DG Institute is committed to protecting employee and client privacy and confidentiality to the extent permissible by law. However, to achieve the required outcomes of its operations and services, the organisation collects information about its students and their employers (where applicable). Bound by the Australian Privacy Principles, this policy describes how DG Institute takes reasonable measures to protect the privacy of its staff and students, in line with state and federal legislation.
This document applies to the reasonable measures the organisation takes regarding collection, handling and disclosure of all information that identifies an individual, including both clients and staff of DG Institute. This policy does not cover internal operations or business practices such as billing, financial auditing or planning.
RELEVANT STANDARDS, GUIDELINES, LEGISLATION & REGULATIONS
When personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse.
Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services.
Moderation of Assessments
Moderation is the process of bringing assessment judgements and standards into alignment. It is a process that ensures the same standards are applied to all assessment results within the same Unit(s) of Competency. It is an active process in the sense that adjustments to assessor judgements are made to overcome differences in the difficulty of the tool and/or the severity of judgements.
The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney General’s portfolio.
Information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable. Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.
DG Institute has put in place reasonable security safeguards and takes reasonable steps to protect the personal information held from loss and from unauthorised access, use, modification or disclosure, or other misuse.
DG Institute collects personal information to properly and efficiently carry out its functions. DG Institute only collects personal information that is required for the purposes of employment or education, requests for Australian Government fee assistance or to meet government reporting requirements. DGI policies and procedures abide by the Australian Privacy Principles and outline reasonable measures taken to protect the privacy of individuals and staff in line with state and federal legislation. A mechanism exists in which individuals and staff can raise a complaint in relation to how their personal information is handled. All relevant client policies and procedures are available on the DG Institute website.
Rights and Choices of individuals
The rights and choices of individuals and staff:
Information Collected and how it is used
The type of information collected and held by DG Institute includes personally identifiable information, including sensitive information about clients before, during and after the completion of training. Consent for a client’s information is gained at application via the order form.
Information may include:
DG Institute also collects personal and professional information from staff to meet its obligations with regards to employment, legal requirements and taxation.
How Information is collected
Generally, information is provided to DG Institute by the individuals themselves. Individuals provide personal information over the phone, in person, online, via email and by completing various forms, including:
How we hold information
Depending on the circumstances, we may hold an individual’s information in either hardcopy or electronic form, or both. Our client database is held in electronic format. For more information, refer to the Storage, Security and Destruction of Personal Information section of this Policy.
How information is used
DG Institute only uses information for its intended purpose. We use personal information:
Information collected or held by DG Institute will only be disclosed to third parties after written consent has been obtained from the individual using the Information Release Form or where required by law. This may include:
DG Institute will make all reasonable efforts to secure and protect confidential information from unlawful disclosure. No personally identifiable information will be disclosed by DG Institute without the consent of the individual(s) concerned.
For the purpose of this document, DG Institute does not disclose personal information to overseas recipients. An ‘overseas recipient’ is a person who receives personal information from an APP entity (organisation) and is:
Access and requests for information correction
Individuals may request access to the personal information held and may also make requests to correct personal information if it is not accurate, up-to-date or complete. Individuals may request access to their personal information at any time by calling DG Institute during office hours or sending a written request to DG Institute by email or post (see contact details below). To protect the privacy of our clients and the privacy of others, DG Institute will ask for evidence of identity (refer to procedures) before the business can grant access to information or change it. Once an individual’s identity has been verified, access will be provided in an appropriate manner within 30 days.
In rare circumstances, and only where it is permitted under the Privacy Act 1988 (Cth), we may not be able to provide individuals with access to information; for example, where it will have an unreasonable impact upon the privacy of others, where it relates to legal proceedings between us through which the information would not otherwise be available, where it would be prejudicial to negotiations, where we are required by law to withhold the information or where it would reveal information relating to our commercially sensitive decision making processes. If we are unable to provide individuals with access, we will provide an explanation in writing within five working days.
Individuals may make a complaint about how their personal information is handled, without incurring a fee (refer to the contact details below for access to these services). There are three stages in the complaint-handling process:
Individuals can contact DG Institute by phone or email, drop into our office, or send a request or complaint to the address below. The business undertakes to respond to the complainant within 30 days. If the request or complaint takes longer to resolve, the business provides individuals with a date by which they can expect a response.
Contact Training Manager
Phone 1300 871 251
Protecting Personal Information
To help protect the privacy of data and personal information that the business collects and retains, the business uses physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. All employees undergo privacy training at regular staff Operations Meetings or Trainer meetings, which emphasises the importance of confidentiality and the maintenance of client/employer privacy and security of personal information. Access to personal information is restricted to employees who need it to provide benefits or services to clients; also refer to the ‘How Information is Used’ section of this Policy.
DG Institute practises ethical direct marketing. Where DG Institute is permitted to use or disclose personal information for direct marketing, it must always: allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and comply with that request. The Business will, on request, provide its source for an individual’s personal information, unless it is impracticable or unreasonable to do so.
Storage, security and destruction of personal information
For the purposes of this policy, records include:
To ensure records are maintained in a safe and suitable condition, the following policy applies:
Destruction of Records
The CEO is the only person who can authorise the destruction of records. The CEO identifies records for destruction from the Archive Box Records. The CEO provides the approved external storage provider with a work order to destroy identified documents. Records will only be authorised for destruction by the CEO after the retention period has lapsed. To ensure confidentiality, an external approved provider is employed to destroy records.
The Business audits and monitors internal staff on a regular basis to ensure the correct procedures are undertaken for access, handling and destruction of personal information.
Security is a basic element of information privacy. In Australia, this principle is reflected in the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012. Benchmark College takes reasonable steps to protect the personal information held from misuse and loss and from unauthorised access, modification or disclosure.
Depending on the circumstances, those reasonable steps may include implementation of the data breach procedures contained within this policy and notification of the individuals who are or may be affected by a data breach; notification to the OAIC may also be a reasonable step.
Appropriate security safeguards for personal information need to be considered across a range of areas. This includes maintaining physical security, computer and network security, communications security and personnel security. To meet information security obligations, DG Institute undertakes the following activities:
Policy and Procedure Review
For information regarding records retention, please refer to the Records Retention Policy and Procedures.
Requests for personal information
Students may request access to their personal information by calling DG Institute during office hours or sending a written request to DG Institute by email, facsimile or post (see contact details below). To protect the privacy of our clients and the privacy of others, DG Institute will ask for evidence of identity by requesting the following information:
The staff member taking the enquiry will confirm this information is correct by accessing the student database system.
Once an individual’s identity has been verified, access will be provided in an appropriate manner within 30 days.
Step 1: Contain the breach and do a preliminary assessment
Step 2: Evaluate the risks associated with the breach
To determine what other steps are immediately necessary, the risks associated with the breach are assessed. The following factors are considered when assessing the risk(s):
Step 3: Notification
The particular circumstances of the breach are considered, and;
Notification to the OAIC of a data breach occurs where the circumstances indicate that it is appropriate to do so:
Step 4: Prevent future breaches
Endorsed by: Continuous Improvement and Management Committee
Date approved: August 2019
Review Date: August 2020