1.0 Policy Statement
BKI recognises the value information holds and respects that people are free to choose to whom and how they share personal information about themselves. Equally, BKI recognises the public interest that is served in facilitating transparency in government decision making and how public funds are expended, subject to privacy considerations.
BKI is committed to complying with the Privacy and Data Protection Act 2014 (Vic), the Health Records Act 2001 (Vic) and the Freedom of Information Act 1982 (FOI Act). This involves managing student, staff, contractor and industry information in accordance with these laws and associated Information Privacy Principles, mandated by the Office of the Victorian Information Commissioner (OVIC).
2.0 Purpose
This policy facilitates Bendigo Kangan Institute’s (BKI) compliance with Privacy Laws (the Privacy and Data Protection Act 2014 (Vic) and the Privacy Act 1988 (Cth)) and the Freedom of Information Act 1982 (Vic) (FOI Act).
3.0 Scope
This policy sets out how BKI handles personal information and considers requests to access information.
It applies to current students, parents, guardians, care providers, prospective and current staff members, volunteers and contractors and relates to collecting, using, storing, accessing or otherwise managing security of personal information.
This policy provides a:
- framework to guide how BKI collects personal information, protects privacy, prevents and adequately responds to privacy breaches, and
- mechanism by which people can request access to information held by BKI.
4.0 References
Privacy and Data Protection Act 2014 (Vic)
Privacy Act 1988 (Cth)
Health Records Act 2001 (Vic)
Freedom of Information Act 1982 (Vic)
Public Administration Act 2004 (Vic), Code of Conduct of Victorian Public Sector Employees.
BKI Values (Integrity)
BKI Supplier Code of Conduct
Freedom of Information (Access Charges) Regulations 2014 (Vic)
Freedom of Information Procedure (internal)
5.0 Staff expectations
In conducting their official duties, BKI employees and staff are expected to:
- collect personal information from people only for a legitimate purpose related to BKI’s functions;
- use personal information only for the purpose for which it was collected;
- not misuse personal information acquired in the course of their duties for personal gain;
- not disclose personal information to a third party unless the person to whom the information relates consents or unless authorised by law.
6.0 FOI and Privacy Complaints:
Our Part II statement tells you about the type of information BKI holds and how you can request access to it without making a formal FOI request. That statement also details the procedural requirements associated with making an FOI request.
If you wish to make a formal FOI request, you can do this by contacting us at informaton@bendigokangan.edu.au. You can also make an enquiry or complaint about a decision made or action taken by BKI in relation to FOI and privacy matters using this email address.
We aim to consider any enquiries and respond to any complaint within 30 days.
When we look at a complaint, we will take into account the circumstances, our statutory functions and the legislative frameworks with which we are required to comply. If you believe we have not handled a matter appropriately or you wish to appeal the outcome of an FOI or Privacy decision, you may contact OVIC:
Office of the Victorian Information Commissioner
PO Box 24274
Melbourne VIC 3001
enquiries@ovic.vic.gov.au.
6.0 Information Privacy Principles
The Offices of the Victorian and Australian Information Commissioners govern compliance with Privacy Laws. Both mandate similar Privacy Principles that BKI applies, as follows:
Collection of information
- We collect personal information (including sensitive information) about individuals, including employees, students, independent contractors and various representatives of the customers and suppliers we deal with.
- We only collect personal information that is relevant to our dealings with the person to whom that personal information relates.
- Wherever reasonably possible, we collect personal information from the person to whom it relates. In certain instances, we receive information about people from authorised third parties and resources.
- In relation to our employees and students we may collect name and home contact details, including addresses, phone numbers and email addresses. We may also collect details of next of kin for emergency contact purposes.
- We may be required to collect some sensitive information in relation to students for the purposes of providing services as related to our functions under the Education and Training Reform Act 2006 (Vic).
- For customers' and suppliers' representatives, we typically collect name, telephone and email contact details.
- We also collect cookies and IP addresses.
Unique identifiers:
- BKI often collects unique identifiers such as Centrelink numbers, Tax File Numbers or Health Care Card Numbers and Unique Student Identifier (USI). This information is managed in accordance with the Privacy Act 1988 (Cth). When this information is requested, the purposes for collecting this information will be explained.
