Privacy Policy and Procedures

PURPOSE

DG Institute is committed to protecting employee and client privacy and confidentiality to the extent permissible by law. However, to achieve the required outcomes of its operations and services, the organisation collects information about its students and their employers (where applicable). Bound by the Australian Privacy Principles, this policy describes how DG Institute takes reasonable measures to protect the privacy of its staff and students, in line with state and federal legislation.

SCOPE

This document applies to the reasonable measures the organisation takes regarding collection, handling and disclosure of all information that identifies an individual, including both clients and staff of DG Institute. This policy does not cover internal operations or business practices such as billing, financial auditing or planning.

RELEVANT STANDARDS, GUIDELINES, LEGISLATION & REGULATIONS

  • Privacy Act 1988
  • Privacy Amendment (Enhancing Privacy Protection) Act 2012
  • Office of the Australian Information Commissioner’s (OAIC) Australian Privacy Principles Guidelines
  • Guide to developing an APP privacy policy

RELATED DOCUMENTS

  • Client Handbook
  • Staff Induction Manual
  • Consumer Protection Policy
  • Records and Retention Policy and Procedure
  • Complaints and Appeals Policy and Procedures
  • Order Form

DEFINITIONS

Data Breaches

When personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse.

Direct Marketing

Direct marketing involves the use or disclosure of personal information to communicate directly with an individual to promote goods and services.

Moderation of Assessments

Moderation is the process of bringing assessment judgements and standards into alignment. It is a process that ensures the same standards are applied to all assessment results within the same Unit(s) of Competency. It is an active process in the sense that adjustments to assessor judgements are made to overcome differences in the difficulty of the tool and/or the severity of judgements.

OAIC

The Office of the Australian Information Commissioner (OAIC) is an independent statutory agency within the Attorney General’s portfolio.

Personal information

Information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable. Common examples are an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.

Reasonable measures

DG Institute has put in place reasonable security safeguards and takes reasonable steps to protect the personal information held from loss and from unauthorised access, use, modification or disclosure, or other misuse.

POLICY

Summary Notice

DG Institute collects personal information to properly and efficiently carry out its functions. DG Institute only collects personal information that is required for the purposes of employment or education, requests for Australian Government fee assistance or to meet government reporting requirements. DGI policies and procedures abide by the Australian Privacy Principles and outline reasonable measures taken to protect the privacy of individuals and staff in line with state and federal legislation. A mechanism exists in which individuals and staff can raise a complaint in relation to how their personal information is handled. All relevant client policies and procedures are available on the DG Institute website.

Rights and Choices of individuals

The rights and choices of individuals and staff:

  1. DG Institute has processes and systems in place that protect personal information, and individuals are told how to access that information
  2. Information collected is only used for the purpose it is intended
  3. Access to view records and/or to correct personal information is available upon request
  4. Ability to make a complaint, if dissatisfied with how private information has been handled, stored or used
  5. Disclosure of information – information is not disclosed to a third party without the individual’s consent
  6. Information is available to individuals on how breaches of this Privacy Policy and Procedure are managed
  7. Information on how personal information is stored and destroyed.

Information Collected and how it is used

The type of information collected and held by DG Institute includes personally identifiable information, including sensitive information about clients before, during and after the completion of training. Consent to collect a client’s information is obtained at application via the Order Form.

Information may include:

  • Student Name
  • Current and previous address details
  • Contact information
  • Driver’s Licence or other identification details
  • File notes

DG Institute also collects personal and professional information from staff to meet its obligations with regards to employment, legal requirements and taxation.

How Information is collected

Generally, information is provided to DG Institute by the individuals themselves. Individuals provide personal information over the phone, in person, online, via email and by completing various forms, including:

  • General course enquiry
  • Online enquiry (via the DGI website)
  • Order form
  • Assessment task submission
  • Unit Assessment Record

How we hold information

Depending on the circumstances, we may hold an individual’s information in hardcopy or electronic form, or both. Our client database is held in electronic format. For more information, refer to the Storage, Security and Destruction of Personal Information section of this Policy.

How information is used

DG Institute only uses information for its intended purpose. We use personal information:

  • For data reporting
  • For internal purposes such as assessment policies, procedures and processes, risk management, program and assessment validation and moderation and staff training
  • To identify, and inform individuals of transitioning of courses in which they may be enrolled, and
  • To administer our customer relationship with individuals.

