Privacy and compliance with Commonwealth and state privacy acts and principles is fundamental for RTOs in order to meet the requirements of Clause 8.5 in the SRTOs 2015 and other contractual obligations. RTOs collect, store, and use a significant amount of personal information from clients and staff, and so must ensure they handle these records appropriately and responsibly. The following advice provides guidance for RTO staff on how your organisation can ensure compliance with privacy requirements.
Privacy policy:
RTOs should develop a privacy policy and advise clients and staff of it when collecting their personal information, as required by the Australian Privacy Principles. Your policy must be made available to individuals free of charge and in the form the individual asks for. If you have a website, it should be published there as well. Your policy must also outline the personal information that your organisation holds and be specific about how that information is managed.
Privacy procedure:
RTOs should implement a privacy procedure and review its effectiveness from time to time to ensure that your organisation is complying with its legal obligations. Your procedure should outline the processes in place for collecting, storing, and handling records that contain the personal information of individuals.
Handling personal information:
When RTOs collect personal information, you are required to advise the individual why you are collecting it and what you are going to do with it. This can be in the form of a privacy disclaimer statement on your quality documents. Where possible, de-identify the personal information of individuals when you collect it. If you need to keep personal information for longer than strictly necessary, ensure you anonymise it. RTOs must ensure that they use personal information only for the purpose for which it was obtained, or for related reasons the person would reasonably expect. If the information is sensitive information, ensure you have obtained written consent to collect, use and disclose it.
When disclosing personal information to third parties, ensure you have processes in place to confirm that they are reputable businesses and that they will handle the records you provide appropriately.
Privacy breaches:
In responding to privacy breaches, RTOs should take steps to contain the breach, evaluate the risks, identify and notify affected individuals, and implement preventative measures to avoid any future instances. RTOs should document any privacy breaches that occur and keep records of these incidents for mandatory reporting purposes. Further guidance is provided by the OAIC on the data breach preparation and response page of their website.
References:
https://www.oaic.gov.au/privacy/guidance-and-advice/?start=8
https://www.oaic.gov.au/privacy/notifiable-data-breaches/
https://www.oaic.gov.au/privacy/privacy-for-organisations/small-business/
https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-developing-an-app-privacy-policy/