ISM is committed to protecting the privacy and confidentiality of its students, clients and employees in accordance with the Privacy Act 1988 and the Australian Privacy Principles (APPs) and in compliance with the EU General Data Protection Regulation (GDPR) 2016/679, as outlined below:
Collection of personal information
For the purpose of this policy, personal information is described as follows: personal information is information or an opinion that identifies an individual or allows their identity to be readily identified from such information. It includes but is not limited to information such as a person’s name, address, financial information, marital status or billing details.
Use and disclosure of personal information
ISM will collect personal information via an enrolment process or through other means, which will be used by the RTO for purposes of meeting VET requirements for awarding qualifications and complying with reporting requirements of the relevant government regulator. Personal information may also be accessed for the purposes of an audit by ASQA or reasonably expected secondary purposes, and in other circumstances authorised by the Privacy Act.
ISM's external accountant and authorised Tax Office staff may access personal information of staff.
When taking credit card payments, ISM staff will not copy or record details other than for the specific use of processing the payment.
Access to Personal Information
You can gain access to personal information held about you by emailing a request to the CEO. We will handle all requests for access to personal information in accordance with the APPs and GDPR.
Management of Personal Information
ISM will take all reasonable steps to maintain the privacy and security of personal information. Information stored electronically is kept on a secure server and access is restricted to authorised employees. This server is regularly backed up and kept in a secure location.
Paper-based documents containing personal information are in a locked filing cabinet and held within a secure area within the RTO premises.
Where documents are required to be transferred to another location, personal information is transported securely in an envelope or document box. Any third party person (such as scanning personnel) will be required to sign a non-disclosure document.
Reasonable steps will be taken to destroy or permanently de-identify personal information when it is no longer required for any purpose.
Student information will be kept electronically for 30 years.
Some personal information we collect is ‘sensitive information’. Sensitive information includes personal information relating to a person’s health, racial or ethnic origin, political opinions, religion, trade union or other professional or trade association membership, sexual preferences, or criminal record.
Sensitive information will be used or disclosed only for the primary purpose for which it was collected or a directly related secondary purpose, unless you agree otherwise, or where certain other limited circumstances apply (for example, where required by law).
Updates to Policy
4.5.1 Privacy Procedures
- ISM will ensure that only authorised personnel have access to its LMS and eLearning portal at all times. Upon ceasing employment / contract with ISM, all access will be revoked.
- ISM will ensure it uses and maintains a secure and protected LMS and eLearning portal that meets privacy legislation.
- ISM will ensure that any third-party persons or companies that may have access to private or sensitive information sign a non-disclosure agreement / contract.
- ISM will ensure at all times paper-based documents are in lockable cabinets whilst not being worked on.
- ISM will ensure that the enrolment terms and conditions and declaration are clear, written in straightforward language, up to date and current at all times.
- ISM will ensure that this policy is reviewed and amended as required.
- ISM will ensure that this policy is displayed on its website for all staff and students.
- ISM will inform learners/users without delay in the case of a harmful data breach.