Policy
The protection of privacy and the confidentiality of personal information is important to the Remote Vocational Training Scheme Limited (‘RVTS’).
Information that RVTS does collect on individual registrars and supervisors, employees and contacts is kept confidential and will only be accessed by authorised persons within the organisation and authorised representatives unless advised otherwise.
RVTS also ensures that any agents, contractors and/or third parties engaged to provide services, are bound by the terms of this Privacy Policy to protect all personal information collected.
RVTS is bound by the Privacy Act 1988 (Cwth) (‘the Privacy Act’) and the Australian Privacy Principles contained within the Privacy Act, which regulate how organisations may collect, store, use and disclose personal information, and how individuals may access and correct information held about them.
RVTS will be guided by the Office of the Australian Information Commissioner (OAIC) in management and protection of Data collected.
Any individual with concerns about privacy, is encouraged to contact the organisation.
‘Personal information‘ means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not, and
- whether the information or opinion is recorded in a material form or not.
Purpose
The purpose of this Privacy Policy is to clearly outline the types of information that RVTS may collect, how RVTS stores and manages that information and how individuals can access their personal information or make a complaint about our handling of the information.
RVTS recognises the essential right of individuals to have their information administered in ways which they would reasonably expect – protected on one hand and made accessible to them on the other.
Types of information that we collect
RVTS will only collect information that is reasonably necessary for or directly related to undertaking our business, trainee membership activities and functions.
1. Personal information
The types of personal information RVTS may ask for can include, but is not limited to, individual’s name, address, date of birth, contact details, qualifications and medical registration numbers. RVTS may also ask for further information, such as opinions, that is necessary for the provision of other services such as topics of interest and professional development activities attended or carried out.
RVTS will not collect, use or disclose information about individuals unless it is reasonably necessary to provide them with a product or service, unless legally required or permitted to collect, use or disclose that information.
2. Sensitive information
RVTS will always explain the purpose for collecting sensitive information.
‘Sensitive information’ includes any information about a person’s racial or ethnic origin, political opinion, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record or health information.
Where nominated by the individual RVTS will collect your nomination of Aboriginal and /or Torres Strait Islander ethnicity to support the development of appropriate services and cultural responsiveness for the organisation. Under the terms of the Australian Government Department of Health contract RVTS reports such information on a quarterly basis. RVTS may report this on a de-identified basis to other entities concerned with indigenous medicine and services.
Anonymity
Individuals may have the option of not identifying themselves when dealing with RVTS when it is lawful and practicable to do so, however, on some occasions the organisation will not be able to do this, and notification will be provided. Individuals may be given the option of not identifying themselves when completing evaluation forms or opinion surveys.
Collection of information
In most cases, RVTS will only collect information from individuals directly, this can include written applications, in person at events or during contact via telephone or electronic means such as the Internet or email. Occasionally, RVTS may collect personal information from other parties when required, such as to register as a trainee, process applications or other such claim. If RVTS does collect details from another party, whenever possible, the organisation will make individuals aware of why this has been done.
1. Openness
RVTS will ensure individuals are aware of the RVTS Privacy Policy and its purposes and make this information freely available in relevant publications.
2. Information collected online
It is the usual practice of the RVTS to collect information about visitors to its online resources. Information that is collected is limited and is used to identify online behavioural patterns. This information does not identify individuals personally.
RVTS online resources include, but are not limited to, RVTS Online, websites and mobile applications ‘apps’.
3. Privacy Statement
RVTS will display a Privacy Statement on data collection points (forms) and online media published and owned by the entity, including:
- RVTS Website (refer RVTS Online Privacy Policy)
- RVTS Online
- RVTS App
- RVTS Registrar Enrolment Form – electronic
- RVTS Registrar Re-Enrolment Form – electronic
The RVTS Online Privacy Statement details further information with regards to monitoring traffic patterns.
Consent
RVTS will only collect and disclose information after obtaining your consent, or where otherwise permitted by law. Registrars will be asked to complete a Privacy Consent Form.
Use of photographs of any person/s external to the organisation will require prior consent before use on any RVTS material or media. Such consent will be by way of a completed Photo Consent Form.
Implied consent is taken when RVTS can reasonably conclude by some action taken by an individual, or if the individual decides to take no action, for example when a registrar participates in a conference call and continues to speak after hearing that calls maybe recorded or when an individual provides RVTS with personal information that has not specifically been requested.
Data Storage, Retention and Security
RVTS will take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access and modification or disclosure.
Data is stored in both electronic IT systems as well as paper files. RVTS uses secure third-party data storage facilities and services to manage this data and maintains strict protocols for the storage of information and ensures that this will only be accessed by people that have the authority to do so.
RVTS maintains physical security (such as locks and security systems) and electronic security (such as firewalls and access controls for computer systems).
RVTS will destroy or permanently de-identify the personal information if it is no longer needed: for the purposes for which we collected it; or for the purposes of meeting legal and regulatory requirements, as documented within the RVTS Records Management Policy. All information stored in electronic form that is no longer required will be deleted from RVTS systems and/ or those of third party data storage.