- We will not use these unique identifiers for any other purposes than those for which they were collected.
- If we assign a unique identifier to you for our internal use that identifier will not be shared with any other body or person without your consent.
Third party collection
Some of the services we provide include the delivery of educational services to employers and/or in collaboration with other training organisations. Under these circumstances, we are frequently provided with personal information which has been collected by an employer or external training provider. In all situations where we obtain personal information from a third party, we are careful to confirm that the:
- information is accurate and was acquired in accordance with the Privacy and Data Protection Act 2014 (Vic)
- third party is permitted to provide the information to us, and
- third party is authorised to use the information for the purposes for which they are supplying it.
Anonymity
So far as is reasonably possible we are happy to deal with you anonymously or under a pseudonym, if you prefer. Generally, we are happy to provide information about our services without requiring you to provide contact details.
If you do deal with us under a pseudonym, we would prefer to know, so we avoid collecting inaccurate information. Similarly, if you have provided us with your contact details, and those details subsequently change, we would appreciate your informing us so that we can ensure our records are kept up to date.
Use of information
BKI uses the personal information it collects for the public purposes of its statutory functions. In some cases, BKI stores information in Cloud-based software, hosted by third-party providers.
BKI uses information to:
- (a) communicate with and promote its services to students and potential students;
- (b) enable BKI to provide services to the individuals to whom the information relates;
- (c) assess applications (both for enrolment and for employment) where the information relates to an applicant; and
- (d) deal with its customers and suppliers in relation to the provision of its services.
Where BKI has been engaged by an employer to provide educational services to you, or is delivering a course in which you are enrolled in collaboration with another training provider, BKI may share any personal information it obtains from you with your employer or the other training provider to the extent reasonably necessary to deliver its services.
As a training services provider, BKI may be required by the Victorian State Government to collect personal information, including sensitive information, relating to students on behalf of the State Government. In such cases, the collection of information will be identified as being for the purposes of the State Government and BKI will collect that information as agent of the State Government. Bendigo Kangan will not retain or use such information for its own purposes.
All BKI employees, contractors and volunteers are only to use personal information insofar as it relates to their official duties and not for personal interest.
Disclosure
BKI will not divulge any personal or health information to a third party for any reason other than the primary purpose for which it was collected, except where it is required or authorised. Information may be disclosed to the Commonwealth and tuition assurance scheme operators in accordance with the law.
We may also, in carrying out that primary purpose, engage third parties to act on our behalf. For example, we may engage information technology suppliers, marketing and advertising agencies, mailing and logistics providers and professional advisors. When we do so, we take steps to ensure any contracts governing these arrangements pass on obligations to third party organisations to require that they adopt the same Privacy Principles BKI does.
BKI will not disclose any personal information it collects to any person located outside Australia unless:
- (a) we have obtained the consent of the person to whom the information relates to that disclosure;
- (b) the recipient of the information is subject to a law or binding scheme, that provides at least a substantially similar level of protection in respect of the use of personal information to that available under Australian law and the person to whom the information relates is directly able to enforce their rights in respect of that protection; or
- (c) the disclosure is otherwise in compliance with our obligations under the law.
If BKI intends to disclose any personal information it collects from you in any other manner than those contemplated above, we will inform you at the time the information is collected.
Data Quality and Security
We take reasonable steps to ensure the information that is collected is complete, accurate and current. We also take steps to ensure that information is protected from misuse, unauthorised access, inappropriate modification or disclosure. All information not required will be destroyed in accordance with Privacy Laws or as required by other legislation or as required under guidance from the Public Records Office.
Access and Correction
If you wish to obtain a copy of any personal information we hold which relates to you, request that we correct that information, request that we delete that information or make a complaint relating to our collection or use of your personal information, please contact Bendigo Kangan Institute's Privacy Officer at privacy@bendigokangan.edu.au, together with relevant identifying information, such as your name, date of birth, applicable residential address, relevant unique identifiers (e.g. student number) and any other relevant information. Where you request the correction of any information, we aim to consider such requests within 5 days of receiving your written request to do so.
