SECTION 1 – PREAMBLE

  1. This document sets out a framework for the protection of personal privacy and confidentiality consistent with Cornzal’s obligations and commitment to protecting the privacy of all members of the Cornzal community. 
  2. Cornzal will act responsibly to collect, manage, use and disclose personal information in accordance with the Privacy Act 1988, the Queensland Information and Privacy Act 2009, and all other relevant State and Territory legislation regarding privacy and information management.

SECTION 2 – PURPOSE

3. This policy provides guidance and principles for the protection of personal privacy and information as required by the Privacy Act 1988, the Queensland Information and Privacy Act 2009, and other legislative instruments, including how to handle international responsibilities such as those under the European Union’s General Data Protection Regulation. 

SECTION 3 – SCOPE

4. All staff of the RTO and other members of the Cornzal community who are responsible for the collection, handling, storage, disposal and access to personal and confidential information must be aware of their responsibilities under the Privacy Act 1988, the Queensland Information and Privacy Act 2009, and all other relevant State and Territory legislation regarding privacy and information management. This policy also applies to those members of the Cornzal staff and community who incidentally collect such information as part of or outside their normal duties. 

 

SECTION 4 – POLICY

Collection of Personal Information

5. Cornzal will only collect personal information that is necessary for one or more of its functions or activities. 

6. Cornzal will only collect personal information in a lawful, fair and not unreasonably intrusive way. 

7. When personal information is collected from an individual, Cornzal will take reasonable steps to ensure that the individual is: 

a. Aware of Cornzal’s identity and how to contact it;

b. Able to have access to the information;

c. Aware of the purpose for which the information is collected;

d. Aware of the persons or bodies, or classes of persons or bodies, to which Cornzal usually discloses personal information;

e. Aware of any law that requires the collection of the information; and

f. Aware of any consequences for the individual if they do not provide all or part of the information.

8. If it is reasonable and practical to do so, Cornzal will only collect personal information about an individual from that individual.  If Cornzal collects personal information about an individual from another person, it will take reasonable steps to ensure the individual is or has been made aware of the matters listed above unless making the individual aware of these matters would pose a serious threat to the life or health of a person.

9. Cornzal may use and disclose personal information only in the following instances, after a written note of the use or disclosure is made:

a. The use or disclosure is related or directly related to the purpose for collecting it and the individual would reasonably expect Cornzal to use or disclose it for that purpose;

b. with the individual’s consent;

c. the use or disclosure is necessary for research or the compilation or analysis of statistics in the public interest, and:

i. only where the research will not be published in identifiable form; and  

ii. the individual’s consent cannot be reasonably obtained; and  

iii. the recipient of the information will not disclose the personal information; and  

iv. where any health information is only used or disclosed in accordance with guidelines issued by the Information Commissioner under the relevant section of any applicable State and/or Territory legislative instrument.

d. to lessen or prevent a serious and imminent threat to a person’s life, health or safety, or of harm to or exploitation of a child, or serious threat to public health or safety; 

e. when required in the investigation or reporting of unlawful activity, or assisting a law enforcement agency; 

f. where the use or disclosure is required or authorised by law; or 

g. in connection with the performance of the functions of the Australian Security Intelligence Office (ASIO) or Australian Secret Intelligence Service (ASIS) where authorised in writing. 

Trans-border Data Flows 

10. Cornzal will not transfer personal information about an individual to a person (other than the individual) outside Queensland or any other relevant State and/or Territory as it applies to the student enrolment unless: 

a. the transfer is required or authorised under a law of Queensland or the relevant State and/or Territory, or the Commonwealth; or 

b. Cornzal reasonably believes that the person receiving the information is subject to a law, or a contract or other legally binding arrangement, that requires the person to comply with principles for handling the information that are substantially similar to the Information Privacy Principles and Australian Privacy Principles; or 

c. the individual consents to the transfer; or 

d. the transfer is necessary for the performance of a contract between the organisation and the individual or for the implementation of pre-contractual measures taken in response to the individual’s request; or 

e. the transfer is necessary for the performance or completion of a contract between the organisation and a third party, the performance or completion of which benefits the individual; or

f. all of the following apply: 

i. The transfer is for the benefit of the individual; 

ii. It is impracticable to obtain the consent of the individual to the transfer; 

iii. It is likely that the individual would consent to the transfer; or 

11. The organisation has taken reasonable steps to ensure that the information will not be held, used or disclosed by the person to whom it is transferred, in a manner that is inconsistent with the Information Privacy Principles or Australian Privacy Principles. 

