RTOs are required to protect the personal information of their clients by the Privacy Act 1988 (Privacy Act) and Clause 8.5 of the SRTOs 2015. The legislation requires that an individual’s personal information cannot be divulged to other parties without their consent and that these records must be kept in a secure place. There are 13 Australian Privacy Principles, which set out the Privacy Act obligations of organisations that manage personal information. The following information provides RTOs with some advice on how to ensure the personal information of clients is managed appropriately.
Privacy procedure:
You need to have a clear and up-to-date privacy procedure that outlines the processes your RTO has in place to ensure that the information you collect, what you use it for and how you protect it comply with privacy requirements. Your staff should also undertake regular privacy training to ensure they are implementing your procedure correctly. Following internal processes and procedures will help you manage and mitigate privacy risks, including the risks posed by human error. Make sure you provide privacy notices to clients and that you handle their personal information in accordance with your procedure.
Collecting personal information:
RTOs should only collect personal information that they actually need. Do not collect personal information just because it may become necessary or useful at a later date. In certain circumstances, RTOs can conduct business activities without collecting personal information at all.
Handling personal information:
You must ensure that the sensitive information you collect from individuals is given the most secure level of privacy protection under the Privacy Act. Sensitive information is a specific subset of personal information that includes an individual’s racial or ethnic origin, religious beliefs or affiliations, and sexual orientation or practices. It also includes information about health, genetics and biometrics. In general terms, sensitive information can only be collected with an individual’s consent.
Storing personal information:
RTOs must ensure they have appropriate processes in place to protect personal information from unauthorised access, modification or disclosure, and against misuse, interference and loss. You must also take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose permitted under the Privacy Act. This requirement does not apply if you are required or authorised by law to retain the information.