Potential Data Breach
A data breach occurs when personal information that is held by an organisation is accessed or disclosed in a way that it shouldn’t have been (e.g. where it is lost, stolen, or given to the wrong person).
Examples of data breaches include:
- When an employee takes paper records, an unencrypted USB stick or laptop out of the office and the information is lost or stolen.
- When an organisation mistakenly provides personal information to the wrong person.
- When an organisation’s database is illegally accessed by staff members or by individuals outside of the organisation.
In the event of a suspected data breach, BKI has a ‘Data Breach Response Plan’ procedure, which is informed by OVIC’s four recommended steps for responding to a data breach (or suspected breach).
In compliance with the Notifiable Data Breaches scheme under the Privacy Laws, BKI will report certain data breaches to OVIC and to the Office of the Australian Information Commissioner.
7.0 Freedom of Information Requests
Under the Freedom of Information Act 1982 (Vic) (the FOI Act), you can request access to documents held by BKI about its functions and activities.
Where your request is voluminous or extends beyond your own personal information, you may be required to submit your request under the Freedom of Information Act.
Fees
Personal information requests that relate to the person requesting the information generally do not require an FOI application.
BKI may impose an application fee and access charges associated with processing an FOI request and providing access to documents, in accordance with section 22 of the Act and the Freedom of Information (Access Charges) Regulations 2014 (Vic) (Regulations). The fees are calculated using a ‘fee unit’ and may be multiple units.
The value of a fee unit is set by the Government and increases with indexation each year. Refer to the website of the Department of Treasury and Finance for the current value of a fee unit. The application fee is 2 fee units and the access charges vary. In determining access fees, BKI takes into consideration the volume of information, age and accessibility of information, and the purpose of the request prior to setting the fee.
8.0 Definitions
| Term | Definition |
|---|---|
| Personal information | Information about or related to an identifiable individual, while "sensitive information" is personal information about the relevant individual which is subject to additional controls. It includes details such as ethnic origin, political and religious affiliations, sexual preferences, criminal record and union membership. |
| Sensitive information | Sensitive information is also considered personal information; it includes racial or ethnic origin, political, philosophical and religious beliefs and affiliations, sexual preferences, criminal record and membership of professional or trade associations, and union membership. |
| Health information | Health information is any form of data that relates to a person's physical or mental health, welfare or wellbeing and is governed by the Health Complaints Commissioner. |
| Unique Identifiers | An identifier (usually a number) assigned by an organisation to an individual uniquely to identify that individual for the purposes of the operations of the organisation, but does not include an identifier that consists only of the individual’s name and does not include an identifier within the meaning of the Health Records Act 2001 (Vic). |
9.0 Version Control and Change History
| Ver. | Approved By | Approval Date | Issue Date | Description of Change | Next Scheduled Review Date | Document Owner |
|---|---|---|---|---|---|---|
| 1.0 | Board | 27/10/2014 | 04/12/2014 | The content of this policy originated from Bendigo TAFE BT Privacy Policy, POL 1.5, version 5 | 31/12/2015 | Chief Business Performance and Assurance Officer |
| 2.0 | N/A | | 02/03/2015 | Editorial change: Removal of logos from template | 31/12/2015 | Chief Business Performance and Assurance Officer |
| 3.0 | CEO | 01/12/2015 | 12/12/2015 | Major review | 31/12/2017 | Chief Operations Officer |
| 3.1 | CEO | 15/01/2018 | 15/01/2018 | No change | 15/01/2019 | Chief Operations Officer |
| 3.2 | LRPS | 12/12/2018 | 12/12/2018 | Update re privacy principles and disclosures | 12/12/2019 | Chief Operations Officer |
| 3.3 | PPEC | 24/02/2021 | 19/03/2021 | BKI FOI and Privacy policies merged, updated and revised. Minor amendment to include definition of sensitive information and staff expectations | 20/02/2022 | Chief Governance and Quality Officer |
10.0 BKI Policy and Procedure Portal / BT BMS Requirements
| Category | Key Words |
|---|---|
| Legal | Privacy, personal information |