Disclosure (sharing)

Information collected or held by DG Institute will only be disclosed to third parties after written consent has been obtained from the individual using the Information Release Form, or where disclosure is required by law. Third parties may include:

  • The individual’s authorised representative or legal advisors

DG Institute will make all reasonable efforts to secure and protect confidential information from unlawful disclosure. No personally identifiable information will be disclosed by DG Institute without the consent of the individual(s) concerned, except where disclosure is required by law.

DG Institute does not disclose personal information to overseas recipients. For the purposes of this document, an ‘overseas recipient’ is a person who receives personal information from an APP entity (organisation) and is:

  • not in Australia or an external Territory;
  • not the APP entity disclosing the personal information; and
  • not the individual to whom the personal information relates.

Access and requests for information correction

Individuals may request access to the personal information held and may also make requests to correct personal information if it is not accurate, up-to-date or complete. Individuals may request access to their personal information at any time by calling DG Institute during office hours or sending a written request to DG Institute by email or post (see contact details below). To protect the privacy of our clients and the privacy of others, DG Institute will ask for evidence of identity (refer to procedures) before the business can grant access to information or change it. Once an individual’s identity has been verified, access will be provided in an appropriate manner within 30 days.

In rare circumstances, and only where it is permitted under the Privacy Act 1988 (Cth), we may not be able to provide individuals with access to information; for example, where access would have an unreasonable impact on the privacy of others, where the information relates to legal proceedings between us and the individual and would not otherwise be available through those proceedings, where access would be prejudicial to negotiations, where we are required by law to withhold the information, or where it would reveal information relating to our commercially sensitive decision-making processes. If we are unable to provide individuals with access, we will provide an explanation in writing within five working days.

Complaints

Individuals may make a complaint about how their personal information is handled, without incurring a fee (refer to the contact details below for access to these services). There are three stages in the complaint-handling process:

  1. The complaint is made directly to DG Institute in the first instance
  2. The complaint may be taken to a recognised external dispute resolution scheme (if applicable).
  3. The complaint may be taken to the OAIC.

Individuals can contact DG Institute by phone or email, by visiting our office, or by sending a request or complaint to the contact details below. The business undertakes to respond to the complainant within 30 days. If the request or complaint takes longer to resolve, the business provides individuals with a date by which they can expect a response.

Contact Information

Contact Training Manager

Phone 1300 871 251

Email info@dginstitute.com.au

Website www.dginstitute.com.au

Protecting Personal Information

To help protect the privacy of data and personal information that the business collects and retains, the business uses physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. All employees undergo privacy training at regular staff Operations Meetings or Trainer meetings that emphasises the importance of confidentiality and the maintenance of client/employer privacy and the security of personal information. Access to personal information is restricted to employees who need it to provide benefits or services to clients; also refer to the ‘How Information is Used’ section of this Policy.

Website

The Privacy Policy and Procedure is published free of charge on our website www.dginstitute.com.au. The DG Institute website may contain links to other websites. Please be aware that the Business is not responsible for the privacy practices of such other sites. If individuals go to other websites, the Business advises caution and to read the related site’s privacy policy.

Direct Marketing

DG Institute practices ethical direct marketing. Where DG Institute is permitted to use or disclose personal information for direct marketing, it must always: allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and comply with that request. The Business will, on request, provide its source for an individual’s personal information, unless it is impracticable or unreasonable to do so.

Storage, security and destruction of personal information

For the purposes of this policy, records include:

  • Client Results
  • Statements of Attainment
  • Completed Assessment Results
  • Assessment Tools
  • Administrative Records
  • Student File

To ensure records are maintained in a safe and suitable condition, the following policy applies:

  • Records are kept securely to prevent them being accessed by any non-authorised personnel.
  • Records are kept confidential to safeguard information and to protect the privacy of clients and DG Institute staff
  • Through hazard identification and monitoring procedures, records are stored in such a manner as to avoid damage by fire, flood, termites or any other pests.
  • Client results and Certificates / Statements of Attainment are backed-up and stored electronically and are available to be retrieved by authorised persons at any time
  • Electronic client records are kept for 30 years
  • Hard copy records are kept for a minimum of three (3) years
  • Where a complaint/appeal has been registered, the client file is kept for three (3) years
  • Records of complaints and appeals are kept in the Complaints and Appeals Register for a period of five (5) years.
  • Electronic data is backed-up and kept off-site.