12. Cornzal will ensure that any contracts with third parties where personal information may be transferred contain privacy clauses requiring compliance with the Privacy Act 1988, the Queensland Information and Privacy Act 2009, and all other relevant State and Territory legislation regarding privacy and information management and the Information Privacy Principles and the Australian Privacy Principles.

Data Quality

13. Cornzal will take all reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date. 

Data Breaches

14. The Notifiable Data Breach Scheme, as detailed in the Privacy Act 1988, requires regulated entities to notify affected individuals and the Australian Information Commissioner about the occurrence of eligible data breaches.

15. As soon as possible after the breach has occurred, all suspected eligible data breaches must be referred to Cornzal’s Privacy Officer for actioning and reporting as they deem appropriate.

Information Security

16. Cornzal will protect all personal information it holds from misuse, loss, unauthorised access, modification or disclosure by:

a. Implementing industry standards for the security and protection of personal information; and

b. Storing information in either electronic and/or hard copy forms with access restricted to authorised personnel only. 

17. Security, integrity and accuracy of information is governed by Cornzal’s Information and Communication Technologies Security Policy and Records Management Policy and related procedures.

18. Cornzal will take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose in accordance with the Records Management – Retention and Disposal of RTO Records Procedure and Disposal Schedules.

Privacy and Confidentiality Obligations

19. Staff members, students, researchers, contractors and any other third party who collect, use or disclose personal information on behalf of Cornzal have a responsibility to act consistently with the Information Privacy Principles and Australian Privacy Principles and to take appropriate measures to avoid a breach of confidence.

20. Under the Higher Education Support Act 2003 it is an offence (punishable by fine or imprisonment) if a staff member of Cornzal discloses, copies or records personal information otherwise than in the course of official employment, or causes unauthorised access to or modification of personal information held by Cornzal.

21. At any time during and after employment with Cornzal, staff members must not use, divulge, copy or communicate any confidential information to any person without Cornzal’s consent, regardless of whether the other person is an employee of Cornzal or not, except as required in the ordinary performance of the staff member’s duties.  

22. Unauthorised access to personal information must be reported to Cornzal’s Privacy Officer and, where relevant, to the responsible owner of the information system concerned. Failure to comply with this Policy may necessitate disciplinary action.

23. Cornzal matters relating to individuals or non-public information must not be discussed, except where directly related to the staff member’s role, as this may constitute a breach of confidence and therefore misconduct.

Information and Communication Technologies Facilities

24. Users of Cornzal’s Information and Communication Technologies (ICT) facilities are reminded that anything that is written or recorded is potentially subject to subpoena or Freedom of Information requests or other authorised access. Inappropriate use of Cornzal’s Information and Communication Technologies (ICT) facilities may be subject to disciplinary action.

General Data Protection Regulation (GDPR)

25. The General Data Protection Regulation (GDPR) is the privacy law of the European Union (EU) that took effect from 25 May 2018 and applies to all EU and European Economic Area (EEA) member states. It also applies to the United Kingdom post-Brexit, as the UK has retained the GDPR in UK law, where it will continue to be read alongside the Data Protection Act 2018 (UK).

26. The GDPR covers the personal data of all natural persons within the EU/EEA and UK (“EU/EEA and UK data subjects”). The GDPR makes no distinctions based on an individual’s permanent place of residence or nationality. The GDPR applies to all such individuals’ personal data.

27. The GDPR also applies to the processing of personal data by data controllers or data processors who are not based in the EU/EEA and UK, where they process personal data of individuals in the EU/EEA and UK in connection with the offering of goods/services.

28. EU/EEA and UK data subjects have additional rights under the GDPR, including that they are entitled (subject to the requirements and constraints of the GDPR) to:

a. access the personal data Cornzal holds about them, and to receive that personal data in a structured, commonly used and machine-readable format;

b. raise an objection to decisions made by Cornzal based on automated processing of personal data, where the processing of personal data Cornzal holds about them is likely to significantly affect them;

c. request either the rectification of any incorrect, incomplete or outdated personal data or restrict further processing of that individual’s personal data;

d. request erasure of their data (right to be forgotten) and this must be undertaken by Cornzal without undue delay; and

e. require that their personal data not be processed for the purpose of direct marketing.

Access and Correction

29. On the request of an individual, Cornzal will take reasonable steps to inform the individual of the kind of personal information it holds, why it holds the information and how it collects, holds, uses and discloses the information. 

