1. Privacy Statement
RMIT Training Pty Ltd (RMIT Training) is committed to protecting the privacy of any information volunteered by visitors to its websites, and employees, students and others who have rights to log into them.
All users of RMIT Training’s websites and services should ensure they read and understand this Statement prior to using such websites or services. If you do not agree with this Privacy Statement, please do not use any RMIT Training website or the related services.
The purposes of this Statement are to:
- clarify the responsible collection and handling of personal information by RMIT Training
- inform individuals of their right to access information about them which is held by RMIT Training and to correct any errors in that information
- establish a complaints procedure for investigation and rectification of privacy breaches.
3. Scope and responsibility
This Statement applies to personal information collected by RMIT Training concerning students, prospective students, clients and other individuals. It also applies to employees to the extent that the personal information is not part of the employee’s employment record with RMIT Training. It does not apply to information about corporations.
This Statement must be observed by all RMIT Training employees, consultants, external contractors and students who have access to personal information held by RMIT Training.
4. Privacy Principles
The Privacy Act 1988 (Cth) sets out Privacy Principles which must be observed by organisations such as RMIT Training that collect and hold personal information. RMIT Training’s rights and obligations with respect to personal information are based on those Privacy Principles.
5. Privacy Officer
RMIT Training has appointed a Privacy Officer who will be responsible for the administration of this Statement. RMIT Training’s Privacy Officer may be contacted for further information via telephone at 03 9657 5851 or email at firstname.lastname@example.org.
6. Complaints process
The following process will apply if an individual considers that RMIT Training has been involved in a privacy breach in respect of that individual:
- A written complaint must be forwarded by email to the Privacy Officer within three (3) months of the time the complainant first became aware of the apparent breach. The complaint must specify details of the apparent breach.
- The Privacy Officer must make a determination on the complaint within forty-five (45) days of receipt of the complaint, and advise the complainant in writing.
- If the Privacy Officer determines that there has been a privacy breach, he or she will, upon notification of the determination to the complainant, advise relevant RMIT Training personnel in writing of any action required in order to remedy the breach. If the breach is capable of being rectified and is not rectified within thirty (30) days of the advice from the Privacy Officer, the Privacy Officer must inform the Chief Executive Officer of RMIT Training.
- The Privacy Officer will keep a record of complaints.
7. Consequences if this Statement is breached
Disciplinary or legal action may be taken against any person who is involved in privacy breaches, including summary dismissal in the event of what RMIT Training considers to be a serious breach by an employee.
1.1 RMIT Training:
- will collect personal information only if the information is necessary for one or more of its functions or activities
- must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.
1.2 When RMIT Training collects personal information about an individual from the individual, it will take reasonable steps to ensure that the individual is aware of:
- the identity of RMIT Training and how to contact it; and
- the fact that he or she is able to gain access to the information; and
- the purposes for which the information is collected (the primary purposes); and
- to whom (or the types of individuals or organisations to which) RMIT Training usually discloses information of that kind; and
- any law that requires the particular information to be collected; and
- the main consequences (if any) for the individual if all or part of the information is not provided.
1.3 If it is reasonable and practicable to do so, RMIT Training will collect personal information about an individual only from that individual.
However, there will be instances where RMIT Training will obtain such information from other sources, e.g. references for employment purposes, results data for prospective students, verification of formal qualifications of employees and students. In such instances RMIT Training will take reasonable steps to ensure that the individual is or has been made aware of the matters listed in Principle 1.2 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
2. Use and disclosure
RMIT Training will not without the prior consent of an individual use or disclose personal information about that individual for a purpose (the secondary purpose) other than the primary purposes of collection except in any of the following situations:
- both of the following apply:
- the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;
- the individual would reasonably expect RMIT Training to use or disclose the information for the secondary purpose of collection; or
- if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest, other than for publication in a form that identifies any particular individual:
- it is impracticable for RMIT Training to seek the individual’s consent before the use or disclosure; and
- in the case of disclosure, RMIT Training reasonably believes that the recipient of the information will not disclose the information; or
- RMIT Training reasonably believes that the use or disclosure is necessary to lessen or prevent either:
- a serious and imminent threat to an individual’s life, health, safety or welfare; or
- a serious threat to public health, public safety or public welfare; or
- RMIT Training has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
- the use or disclosure is required or authorised by or under law; or
- RMIT Training reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of a law enforcement agency:
- the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;
- the enforcement of laws relating to the confiscation of the proceeds of crime;
- the protection of the public revenue;
- the prevention, detection, investigation or remedying of seriously improper conduct;
- the preparation for, or conduct of, proceedings before any court or tribunal; or
- the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS), in connection with its function, has requested RMIT Training to disclose the personal information, and:
- the disclosure is made to an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) to receive the disclosure; and
- an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) for the purposes of this paragraph has certified that the disclosure would be connected with the performance by ASIO or ASIS (as the case requires) of its functions.
Any such disclosure under this paragraph inclusively can only be made by the RMIT Training CEO or Solicitor, and written note to that effect must be made.
3. Data quality
3.1 RMIT Training will take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.
3.2 If RMIT Training is to ensure the quality and accuracy of personal information, this places an obligation upon an individual to provide relevant and accurate information to RMIT Training.
4. Data security
4.1 RMIT Training will take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2 RMIT Training will take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose.
