Wednesday 7 January 2009

Privacy of Client/Customer Information

1.0 Purpose

In accordance with the changes to the Privacy Act in 2001, clients have new rights in relation to how their personal information is handled by private sector organisations.  ASC Training & Development (ASC) is bound by the Privacy Act and respects your right to privacy.

The main purpose of the Privacy Act is to establish a national scheme for the collection, use, storage, correction, disclosure and transfer of personal information.  The Act has special protection for sensitive information.

Personal information is information that can identify a person, such as a name, address or photograph.  Sensitive information is information about a person's racial or ethnic origin, political opinions, religious beliefs, membership of a trade union or of a professional or trade association, sexual preference, criminal record and health information.  Consumers have the right to know why an organisation collects their personal information, what it holds, how the information will be used and who else may have access to it. Consumers can ask to see the information collected about them, and request that any errors be corrected.

This policy aims to ensure that ASC takes all reasonable steps to protect the personal information it holds about its clients from unauthorised access, modification or disclosure, and that ASC does not use or disclose personal information about them except in the limited circumstances set out in this document. ASC will make sure that personal information collected, used or disclosed is accurate and up-to-date.

All enquiries from students regarding the privacy policy of ASC Training & Development Pty Ltd must be directed to the Operations Manager, ASC.  Similarly any requests from students for access to their personal information, or to update, change or make corrections to their personal information, must also be directed to the Operations Manager.

If you would like to access your personal information, or it needs to be updated or corrected, you may contact ASC Training & Development by telephoning (08) 8357 9222, or via email at enquiries@asctraining.com.au or by writing to 438 Goodwood Road, Cumberland Park  SA  5041.

The client also has a responsibility to assist ASC by providing accurate and up-to-date information.

This policy also details how private client/customer information shall be stored and controlled within ASC, in accordance with the National Privacy Principles and the Federal Privacy Act 1988.

2.0 Scope

Applicable to all ASC employees and/or its contractors involved in work related to ASC.

3.0 Definitions

"Personal information" is defined in the policy as:

"……information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion."

4.0 Procedure

This policy aims to:

  • establish the responsible collection and handling of personal information by ASC
  • give individuals a right to access information which is held by ASC about them, and correct any errors in that information
  • establish a complaints procedure for the investigation and rectification of breaches of this Policy

This policy applies to personal information collected by ASC concerning staff, students, prospective students, individual clients and other individuals.  It does not apply to information about corporations.

All ASC staff, consultants, external contractors and students who have access to personal information held by ASC must observe this Policy.

Privacy Principles

ASC will collect personal information only if the information is necessary for one or more of its functions or activities, and will collect it only by lawful and fair means and not in an unreasonably intrusive way.

When ASC collects personal information about an individual from the individual, it must take reasonable steps to ensure that the individual is aware of:

  • the identity of ASC and how to contact it
  • the fact that he or she is able to gain access to the information
  • the purpose for which the information is collected ("the primary purpose")
  • to whom ASC usually discloses information of that kind (all types of individuals or organisations)
  • any law that requires the particular information to be collected
  • the main consequences (if any) for the individual if all or part of the information is not provided

If it is reasonable and practicable to do so, ASC will collect personal information about an individual only from that individual.  However, there will be instances where ASC obtains such information from other sources, e.g. references for employment purposes, results data for prospective students, and verification of the formal qualifications of staff and students.  In such instances, ASC will take reasonable steps to ensure that the individual is or has been made aware of the matters listed above, except to the extent that doing so would pose a serious threat to the life or health of any individual.

Use and disclosure

ASC will not, without the prior consent of an individual, use or disclose personal information about that individual for a purpose ("the secondary purpose") other than the primary purpose of collection, except in any of the following situations:

  • the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection
  • the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest, other than for publication in a form that identifies any particular individual
  • it is impracticable for ASC to seek the individual's consent before the use or disclosure of that information
  • in the case of disclosure, ASC reasonably believes that the recipient of the information will not disclose the information
  • ASC reasonably believes that the use or disclosure is necessary to lessen or prevent either a serious and imminent threat to an individual's life, health, safety or welfare, or a serious threat to public health, public safety or public welfare
  • ASC has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities
  • the use or disclosure is required or authorised by or under law
  • the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS), in connection with its functions, has requested ASC to disclose the personal information, and the disclosure is made to an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) to receive the disclosure

ASC may also use or disclose personal information where it reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of a law enforcement agency:

  • the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction
  • the enforcement of laws relating to the confiscation of the proceeds of crime
  • the protection of the public revenue
  • the prevention, detection, investigation or remedying of seriously improper conduct
  • the preparation for, or conduct of, proceedings before any court or tribunal

Only the Director or the ASC legal advisor may make a disclosure under this section.