How information is used and Disclosure of information to third parties
RVTS will only use the personal information for the primary purpose for which it was collected in providing services, benefits and products to stakeholders.
In order to do this RVTS may need to disclose some of personal information to external service providers and other organisations. This may include, but is not limited to: supervisors, educators and education contractors, government agencies, colleges or organisations that RVTS have an alliance or arrangement with. For example, personal information is disclosed by RVTS to meet its responsibilities for the discharge of its accountability, administrative, reporting, management, personnel and financial functions, and as required by other authorised entities or departments such as the Department of Health.
RVTS may also use or disclose personal information for other purposes where it is reasonably expected to do so and where the purpose is related to the purpose of collection, or where otherwise permitted by law.
The use of information for any other purpose must be with the individual’s consent. For example: the RVTS Registrar Enrolment and Re-Enrolment process will include measures to seek express permission from individuals for their personal information to be released. Similarly, RVTS external providers of services that where you have engaged us to act as your agent, such as booking flights, hotels tours etc.
We take such steps as are reasonable to ensure that these organisations and/or parties are aware of the provisions of this Privacy Policy in relation to your personal information.
Access to personal information
RVTS will ensure individuals have a right to seek access to information held about them and to correct any information that is inaccurate, incomplete, misleading or not up-to-date.
Upon request an individual will be provided a summary of any personal information held about them in accordance with our obligations under the Privacy Act.
Any requests for information will be processed within a reasonable timeframe (usually within 10 business days). If the retrieval of information involves accessing archived information and will take longer than normal, RVTS will endeavour to provide an estimated timeframe.
Under some circumstances, RVTS may refuse access to personal information where denying access is required or authorised by law, where the request for access is regarded as frivolous or vexatious, or where information relates to anticipated or legal proceedings. Where an individual is denied access to their own personal information, RVTS will explain why.
Currency of information
RVTS will take reasonable steps to ensure that personal information is accurate and up to date and will make any correction required as soon as it comes to light. Individuals have the right to ask RVTS to correct their information.
If an individual learns that their information needs to be updated, they should contact RVTS as soon as possible to enable the request to be processed. Should RVTS refuse to correct information, an explanation will be given.
Management of Incidence of Data Breach
RVTS will manage the incidence of any data breach according to the RVTS Data Breach Management procedure which is based on guidelines set out by the Office of Australian Information Commissioner.
It is acknowledged that Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.
As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, undertaking an assessment of the risks involved, and using that risk assessment as the basis for deciding what actions to take in the circumstances.
There are four key steps to consider when responding to a breach or suspected breach*:
- Step 1: Contain the breach to prevent further compromise of personal information and do a preliminary assessment
- Step 2: Assess – evaluate the risks associated with the breach and if possible, take action to remediate any risk of harm
- Step 3: Notification – notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB** scheme, it may be mandatory for the entity to notify.
- Step 4: Review and Prevention – take action to prevent future breaches.
*OAIC Data breach preparation and response (February 2018): A guide to managing data breaches in accordance with the Privacy Act 1988 (Cwth), Office of the Australian Information Commissioner
**Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Privacy Act) NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’. Not all data breaches are eligible. For example, if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Commissioner.
Communication of Changes to this policy
RVTS constantly reviews its policies, statements and procedures to keep up to date with relevant legislation. As a result, RVTS may update and change this Privacy Policy as directed by law. Any changes will be updated on the RVTS website. Any concern or query about this process should be directed to the Operations Manager [email protected].
Complaints
Should any individual believe that RVTS has not fulfilled its obligations under the Privacy Act or they do not agree with a decision made by the organisation in relation to the access or update of their personal information, they should lodge a complaint in writing. RVTS will resolve any privacy complaints as quickly as possible in accordance with the RVTS Complaints Policy. RVTS may also exercise its right to deny access to particular information in certain circumstances, such as when legal proceedings may have commenced.
Responsibility
The CEO is responsible for adopting this Policy.
All RVTS personnel and contractors are responsible for the implementation of this policy.
The Operations Manager is responsible for monitoring changes in Privacy legislation and for reviewing this policy as and when the need arises.
Resources
Australian Privacy Principles contained in schedule 1 of The Privacy Amendment (Enhancing Privacy Protection) Act 2012 which amends the Privacy Act 1988 (Cwth).
Data breach preparation and response (February 2018): A guide to managing data breaches in accordance with the Privacy Act 1988 (Cwth), Office of the Australian Information Commissioner found at: www.oaic.gov.au/resources/agencies-and-organisations/guides/data-breach-preparation-and-response.pdf
Related documents
- RVTS Records Management Policy
- RVTS Online Privacy Policy
- RVTS Complaints Policy
- RVTS Privacy Consent form
- RVTS Photo Consent form
- RVTS controlled procedure: Data Breach Management