC employees, relevant government departments and funding bodies, peak bodies, tutors or service providers for the purposes of operation of SGSCC website or business, fulfilling requests by stakeholders, and to otherwise provide education and training and courses and services to stakeholders including, without limitation, web hosting providers, IT systems administrators, mailing houses, international recruitment agencies, couriers, payment processors, data entry service providers, electronic network administrators, debt collectors, and professional advisors such as accountants, solicitors, business advisors and consultants;
  • Suppliers and other third parties with whom SGSCC has commercial relationships, for business, marketing, and related purposes; and
  • Any organisation for any authorised purpose with stakeholder express consent.

SGSCC may combine or share any information that we collect from Stakeholders with information collected by any of the aforementioned (within Australia).

5.9 Direct marketing materials

SGSCC may send you direct marketing communications and information about courses and services that SGSCC consider may be of interest. These communications may be sent in various forms, including mail, SMS, fax and email, in accordance with applicable marketing laws, such as the Spam Act 2003 (Cth). If a preference for a method of communication is indicated to SGSCC, it will endeavour to use that method whenever practical to do so. In addition, at any time stakeholders may opt-out of receiving marketing communications from SGSCC by contacting the Privacy Officer (see the details below) or by using opt-out facilities provided in the marketing communications and SGSCC will then ensure that the name is removed from the mailing list. SGSCC does not provide personal information to other organisations for the purposes of direct marketing.

5.10 How to access and correct personal information

Stakeholders may request access to any personal information SGSCC holds at any time by contacting The Privacy Officer (see the details below). Where SGSCC holds information that stakeholders are entitled to access, SGSCC will try to provide a suitable means of accessing it (for example, by mailing or emailing it). All requests must be in writing and include a photocopy of a primary source of identification such as a photo identification.

SGSCC will not charge for simply making the request and will not charge for making any corrections to personal information. Copies of qualifications and certificates will attract an administration charge. (available by contacting the relevant department) There may be instances where SGSCC cannot grant access to the personal information held. For example, SGSCC may need to refuse access if granting access would interfere with the privacy of others or if it would result in a breach of confidentiality. If that happens, SGSCC will give written reasons for any refusal.

If a stakeholder believes that personal information SGSCC holds about them is incorrect, incomplete or inaccurate, then a request may be made to amend it. SGSCC will consider if the information requires amendment. If SGSCC does not agree that there are grounds for amendment then SGSCC will add a note to the personal information stating that the stakeholder disagrees with it.

5.11 Process for complaining about a breach of privacy

If a stakeholder believes that their privacy has been breached, the Privacy Officer can be contacted using the contact information below providing details of the incident so that SGSCC can investigate it. SGSCC procedure for investigating and dealing with privacy breaches is for the Privacy Officer to notify the Manager of the relevant area of the College. The Manager will notify the Principal and thoroughly investigate and remedy immediately if findings warrant. The stakeholder and Principal will be informed of the outcome. If the stakeholder is not happy with the outcome the SGSCC complaints policy will be followed, a copy of which will be provided to the stakeholder on request.

5.12 Personal information disclosed outside of Australia

SGSCC may disclose personal information to third party suppliers and service providers located overseas including email and survey services and International recruitment agents for international students.

SGSCC take reasonable steps to ensure that the overseas recipients of personal information do not breach the privacy obligations relating to personal information. SGSCC may disclose personal information to entities located outside of Australia, including the following:

MailChimp which is an online email service based in the USA (MailChimp Privacy Policy: http://mailchimp.com/legal/privacy/) and SurveyMonkey which is an online questionnaire and survey company based in USA (SurveyMonkey Privacy Policy: https://www.surveymonkey.com/mp/policy/privacy-policy/)

5.13 Security

SGSCC takes reasonable steps to ensure personal information is protected from misuse and loss and from unauthorised access, modification or disclosure. SGSCC may hold information in either electronic or hard copy form. Personal information is destroyed or de-identified when no longer needed. As SGSCC websites are linked to the internet, and the internet is inherently insecure, SGSCC cannot provide any assurance regarding the security of transmission of information communicated to us online. SGSCC also cannot guarantee that the information supplied will not be intercepted while being transmitted over the internet. Accordingly, any personal information or other information which is transmitted to SGSCC online is transmitted at the stakeholder’s own risk.

5.14 Links

SGSCC website may contain links to other websites operated by third parties. SGSCC make no representations or warranties in relation to the privacy practices of any third party website and are not responsible for the privacy policies or the content of any third party website. Third party websites are responsible for informing stakeholders about their own privacy practices.

5.15 Mandatory Data Breach Notification

Any suspected data breach will be immediately reported to the Privacy Officer who will investigate and consult the SGSCC IT contractor if necessary. If it is concluded that there has been a serious breach of data such as unauthorised access to, unauthorised disclosure of, or loss of personal information held by SGSCC, the Privacy Commissioner and any affected individuals will be notified as per requirements under the Privacy Amendment (Notifiable Data Breaches) Act 2017. SGSCC will provide notice of any serious data breach to the Australian Information Commissioner (Commissioner) via the Notifiable Data Breach Form https://forms.business.gov.au/smartforms/landing.htm?formCode=OAIC-NDB

5.16 Contacting SGSCC

If stakeholders have any questions about this privacy policy, any concerns or a complaint regarding the treatment of privacy or a possible breach of privacy, please use the contact link on our website or contact our Privacy Officer using the details set out below.

