This policy sets out how CIT manages personal information when performing its functions and activities, and establishes a framework to ensure that all personal information collected, held, used or disclosed by CIT is conducted in accordance with the requirements under the Information Privacy Act 2014 and any other applicable laws.
This policy covers all operations and functions of CIT including the management and disclosure of personal information collected and/or held by CIT of employees, students, contractors, sub‐contractors, service providers, customers, agents or any other parties.
CIT is committed to protecting the personal information of its future, current and past staff, students and other industry and business partners. The specific legal obligations of CIT when collecting and handling personal information are outlined in the Information Privacy Act 2014 and in particular in the Territory Privacy Principles found in Schedule 1 of that Act. This policy is made in accordance with Territory Privacy Principle 1.3 of the Information Privacy Act 2014.
The purposes for which CIT collects, holds, uses and discloses personal information
CIT collects, holds, uses and discloses personal information for the purposes of achieving its functions and activities.
CIT’s functions and activities that encompass privacy aspects include:
- conducting an educational institute to foster excellence in study in the field of technical and further education;
- providing courses and programs to advance and develop knowledge and skills in the fields of technical and further education, including administering Commonwealth funding;
- supporting and assisting in the development of industry and commerce;
- promoting the development of community awareness and appreciation of technical and further education;
- conferring awards to people who have completed courses;
- conferring honorary awards;
- consulting and cooperating with other entities in relation to the provision of technical and further education;
- handling freedom of information (FOI) applications and reviews;
- handling privacy complaints;
- communication with the public, stakeholders and the media including through websites and social media; and
- engaging and administering employees and contractors
CIT will not use personal information for a secondary purpose or disclose personal information to other government agencies, private sector organisations or anyone else without written consent (for reporting and legislative requirements this is obtained at enrolment), unless permitted by the Information Privacy Act 2014.
Kinds of personal information collected and held by CIT
CIT collects and holds information about future, current and past students and future, current and past employees. CIT will collect personal information where that information is reasonably necessary for, or directly related to, one or more of its functions or activities. CIT tries to only collect the minimum information that it needs.
The kinds of personal information collected and held may include:
- name, address and contact details (such as phone and email);
- information about identity (such as date of birth, country of birth, passport details, visa details, drivers licence, and educational qualifications);
- information about personal circumstances (such as age, gender, marital status and occupation);
- evidence of registration with the Working with Vulnerable People (Background Checking) Act 2011;
- information about financial affairs (such as payment details, Tax file number, bank account details, and information about business and financial interests);
- information about employment (such as applications for employment, work history, referee comments and remuneration);
- information about assistance provided under our assistance arrangements.
- CIT may be required to collect personal health information about students or staff. Personal health records are managed in accordance with the Health Records (Privacy and Access) Act 1997.
- information in human resources files including:
- employee, referee and emergency contact details
- applications for employment and supporting documents
- selection committee reports
- employment contracts, and other records relating to terms and conditions of employment
- details of financial and other personal interests supplied by employees and their immediate family members for the purpose of managing perceived or potential conflicts of interest
- proof of Australian citizenship
- certified copies of academic qualifications
- records relating to salary, employment benefits and leave
- medical certificates or health related information supplied by an employee or their
- medical practitioner
- taxation details
- CIT will not collect any personal information it does not need.
How CIT collects personal information
CIT will only collect information by lawful and fair means. The main way CIT collects personal information is when it is provided by the person, which can be collected by CIT in various ways, such as, through paper or online forms, in correspondence, email, over the telephone and by fax.
Personal information can also be collected from a third party. For example, if the person consents to their personal information being collected from someone other than themselves; where the collection of information is required or authorised by or under an Australian law, a court or tribunal; or if it is unreasonable or impracticable for CIT to obtain information from the person.
CIT will not collect sensitive information (such as sexual identity or criminal history information) unless the person consents to the collection of that information and the information is reasonably necessary and directly related to one or more of CIT’s functions and activities. For example, some CIT courses require police checks such as nursing; and the Children’s Services require background checks for registration under the Working with Vulnerable People (Background Checking) Act 2011. Also, all new staff are required to undertake a police check before commencing employment.
CIT may collect sensitive information without the person’s consent if it is required or authorised by or under an Australian law, or court or tribunal order. Territory Privacy Principle 3.4 also provides other basis on which collection of sensitive information is authorised, for example, if it is necessary to prevent a threat to the life, health or safety of one or more persons, or to public health or safety.
Generally when a person deals with CIT (for example when calling on the phone to make an enquiry, that person may remain anonymous or use a pseudonym (a made up name). However, in some situations CIT will require personal information to provide services or assistance.
Personal details and identification are required from all people seeking to enrol into a CIT course. Where CIT collects personal information, it will at or before that time, or as soon as it is practicable after, provide the person with the following information required under the Information Privacy Act 2014:
- How to contact CIT.