30. On the request of an individual, Cornzal will provide access to their personal information, except to the extent that: 

a. providing access would pose a serious threat to the life or health of the individual or another individual; or

b. providing access would prejudice measures for the protection of the health or safety of the public; or 

c. providing access would unreasonably interfere with the privacy of another individual; or 

d. the request for access is frivolous or vexatious; or 

e. the information relates to existing or anticipated legal proceedings between Cornzal and the individual and the information would not be accessible by the process of discovery or subpoena in those proceedings; or 

f. providing access would reveal the intentions of Cornzal in relation to negotiations with the individual in such a way that would prejudice the negotiations; or 

g. providing access would be unlawful; or 

h. denying access is required or authorised by law; or 

i. providing access would be likely to prejudice an investigation of possible unlawful activity; or 

j. providing access would be likely to prejudice one or more of the following by or on behalf of a law enforcement agency: 

i. preventing, detecting, investigating, prosecuting or punishing an offence or a breach of a prescribed law;  

ii. enforcing a law relating to the confiscation of proceeds of crime;  

iii. protecting public revenue;  

iv. preventing, detecting, investigating or remedying seriously improper conduct or prescribed conduct; 

v. preparing for or conducting proceedings in a court or tribunal or implementing the orders of a court or tribunal; or 

k. providing access would prejudice:

i. the security or defence of the Commonwealth or a State or Territory of the Commonwealth; or 

ii. the maintenance of law and order in Queensland and any other relevant State and/or Territory.

31. However, where providing access would reveal evaluative information generated within Cornzal in connection with a commercially sensitive decision-making process, Cornzal may give the individual an explanation for the commercially sensitive decision rather than access to the decision. 

32. If Cornzal holds personal information about an individual and the individual establishes that the information is not accurate, complete or up to date, Cornzal will take reasonable steps to correct the information so that it is accurate, complete and up to date. 

33. If an individual and Cornzal disagree about whether personal information about the individual held by Cornzal is accurate, complete, or up to date; and

a. The individual requests Cornzal to associate with the information a statement to the effect that, in the individual’s opinion, the information is inaccurate, incomplete or out of date;

b. Cornzal will take reasonable steps to comply with that request. 

34. Cornzal will provide reasons for refusing to provide access to or correct personal information.

35. If an individual requests Cornzal for access to, or to correct personal information held by Cornzal, then Cornzal will, within a reasonable time: 

a. Provide access or reasons for refusing access; or

b. Make the correction or provide reasons for refusing to make it; or 

c. Provide reasons for the delay in responding to the request.

36. If Cornzal charges a fee for providing access to personal information, the fee will not be excessive. Access and amendment requests should be directed to Cornzal’s Privacy Officer.

Notification of correction to third parties 

37. If Cornzal corrects personal information that Cornzal previously disclosed to another entity, and the individual requests Cornzal to notify the other entity of the correction, Cornzal will take such steps as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.

Sensitive Information

38. Cornzal will not collect sensitive information about an individual unless:

a. the individual consents to the collection; or

b. Cornzal is authorised or required by law to collect the information; or

c. the individual is:

i. physically or legally incapable of giving consent to the collection; or 

ii. physically unable to communicate his or her consent to the collection; and

iii. collecting the information is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual or another individual; or

d. collecting the information is necessary to establish, exercise or defend a legal or equitable claim.

39. However, Cornzal may collect sensitive information about an individual if:

a. the collection:

i. is necessary for research, or the compilation or analysis of statistics, relevant to government funded targeted welfare or educational services; or

ii. is of information relating to an individual’s racial or ethnic origin and is for the purpose of providing government funded targeted welfare or educational services; and

b. there is no other reasonably practicable alternative to collecting the information for that purpose; and

c. it is impracticable for the organisation to seek the individual’s consent to the collection.

SECTION 5 – NON-COMPLIANCE

40. Non-compliance with Governance Documents is considered a breach of the Code of Conduct – Staff or the Code of Conduct – Students and is treated seriously by Cornzal. Reports of concerns about non-compliance will be managed in accordance with the applicable disciplinary procedures outlined in the Enterprise Management Agreement Cornzal and the Code of Conduct – Students.

41. Complaints may be raised in accordance with the Code of Conduct – Staff and Code of Conduct – Students.

42. All staff members have an individual responsibility to raise any suspicion, allegation or report of fraud or corruption in accordance with the Fraud and Corruption Control Policy and Whistleblower Reporting (Improper Conduct) Procedure.

 

Date | Document Title | Review Date
13 October 2023 | Privacy and Confidentiality Policy | 03 October 2024

Approved By | Position | Version
Niraj Shekhawatia | RNMC Chief Executive Officer | 1.0
Melissa Bailey | Corporate Director | 1.0