RTOs have many competing priorities to manage, and ensuring that the requirements of the Privacy Act 1988 are being addressed is usually not at the top of the list. The importance of having an effective Privacy Policy in place is often not understood until it is too late. Complying with the Privacy Act 1988 is an important legal obligation for RTOs when handling the personal information of individuals who interact with your business. Here are some common mistakes RTOs should be aware of in order to avoid non-compliance.
They don’t have a Privacy Policy or are not following it:
All businesses, including RTOs, need an effective Privacy Policy. Your policy should address the collection and protection of the data you obtain from various sources such as your website, social media sites or paper forms. In Australia, the Privacy Act 1988 (Privacy Act) is the legislation that sets out the obligations businesses must comply with when handling personal information about individuals. A Privacy Policy means little if it is published on your website or in your other publications, such as Student Handbooks, but you don’t follow it. RTOs should have a policy that reflects their specific organisation, not something that has been cut and pasted from someone else’s website. Don’t risk your compliance by using someone else’s policy.
They neglect to update their Privacy Policy or procedures as needed:
As your RTO changes and grows over time, you should regularly review and update your Privacy Policy so that it reflects current business practices. How your RTO uses and manages personal information will have changed, particularly if you have added new products or services, entered into partnerships including third-party arrangements, or introduced new technology. Legislative and contractual obligations change over time too, so your RTO must stay abreast of these requirements. Review your policy at least annually as part of your yearly policy and procedure library review, and update it as needed. Get some compliance advice to make it effective for your RTO, and remember that your RTO’s processes should reflect what your Privacy Policy says it will do.
Releasing information without written consent:
RTO staff are focused on meeting the needs of clients, but may inadvertently breach the privacy of an individual by trying to be overly helpful when providing good service. Without proper guidance and documented processes in place, a well-intentioned staff member may release personal information without consent. If information is provided to unauthorised individuals, it may result in a breach of the Privacy Act 1988. This can include providing records to other parties without the consent of the specific individual, disclosing information to other parties without verifying their identity first, and disclosing information to students without verifying their identity first.
Releasing information to incorrect recipients:
A very common breach of the Privacy Act 1988 is accidentally sending student personal information to the wrong person, e.g. emailing forms populated with another student’s information. Another example is disclosing other people’s email addresses and personal information when sending a bulk email to multiple recipients, by placing every address in the visible To or Cc field. Proper care needs to be taken when emailing records containing personal information to ensure that only the correct recipient receives the correspondence.
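The bulk-email mistake above is easy to check for mechanically. The following added example (not code from the original article) builds a bulk notice so that the recipient list never appears in a visible header, and includes a small check that flags any recipient address that does leak into To or Cc. The recipient addresses and the RTO sender address are constructed sample values, not real people.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipient list for the example (not real students).
STUDENT_RECIPIENTS = [
    "student.one@example.edu",
    "student.two@example.edu",
    "student.three@example.edu",
]


def build_bulk_notice(sender, recipients, subject, body):
    """Build a bulk notice where recipients cannot see each other.

    Returns (message, envelope_recipients). The recipients are kept out of
    the message entirely and are only handed to the SMTP client as envelope
    recipients, so nothing in the headers reveals who else received it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # visible header shows only the RTO's own address
    msg["Subject"] = subject
    msg.set_content(body)
    # No Bcc header is set either: the envelope list is returned separately
    # and would be passed as to_addrs to smtplib.SMTP.send_message(), e.g.
    #   smtp.send_message(msg, from_addr=sender, to_addrs=envelope)
    return msg, list(recipients)


def build_exposed_notice(sender, recipients, subject, body):
    """The mistake the article describes: every recipient in the To field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)  # every student sees every other address
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def leaked_addresses(msg, recipients):
    """Return the recipient addresses that appear in a visible To/Cc header.

    An empty list means the message is safe to send to the whole group.
    """
    visible = set()
    for header in ("To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            visible.add(addr.lower())
    return sorted(a for a in recipients if a.lower() in visible)


if __name__ == "__main__":
    sender = "admin@rto.example"  # constructed sample sender address
    safe_msg, envelope = build_bulk_notice(
        sender, STUDENT_RECIPIENTS, "Timetable update", "Classes resume Monday."
    )
    print("safe message leaks:", leaked_addresses(safe_msg, envelope))
    bad_msg = build_exposed_notice(
        sender, STUDENT_RECIPIENTS, "Timetable update", "Classes resume Monday."
    )
    print("exposed message leaks:", leaked_addresses(bad_msg, STUDENT_RECIPIENTS))
```

Running `leaked_addresses` as a pre-send check in whatever script or mail-merge tool the RTO uses turns an easily missed human error into a hard stop before the message goes out.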
Updating student records without proper verification:
Another issue RTOs should be aware of when handling individuals’ personal information is ensuring that records are only updated after confirming that the person requesting the changes is authorised to do so. If it is the individual themselves, confirm they are who they say they are by checking identification. If you are contacted by a parent or guardian, check their details and confirm their legal status, as delicate family matters can sometimes come into play with students.
Loss of records:
Staff losing paperwork, or student records stored on portable devices that have been taken home, is a common breach of the Privacy Act 1988. Theft of computers and laptops from a staff member’s home can also result in your clients’ records being obtained by unauthorised persons. RTOs should have data security measures in place that ensure clients’ records are properly protected and that staff are aware of their obligations.
Other feature articles:
Cheat sheet for ensuring privacy of client records
How to be compliant with privacy legislation requirements
The cost of waiting to get compliance advice in your RTO
Essential self-assurance systems and processes for RTOs
References:
https://www.legislation.gov.au/Details/C2022C00135
https://www.oaic.gov.au/privacy/your-privacy-rights/tips-to-protect-your-privacy/
https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/