- The circumstances in which CIT collects personal information and when it is collected from someone else.
- The name of any law that requires CIT to collect that personal information.
- The purposes for which CIT collects the information and the circumstances in which the information is being or has been collected.
- The effect (if any) if CIT cannot collect the information.
- The details of any entities or types of entities to which CIT usually discloses the personal information of the kind collected.
- Whether CIT is likely to disclose the personal information to overseas recipients; and if so, the countries in which such recipients are likely to be located if it is practicable to specify those countries.
Certain information is collected when people visit the CIT website or social media sites. This is detailed in the website privacy statement available on the CIT website. No personal information is collected in this way unless it is voluntarily provided through participation in an activity that asks for information such as: sending an e-mail; participating in a survey; or undertaking a payment or other transaction.
How personal information is held and the purposes for which it is disclosed
CIT is required to take reasonable steps to ensure that personal information it holds is safe and secure. CIT strives to protect personal information from misuse, interference or loss and from unauthorised access, modification or disclosure in accordance with the Information Privacy Act 2014. The Territory Records Act 2002 establishes frameworks for the management of personal information if it is held within the files or data systems of CIT. CIT IT systems employ comprehensive protections to guard against unauthorised access. All paper-based files are stored safely and securely.
All sensitive information collected and held by CIT is stored securely in confidential files with restricted access. As a part of CIT’s general practice, personal information is only available to staff who need access to personal information to perform their roles.
Personal information will not be disclosed to a third party for a secondary purpose without first having obtained the person’s written consent, unless permitted by the Information Privacy Act 2014. Such permitted circumstances include the following circumstances:
- The person would reasonably expect CIT to use or disclose the information for another (secondary) purpose that is related to the original purpose for which the information was collected; or in the case of sensitive information is directly related to the primary purpose.
- The use or disclosure of information is required or authorised by or under an Australian law, or court or tribunal order. For example: to fulfil mandatory reporting requirements under the Children and Young People Act 2008 for people up to the age of 18.
- The use or disclosure is reasonably necessary for enforcement related activities (such as prevention, detection, investigation prosecution or punishment of criminal offences or breaches of the law, or the protection of public revenue) of the enforcement bodies (such as AFP, police, DPP, or other body responsible for administering or exercising a function under a relevant law).
- It is unreasonable or impracticable to obtain the person’s consent and CIT reasonably believes that use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
- CIT has reason to suspect unlawful activity, or misconduct of a serious nature that relates to its functions or activities and reasonably believes that use or disclosure of the personal information is necessary to take appropriate action.
- CIT believes that the use or disclosure is reasonably necessary to help locate a person who has been reported as missing.
- Personal information obtained by CIT that does not become a territory record under the Territory Records Act 2002 will be securely destroyed as soon as practical.
Disclosure of personal information overseas
CIT does not routinely disclose personal information overseas. Where CIT discloses personal information to an overseas recipient, under Territory Privacy Principle 8.1 CIT is required to take reasonable steps to ensure that the overseas recipient does not breach the Territory Privacy Principles. Territory Privacy Principle 8.2 provides for circumstances where CIT is not required to follow steps under Territory Privacy Principle 8.1, for example, where disclosure is required or authorised by or under an international agreement relating to information sharing, and Australia is a party to that agreement; or where CIT believes that the disclosure is reasonably necessary for enforcement of related activities by an enforcement body and the overseas recipient’s functions are similar to those of an enforcement body.
Access to and correction of personal information
CIT staff and students may update or amend their personal information online at any time. CIT Student Services can assist with this if required. A person has the right to request access to their personal information held by CIT, and to request that their personal information be corrected. This is provided for under the Information Privacy Act 2014 and the Freedom of Information Act 2016.
Access to personal information will be provided if it is reasonable and practicable to do so. However, access may not be given where CIT is required or authorised by law to refuse access, such as, under an exception in the Freedom of Information Act 2016.
CIT will not charge any fees for making the request or providing access to personal information or correcting personal information. CIT can refuse to correct the personal information, but it will take reasonable steps to correct the information to ensure that, having regard to the purposes for which it is held, it is accurate, up-to-date, complete, relevant and not misleading. CIT will respond to a request for access to, or correction of, personal information within 30 days, and if the request is refused it will give written notice of its reasons for refusal, and state what further steps the person can take after the refusal.