Data Quality

ASC will take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

For ASC to ensure the quality and accuracy of personal information, individuals have a corresponding obligation to provide relevant and accurate information to ASC.

Data Security

ASC will take reasonable steps to protect the personal information that it holds from misuse or loss and from unauthorised access, modification or disclosure.

ASC will take reasonable steps to destroy or permanently de-identify personal information, if it is no longer needed for any purpose.

Under the Public Records Act 1973, ASC is required to keep full and accurate records and implement a record disposal program.

Destruction of personal information must be carried out in accordance with the ASC Record Retention Policy, including the AQTF requirements to retain information for all trainees for a period of 30 years.

Personal information must be properly secured at all times.

Customer information must be protected from either deliberate or inadvertent release to persons not entitled to it.

Offices where information is kept must be kept secure (locked when not occupied and information not left where third parties can have access).

Information in vehicles must be properly secured at all times (the vehicle must be locked when not occupied and the information not left where it could be accessed by third parties).

Information must not be stored or left where any third party has open access.

Openness

ASC will make this policy available to anyone who asks for it.  On request, ASC will take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.

Access and Correction

If ASC holds personal information about an individual, it will provide the individual with access to the information on request by the individual, except to the extent that:

  • providing access would pose a serious and imminent threat to the life or health of any individual
  • providing access would have an unreasonable impact on privacy of other individuals
  • request for access is frivolous or vexatious
  • the information relates to existing legal proceedings between ASC and the individual, and the information would not be accessible by the process of discovery or subpoena in those proceedings
  • providing access would reveal the intentions of ASC in relation to negotiations with the individual in such a way as to prejudice those negotiations
  • providing access would be unlawful
  • denying access is required or authorised by or under law
  • providing access would be likely to prejudice an investigation into possible unlawful activity
  • providing access would be likely to prejudice the prevention, detection, investigation, prosecution or punishment of criminal offences for breaches of a law, imposing a penalty or sanction
  • ASIO, ASIS or a law enforcement agency performing a lawful security function asks ASC not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia

Where providing access would reveal evaluative information generated within ASC in connection with a commercially sensitive decision-making process, ASC may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.

ASC reserves the right to charge for providing access to personal information, and if it does, it:

  • will advise an individual who requests access to personal information that ASC will provide access upon payment of the prescribed fee
  • may refuse access to the personal information until the fee is paid

If ASC holds personal information about an individual and the individual is able to establish that the information held by ASC is not accurate, complete and up-to-date, ASC will take reasonable steps to correct the information so that it is then accurate, complete and up-to-date.

If the individual requests access to, or the correction of, personal information held by ASC, then ASC will, as soon as practicable and no later than 45 days after receiving the request:

  • provide access, or reasons for the denial of access
  • correct the personal information, or provide reasons for the refusal to correct the personal information
  • where the request cannot be completed within that time, provide reasons for the delay in responding to the request

Nothing in this policy applies to a document containing personal information or the personal information contained in a document which would be subject to the provisions of the Freedom of Information Act 1992 (FOI Act).

If the person requires access to such a document, an application must be made under the FOI Act and the FOI Act will then determine access and correction of any errors (refer to ASC Freedom of Information Policy ASC-19).

ASC is not required to provide an individual with access to information about that individual if that information is generally available to the public.

Anonymity

Because of the nature of ASC's business, it will usually be impractical for individuals transacting with ASC to have the option of not identifying themselves.  However, where it is lawful and practicable to do so, ASC will give individuals this option.

Sensitive Information

ASC will not collect sensitive information about an individual unless:

  • the individual has consented
  • the collection is required under law
  • the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns is physically or legally incapable of giving consent to the collection of the information
  • the collection is necessary for the establishment, exercise or defence of a legal or equitable claim

ASC may also collect sensitive information about an individual where all of the following apply:

  • the collection is necessary for research, or the compilation or analysis of statistics, relevant to government funded targeted welfare or educational services
  • the information relates to the individual's racial or ethnic origin and is collected for the purpose of providing government funded targeted welfare or educational services
  • it is impracticable for ASC to seek the individual's consent to the collection

(For additional information regarding the ten National Privacy Principles, refer to Appendix One.)

