RTOs collect personal information about clients and staff while conducting their business and are required to comply with the Privacy Act 1988 and the Australian Privacy Principles. Breaches of privacy legislation can occur when RTO staff are not properly trained in how to respond appropriately to a request for personal information and in the processes for the collection, use and storage of these records. Here are some important considerations that RTOs must be aware of when handling individuals’ personal information and maintaining these records.
Releasing information:
RTOs must not release the personal information of students or staff to other parties without the written consent of the individual. If consent has been obtained by your RTO, the staff handling the request for information must verify the identity of both parties before releasing any records. Information can easily be released to incorrect recipients when staff handling personal information do not take care. Examples of this include accidentally sending a client’s personal information to the wrong person, e.g. emailing forms populated with other students’ information. This can also occur when emailing lists disclose other people’s email addresses. Staff should be trained appropriately to ensure they are aware of privacy requirements and how to process requests for personal information correctly.
Updating records:
RTO staff should not update student records without proper verification. For U18 students, this process must include confirming parent/guardian details before amending any information, by confirming with the student their parentage and verifying the identification of the parties involved. Similarly, when responding to requests from parents to update information about students over the age of 18, you must first obtain consent from the student to respond and confirm their parent is authorised to act on their behalf.
Losing records:
Staff should be discouraged from keeping student or staff records on portable devices, as they can be misplaced or stolen, which could potentially result in a notifiable data breach for your organisation. Sometimes trainers take assessments home to mark, and the movement of these records increases the risk of paperwork being lost or not securely retained by the training provider. RTOs have an obligation to ensure personal information collected is maintained securely and protected from misuse, interference and loss, as well as unauthorised access, modification or disclosure. RTOs should have strict processes in place that ensure staff are aware of how to appropriately handle both physical and digital records.
Rectifying breaches:
RTOs can rectify and prevent breaches of privacy requirements by providing training and development opportunities for staff in privacy, information handling and records management. Using technology or maintaining digital records also reduces the risk of breaches occurring, as security of data is more effective. RTOs can assign privacy leads in teams and champion the importance of correct handling and processing of personal information. Implementing organisational controls, e.g. policies, procedures and guidelines related to information privacy and recordkeeping, ensures staff are aware of the RTO’s obligations and how to adhere to requirements.