Destruction of Records

The CEO is the only person who can authorise the destruction of records. The CEO identifies records for destruction from the Archive Box Records. The CEO provides the approved external storage provider with a work order to destroy identified documents. Records will only be authorised for destruction by the CEO after the retention period has lapsed. To ensure confidentiality, an external approved provider is employed to destroy records.

Monitoring

The Business audits and monitors internal staff on a regular basis to ensure the correct procedures are undertaken for access, handling and destruction of personal information.

Data Breaches

Security is a basic element of information privacy. In Australia, this principle is reflected in the Privacy Act 1988 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012. DG Institute takes reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Depending on the circumstances, those reasonable steps may include implementing the data breach procedure contained within this policy, notifying the individuals who are or may be affected by a data breach, and notifying the OAIC.

Appropriate security safeguards for personal information need to be considered across a range of areas. This includes maintaining physical security, computer and network security, communications security and personnel security. To meet information security obligations, DG Institute undertakes the following activities:

  • Risk assessment – Identifies security risks to personal information held by the organisation and the consequences of a breach of security.
  • Privacy impact assessments – Evaluates, in a systematic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations.
  • Policy development – Reviews and updates the policy that implements measures, practices and procedures to reduce the identified risks to information security.
  • Staff training – Trains staff and managers in security and fraud awareness, practices and procedures and codes of conduct.
  • The responsible person or position – The CEO is the designated position within the organisation to deal with data breaches. This position has responsibility for establishing policy and procedures, training staff, coordinating reviews and audits and investigating and responding to breaches.

Policy and Procedure Review

The Privacy Policy and Procedure is reviewed annually and/or more frequently in line with legislation or regulation changes. The most recent version of the Privacy Policy and Procedure is uploaded and available on our website www.dginstitute.com.au free of charge. Individuals can request a copy of the document to be printed, posted or emailed. Where policy reviews occur, the Business will send all current clients an SMS alerting them of the updated policy and where to access it. Effectiveness of this policy and procedure is monitored by the organisation’s Continuous Improvement Committee and Management Committee.

PROCEDURES

Records Retention

For information regarding records retention, please refer to the Records and Retention Policy and Procedure.

Requests for personal information

Students may request access to their personal information by calling DG Institute during office hours or by sending a written request to DG Institute by email, facsimile or post (see Contact Information above). To protect the privacy of our clients and the privacy of others, DG Institute will ask for evidence of identity by requesting the following information:

  1. The student’s first name and last name (surname);
  2. Address, including post code; and
  3. Date of Birth.

The staff member taking the enquiry will confirm this information is correct by checking it against the student database system.

Once an individual’s identity has been verified, access will be provided in an appropriate manner within 30 days.

Data Breaches

Step 1: Contain the breach and do a preliminary assessment

  • Immediately contain the breach. Stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if it would result in loss of evidence, revoke or change computer access privileges or address weaknesses in physical or electronic security.
  • Assess whether steps can be taken to mitigate the harm an individual may suffer as a result of a breach.
  • The CEO is made aware of the breach. The CEO determines who else needs to be made aware of the breach (internally and potentially externally) at this preliminary stage. Appropriate records of the suspected breach are maintained, including the steps taken to rectify the situation and the decisions made.
  • Critical Incident Form is completed.

Step 2: Evaluate the risks associated with the breach

To determine what other steps are immediately necessary, the risks associated with the breach are assessed. The following factors are considered when assessing the risk(s):

  • The type of personal information involved.
  • The context of the affected information and the breach.
  • The cause and extent of the breach.
  • The risk of serious harm to the affected individuals.
  • The risk of other harms.

Step 3: Notification

The particular circumstances of the breach are considered to determine:

  • Whether affected individuals should be notified, and how
  • What information should be included in the notification, and
  • Who else (other than the affected individuals) should be notified.

Notification to the OAIC of a data breach occurs where the circumstances indicate that it is appropriate to do so, including where the breach is likely to result in serious harm to affected individuals:

  • Contact the CEO, who is responsible for making the notification

Step 4: Prevent future breaches

Once the immediate steps are taken to mitigate the risks associated with the breach, an investigation into the cause is initiated and a comprehensive report written including a prevention plan to ensure the breach does not re-occur. A review of the data breach procedure and this privacy policy and procedure forms part of the investigation process.

  • Monitoring of the outcomes of the critical review occurs through the Continuous Improvement Committee.

Endorsed by: Continuous Improvement and Management Committee

Date approved: August 2019

Review Date: August 2020