Responsibilities

Operations Manager

The Operations Manager shall be responsible for the following:

  • notifying clients/customers in the event of a reported loss/theft of records
  • ensuring that the contents of this policy are implemented and maintained across the RTO
  • reporting to the relevant authorities
  • reviewing security arrangements
  • archiving and securing client/customer records
  • implementing and managing the "Private Customer Information" awareness sessions for all current and new staff
  • processing and recording staff participation in the awareness sessions

Staff Employees

Staff employees shall:

  • attend a "Private Customer Information" awareness session
  • dispose of identified client/customer records in accordance with this procedure
  • notify the Operations Manager of any loss/theft of client/customer records

4.3 Archiving Records

Records containing personal customer information must be archived in such a way as to prevent its deliberate or accidental release or misuse. National Training Framework training records are now required to be stored for a period of 30 years. The Operations Manager shall be responsible for the archiving of the records.

4.4 Disposing of Records

When the records are no longer required they must be destroyed or defaced in such a way as to make the customer information unreadable. If the records are to be destroyed, they must be shredded.

Normal recycling or rubbish disposal services are not to be used to dispose of records containing customer information.

The disposal of the records must be carried out either by, or under the supervision of an ASC employee authorised to do so.

4.5 Employee Training

All staff with access to any personal customer information must have undergone the ASC Privacy Act Awareness Training Session as part of their initial ASC Induction.

The Operations Manager shall implement and manage the training of all ASC staff in the Customer Privacy Information awareness sessions.

4.6 Loss of Records

An agreement with the client shall be reached on the process to follow in the event of records being lost or stolen. The Operations Manager shall be notified of any loss or theft of records and, depending on the type of information and the circumstances of the loss/theft, is responsible for the following:

  • contact the client to inform them of loss or theft
  • contact the relevant customers concerned
  • contact the Police
  • review the security of records

5.0 Reference Documentation

ASC Freedom of Information Policy ASC-19

AQTF Standards for RTO and Training and Skills Commission Policies on Registered Training Organisations and Accreditation of Courses, using the AQTF as the framework and context for all policies, procedures and practices.

Appendix One

The Act sets out the National Privacy Principles (NPPs), the ten basic privacy standards with which organisations must comply in order to protect personal information.
A brief summary of the NPPs is as follows:

Collection (NPP1)

Collection of personal information must be fair, lawful and unobtrusive and necessary for the organisation's functions.  You must advise the person of the organisation's name, the purpose for collection, any other organisations to whom it may be disclosed, and that they can get access to their personal information and what happens if they do not give the information.

Use & Disclosure (NPP 2)

An organisation may only use or disclose the information for the purpose it was collected (primary purpose) unless the person has consented, or the secondary purpose is related to the primary purpose and the person would reasonably expect such use or disclosure.  Direct marketing may be used in specified circumstances but certain rules apply - where you have the opportunity to get consent, you should do so.  The marketing material should advise that the person may request not to receive the material and it should set out the contact details of the firm.  Personal information may be disclosed when it relates to law enforcement or for health and safety.

Data Quality (NPP3)

An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

Data Security (NPP4)

An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Openness (NPP5)

An organisation must have a policy document outlining its information handling practices and make this available to anyone who requests it.

Access & Correction (NPP6)

Generally speaking, an organisation must give an individual access to personal information it holds about that individual on request.  Exceptions apply, such as where this would pose a serious threat to life or health, is vexatious, or impacts on another person's privacy, where there are legal proceedings, or it is prejudicial to a police investigation, etc.  Reasonable steps must be taken to correct information.

Identifiers (NPP7)

Generally speaking, an organisation must not adopt, use or disclose an identifier that has been assigned by a Commonwealth government 'agency', for example tax file numbers or Medicare numbers.  An ABN is exempted.

Anonymity (NPP8)

Organisations must give people the option to interact anonymously whenever it is lawful and practicable to do so.

Transborder Data Flow (NPP9)

An organisation can only transfer personal information to a recipient in a foreign country in circumstances where the information will have appropriate protection such as similar privacy legislation, or with consent.

Sensitive Information (NPP10)

An organisation must not collect sensitive information unless the person has consented, or it is required by law or in special circumstances, for example, to a health service or for public health or safety.

 (Note:  For further information on the National Privacy Principles go to the Federal Privacy Commissioner's website: www.privacy.gov.au)