Clause 8.5 of the SRTOs 2015 specifically requires RTOs to comply with Commonwealth, state and territory legislation and regulatory requirements relevant to their operations. This includes ensuring compliance with the Privacy Act 1988 and other state or territory legislation relating to privacy as referred to in funding agreements or other contracts that RTOs might have in place. Here are some important points for your staff to remember when dealing with requests for personal information located in RTO records.
Responding to requests for personal information:
RTOs should have a procedure in place outlining how staff are required to respond to requests for access to personal information from clients, staff or their representatives where the requestor cannot access the records either online or in person. In these circumstances you need a clear process that enables the requestor to ask for the records either in writing or verbally. Your staff need to be able to correctly verify what information is being requested and determine where it can be found.
Verifying identities:
When responding to a request for information, RTO staff need to verify the identity of the requestor before releasing any information, to ensure it is not provided to an unauthorised person. In the case of students requesting their own information, your staff should verify their identity by sighting appropriate identification documentation, such as a student ID card or any other form of photographic ID deemed appropriate by your organisation, to confirm it is the right person before releasing information. When the request has come from another party, such as a lawyer, jobactive or other organisation representing the student, you should obtain written consent from the student in addition to verifying the requestor’s identity before releasing the information. The identity of parents or guardians should also be verified, after first confirming parentage or guardianship with the student. Sometimes there are very sensitive family matters at hand, so care and concern are required when processing these requests. Requests from law enforcement or government agencies should be processed once the statutory reason for the request has been confirmed, if the information is required to be released by law.
Releasing information:
RTO staff processing requests for information from clients should be trained to release information only under appropriate circumstances. Your RTO should have a procedure in place that clearly defines the steps required for responding to these requests, including which matters require approval by the CEO before being processed. Requests should be processed in a timely fashion, and if a request is likely to exceed your standard timeframe, the staff member processing it should advise the client of the expected delay.
Records management:
All records related to requests for personal information (including the requests themselves, evidence of identity and authority, and the released information) should be kept in your RTO's record-keeping system (preferably stored electronically). Records should be retained according to your retention and disposal schedules. Some contracts or funding agreements require a specific retention period for certain records, so RTOs must ensure they comply with those requirements.