SGSCC will treat requests or complaints confidentially. SGSCC’s representative will contact stakeholders within a reasonable time after receipt of questions and complaints to discuss concerns and outline options regarding how they may be resolved. SGSCC will aim to ensure that issues are resolved in a timely and appropriate manner.

Please contact our Privacy Officer at:

Privacy Officer

St George & Sutherland Community College

Post: PO Box 404 Jannali 2226

Tel: 02 8543 7417

Email: thiggins@sgscc.edu.au

5.17 Changes to our privacy policy

SGSCC may change this privacy policy from time to time. Any updated versions of this privacy policy will be posted on our website.

5.18 Staff and student home telephone numbers, addresses and emails will not be given out at any time except at the beginning of each course when tutors/trainers will be provided with a class roll containing this information for communication purposes. Staff will only use information for direct communication with the student concerned and will not give out this information to other students or other agencies or use this information for private or commercial purposes. Breach of this policy will incur legal action and/or discipline of the staff member.

Students can choose not to receive promotional communication from the College at any time. All direct marketing will contain information on a simple method to elect not to receive promotional communications.

Students or prospective students who desire contact with the tutor prior to class commencement are informed that the tutor will contact them if possible. Staff will get permission from the student to pass on their contact details to the tutor who will either phone or email them.

Signed permission will be sought from students if their email may be revealed to other students if the need for group emailing of students in a class is required. This will only be for the duration of the course and the blind copy option will STILL be used wherever possible by staff and tutors to protect the privacy of students.

Staff and tutors will ensure that email addresses are not inadvertently relayed to a third party. The blind copy option can be used to avoid this.

5.19 Employee and Volunteer Personnel files - These files may contain contact details, personal details and emergency contact person’s, date and country of birth, citizenship and/or visa details, previous employment or volunteer involvement, resumes, qualifications, identity photocopies (e.g. driver’s licence), referees reports, a copy of the employee’s contract, all correspondence relating to job description changes, salary & leave changes, leave entitlements. National Criminal Checks and Working with Children Checks records are also included in files if relevant to the position and department of the employee or volunteer. Access to personnel information is restricted to the individual employee or volunteer, CEO, HR Manager and relevant supervisor. Personal details will not be given out to third parties at any time. Messages will be relayed to the staff member or volunteer concerned by a member of the office staff. Personal information is held securely in locked cabinets- all employees by the Human Resources Manager, volunteers in the relevant department.

5.20 Data collected regarding staff and students will be held for the required length of time and in a secure place that ensures only authorised persons have access according to legislative and government statistical requirements. All staff records will be placed in a locked file. All staff and student information held on computer will only be accessed by authorised personnel using passwords.

All rolls, including tutor ‘take home’ copies are returned to the Jannali office following the final session to be securely stored for the required duration. For VET accredited courses with assignments and assessments the Tutor/Assessor will return the tutor copy with the last marked assignment or assessment.

5.21 Staff and students will only be photographed or recorded for promotional purposes with their permission. A release form will be completed and signed.

5.22 Staff and students will not have their name or work included on the College Web sites without signed consent being obtained

5.23 Information will not be given out regarding suppliers unless directly requested by them.

5.24 Requests for release of information other than an individual’s personal information must be addressed in writing to the Principal and contain excerpts from the relevant acts empowering the individual, organisation or government department to ask for information. Each such written request will then be submitted to the College lawyers for validation/ratification. Otherwise information will only be released on subpoena.

5.25 Student Records

Students have the right to view their own records. All requests must be in writing and include a photocopy of a primary source of identification such as a photo identification.

5.26 Replacement certificates for accredited courses

All requests for certificates to replace those that have been lost or damaged must be in writing and include a photocopy of a primary source of identification such as a driving licence or other photo identification. A fee may be charged for replacement certificates.

5.27 Prospective employees who were unsuccessful in their application will be asked for permission for SGSCC to retain Resumes on file for any future positions.

5.28 Information that is confidential to the College must be kept as confidential by all staff and suppliers. This includes but is not limited to documents that are not released to the public or competitors because of commercial in confidence considerations, eg:

Price setting documents Tender application documents Letters of complaint Planning and marketing documents Signed contracts- including employment contracts an/or letters of appointment Class manuals prepared by staff paid by the College to do so Employee personnel files

5.29 Unsolicited Personal Information

Unsolicited personal information is information that was not requested. For example it could be misdirected mail/email meant for another party. SGSCC will determine in a reasonable time if any suspected unsolicited personal information that it receives could have been requested and direct it to the appropriate department concerned. If it has been determined that the personal information has not been requested SGSCC will securely destroy or de-identify the information immediately unless it is contained in a Commonwealth record or it is unlawful or unreasonable to do so.

5.30 Pseudonymity and Anonymity

Enquiring about services via phone, reception counter, interview or email or accessing or searching SGSCC websites can be done without providing personal information. Some SGSCC services and funded programs cannot be provided without the provision of personal information. Any person who would like access to services on an anonymous basis or using a pseudonym can contact the privacy officer. If this is possible and lawful, SGSCC will take all reasonable steps to comply with requests.

5.31 Specific Privacy considerations for clients of SGSCC disAbility are outlined in Standard 1- Rights folder /1.4 Privacy Policy SGSCC disAbility. Access online or contact the Privacy Officer for a copy.

6.0 Documentation

6.1 Media Release Authorisation

6.2 Media Release Authorisation Form for Groups

6.3 1.4 Privacy Policy SGSCC disAbility

6.4 PS01- Complaints Policy