5.1 RMIT Training will make this Statement available to anyone who asks for it.
5.2 On request by a person to the Privacy Officer, RMIT Training will take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
6. Access and correction
6.1 If RMIT Training holds personal information about an individual, it will provide the individual with access to the information on request by the individual, except to the extent that:
- providing access would pose a serious and imminent threat to the life or health of any individual; or
- providing access would have an unreasonable impact on the privacy of other individuals; or
- the request for access is frivolous or vexatious; or
- the information relates to existing legal proceedings between RMIT Training and the individual, and the information would not be accessible by the process of discovery or subpoena in those proceedings; or
- providing access would reveal the intentions of RMIT Training in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
- providing access would be unlawful; or
- denying access is required or authorised by or under law; or
- providing access would be likely to prejudice an investigation of possible unlawful activity; or
- providing access would be likely to prejudice:
- the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction; or
- the enforcement of laws relating to the confiscation of the proceeds of crime; or
- the protection of public revenue; or
- the prevention, detection, investigation or remedying of seriously improper conduct; or
- the preparation for or conduct of proceedings before any court or tribunal, or implementation of its orders by or on behalf of a law enforcement agency; or
- ASIO, ASIS or a law enforcement agency performing a lawful security function asks RMIT Training not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.
6.2 Where providing access would reveal evaluative information generated within RMIT Training in connection with a commercially sensitive decision-making process, RMIT Training may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
6.3 If RMIT Training is not required to provide the individual with access to the information because of one or more paragraphs within 6.1 inclusively, RMIT Training will, if reasonable, upon request by the individual to RMIT Training’s Privacy Officer, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
6.4 RMIT Training reserves the right to charge for providing access to personal information, and if it does so it will:
- advise an individual who requests access to personal information that RMIT Training will provide access on the payment of the prescribed fee; and
- may refuse access to the personal information until the fee is paid.
6.5 If RMIT Training holds personal information about an individual and the individual is able to establish that the information is not accurate, complete and up-to-date, RMIT Training will take reasonable steps to correct the information so that it is accurate, complete and up-to-date.
6.6 If RMIT Training and the organisation disagree about whether the information is accurate, complete and up-to-date, and the individual asks the organisation to associate with the information a statement from the individual claiming that the information is not accurate, complete or up-to-date, RMIT Training will take reasonable steps to do so.
6.7 RMIT Training will provide reasons for denial of access or a refusal to correct personal information.
6.8 If an individual requests access to, or the correction of, personal information held by RMIT Training, RMIT Training will:
- provide access, or reasons for the denial of access; or
- correct the personal information, or provide reasons for the refusal to correct the personal information; or
- provide reasons for the delay in responding to the request for access to or for the correction of personal information as soon as practicable, but no later than forty-five (45) days after receiving the request.
6.9 RMIT Training is not required to provide an individual with access to information about that individual if that information is generally available to the public.
7. Unique identifiers
7.1 RMIT Training will not assign unique identifiers to individuals (except for an Employee Number to identify an employee, a Student Number to identify a student and a database primary key to ensure the uniqueness of a database record) unless it is necessary for RMIT Training to carry out its functions efficiently. Employee Numbers, Student Numbers and database primary keys are considered necessary for RMIT Training to carry out its functions efficiently.
7.2 RMIT Training will not knowingly adopt as its own unique identifier of an individual a unique identifier of the individual that has been assigned by another organisation (except for employee and student numbers assigned by RMIT University).
7.3 RMIT Training will not require an individual to provide a unique identifier in order to obtain a service unless the provision of the unique identifier is required or authorised by law or the provision is in connection with the purpose (or a directly related purpose) for which the unique identifier was assigned.
Because of the nature of some of RMIT Training’s core businesses, it may be impractical for individuals transacting with RMIT Training to have the option of not identifying themselves. However, where it is lawful and practical to do so, RMIT Training will give individuals this option.
9. Transborder data flows
9.1 RMIT Training will only transfer personal information about an individual to someone (other than RMIT Training or the individual) who is outside Victoria if:
- RMIT Training reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Privacy Principles set out in this Statement; or
- the individual consents to the transfer; or
- the transfer is necessary for the performance of a contract between the individual and RMIT Training, or for the implementation of pre-contractual measures taken in response to the individual’s request; or
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between RMIT Training and a third party; or
- all of the following apply:
- the transfer is for the benefit of the individual;
- it is impracticable to obtain the consent of the individual to that transfer;
- if it were practicable to obtain that consent, the individual would be likely to give it; or
- RMIT Training has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Privacy Principles set out in this Statement.
10. Sensitive information
10.1 RMIT Training will not collect sensitive information about an individual unless:
- the individual has consented; or
- the collection is required under law; or
- the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:
- is physically or legally incapable of giving consent to the collection; or
- physically cannot communicate consent to the collection; or
- the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
10.2 Despite paragraph 10.1, RMIT Training may collect sensitive information about an individual if the collection:
- is necessary for research, or the compilation or analysis of statistics, relevant to government funded targeted welfare or educational services; or
- is of information relating to an individual’s racial or ethnic origin and is collected for the purpose of providing government funded targeted welfare or educational services; and
- there is no reasonably practicable alternative to collecting the information for that purpose; and
- it is impracticable for RMIT Training to seek the individual’s consent to the collection.