Storage, use, disclosure, security and disposal of tax file number information
CIT must only use or disclose tax file number (TFN) information provided to CIT for the purposes authorised under taxation law; personal assistance law or superannuation law or for the purpose of giving an individual information about the tax file number CIT has about that individual. CIT must take all reasonable steps to protect tax file number information from misuse or loss, and from unauthorised access, use, modification or disclosure and to destroy or de-identify TFN information once it is no longer required for a lawful purpose or function. CIT is required, under the notifiable data breach scheme to notify any individuals to be at serious harm by a data breach of their tax file number information. An eligible data breach arises when the following three criteria are satisfied:
- there is unauthorised access to or unauthorised disclosure of personal information (tax file number information ), that CIT holds;
- this is likely to result in serious harm to one or more individuals, and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
(Notification data breach requirements are detailed at https://www.oaic.gov.au/privacy/notifiable-data-breaches/report-a-data-breach/)
CIT privacy complaints
Complaints about how CIT has managed personal information will be dealt with through the CIT Resolving Workplace Issues Policy (for staff) or the CIT Complaints Policy – Student and Community Members. Complaints should be made in writing to the Privacy Contact Officer via the contact details below. CIT is also able to assist with the lodgement of a complaint if required. CIT will promptly acknowledge receipt of all complaints and seek to satisfactorily resolve each matter within in a timely way.
A review by a more senior CIT officer may be requested if the complainant is not satisfied with the outcome or a formal privacy complaint can be made to the Information Privacy Commissioner under section 34 of the Information Privacy Act 2014. Complaints about possible interference with privacy should be made to CIT in the first instance. If they are not resolved by CIT, privacy complaints may be taken to the Information Privacy Commissioner in accordance with section 34 and 35 of the Information Privacy Act 2014 if it is about a breach of the Territory Privacy Principles.
The role of the Information Privacy Commissioner is currently performed by the Australian Information Commissioner, which is an independent body that will decide whether to deal with a complaint and can consider whether there has been an interference with privacy. If a complaint is upheld by the Commissioner it may be possible to seek a remedy in the Magistrates Court
(More information about making a complaint to the Office of the Australian Information Commissioner can be found on its website www.oaic.gov.au or by calling 1300 363 992).
All inquiries regarding CIT privacy should be made to the Privacy Contact Officer by:
Phone: 02 6207 7051
Post: CIT Privacy Contact Officer
Audit, Risk and Corporate Governance, CIT Reid
GPO BOX 826 Canberra ACT 2601
- Canberra Institute of Technology Act 1987 (ACT)
- Education Services for Overseas Student Act 2000 (Cth)
- Freedom of Information Act 2016 (ACT)
- Health Records (Privacy and Access) Act 1997 (ACT)
- Higher Education Support Act 2003 (Cth)
- Information Privacy Act 2014 (ACT)
- National Vocational Education and Training Regulator Act 2011 (Cth)
- Public Sector Management Act 1994 (ACT)
- Safety, Rehabilitation and Compensation Act 1988 (Cth)
- Student Identifiers Act 2014 (Cth)
- Territory Records Act 2002 (ACT)
- Working with Vulnerable People (Background Checking) Act 2011 (ACT)
- Privacy Act 1998 (Cth)
- Territory Privacy Principles (TPPs 2014)
Personal Information is defined in section 8 of the Information Privacy Act 2014 and essentially means information or an opinion (true or not) about an identified individual, or an individual who is reasonably identifiable. The information or opinion may be recorded in a material form or not. Personal Information does not include personal health information.
Personal health information is defined in section 8 of the Information Privacy Act 2014 and has the same meaning as in the Health Records (Privacy and Access) Act 1997. It includes any personal information, whether or not recorded in a health record relating to the health, an illness or a disability of the consumer. Personal health information is managed in accordance with the Health Records (Privacy and Access) Act 1997.
Sensitive Information is defined in section 14 of the Information Privacy Act 2014 and means personal information that is about a person’s racial or ethnic origin; political opinions; religious beliefs or affiliations; philosophical beliefs; membership of a political association, professional or trade association, or trade union; sexual orientation or practices; or criminal record. Sensitive information also includes genetic information and certain biometric information and biometric templates. Sensitive information is a form of personal information.
Academic information refers to information about a student’s academic progress or academic status (assessment results, subject grades and qualification eligibility) and attendance. Academic information is a form of personal information.
Territory Privacy Principles are the 13 Territory Privacy Principles (TPPs) contained in schedule 1 of the Information Privacy Act 2014 that regulate the management of personal information by ACT public sector agencies. They set out standards, rights and obligations for the handling, holding, accessing and correction of personal information (including sensitive information).
6. Policy Contact Officer
For more information about this policy contact the CIT Manager Corporate Governance.
Contact CIT Student Services on (02) 6207 3188 or email firstname.lastname@example.org.
Policy No: 2017/457
Approved: January 2019
Next Review: January 2023
Category: Student Policies, Staff Policies, Corporate Policies
Policy Owner: Executive Director, Corporate Services
CIT Definition of Terms
Client Service Charter
Student Code of Conduct
|POLICIES LAST UPDATED|
2023-04-01: Asset Management Policy
2023-03-08: Admission and Enrolment Policy
2022-06-01: Corporate Credit Card Policy
2022-12-08: Revenue and Receipting Policy
2022-11-29: Higher Education - Free Intellectual Enquiry Policy