Privacy Policy and Procedure EN-ER-HS-IM-Q-RTO
ISMS Classification INTERNAL
Approved Date: June 29, 2021.
Version: 2.0
Approved by: DR
Pg. 1 of 7
Restricted Derivative Copyright: Star International
Policy.
STAR International is committed to complying with its obligation under the Privacy Act
1988, and the associated Australian Privacy Principles (APPs), specifically in the way it
collects, uses, secures, and discloses personal information. STAR International is committed
to safeguarding any confidential information obtained by the RTO.
STAR International will ensure:
It maintains and provides a current Privacy Policy and Procedure.
Information gathered for the express purpose of training and assessment matters
will not be disclosed to a third-party unless prior written consent is provided by
the individual concerned, except that required by law.
Information gathered for the express purpose of employment will not be
disclosed to a third-party unless prior written consent is provided by the
individual concerned, except that required by law.
The secure storage of all records.
The confidentiality of all information maintained on records.
Respond to data breaches in accordance with legislative requirements.
Definitions.
Personal Information is defined in the Privacy Act 1988 to mean “information or an opinion
about an identified individual, or an individual who is reasonably identifiable:
whether the information or opinion is true or not; and
whether the information or opinion is recorded in a material form or not.”
Sensitive Personal Information is defined in the Privacy Act 1988 to mean “information or
an opinion about an individual’s” that is also personal information, such as:
racial or ethnic origin; or
political opinions; or
membership of a political association; or
religious beliefs or affiliations; or
philosophical beliefs; or
membership of a professional or trade association; or
membership of a trade union; or
sexual orientation or practices; or
criminal record.
Procedure.
STAR International will:
Ensure that personal information is managed in an open and transparent way.
Take reasonable steps to implement practices and procedures that will
facilitate dealing with enquiries or complaints from individuals regarding
compliance with the Australian Privacy Principles (APPs).
Ensure that it maintains an up-to-date policy and procedure about the
management of personal information.
Ensure that the Privacy Policy and Procedure contains the following information:
o The kind of information that is collected and held.
o How the information is collected and held.
o Use of the Privacy Disclosure form.
o Use of the Privacy Photo or Image Disclosure Form.
o The purposes for which information is collected, held, used and disclosed.
o How an individual may access their personal information that is held by
STAR International, and seek correction of such information, as necessary.
o How the individual may make a complaint about a breach of the APPs
and how STAR International will deal with such a complaint.
o Whether STAR International is likely to disclose personal information to
overseas recipients, and if so the countries in which such are likely to be
located.
o How the company will respond to Data Breaches.
Provide the Privacy Policy and Procedure free of charge and in such form as
appropriate, and as is reasonable.
Administration staff are required to utilise and follow the Privacy Policy and Procedure
Checklist to ensure the required and detailed privacy process is followed in: -
Allowing individuals to access their own training records,
Individuals allowing access to their records by a third-party
Ensuring a controlled and organised legislative response to data breaches.
STAR International will:
Respect that individuals may not wish to identify themselves when making
enquiries on STAR International products and services.
Require full personal details as required by law and for identification purposes
from individuals for employment, training, or other purposes.
Reasonable steps will be taken at, or before the time of collection, to ensure that
individuals are aware of:
Who we are and how to contact us.
How to gain access to their own information.
The purpose for which the information is being collected.
Any organisation to which we would normally disclose information of that kind.
Any law that requires the information to be collected.
The main consequences for the individual if all or part of the information is not
provided.
The kind of information that is collected and held.
STAR International will not collect personal information from individuals unless that
information is necessary. We are required by law to collect, hold, use and supply personal
information, in accordance with Employment and National VET Provider Collection Data
Provision Requirements.
How the information is collected and held.
STAR International collects information from individuals in the following ways:
from on-line registration, application for enrolment, request for certain services or
products, or otherwise conducting business with us.
Information may be collected from enrolment forms, certified documents,
telephone calls, faxes, emails, letters sent by individuals.
Information may be collected from third parties, such as other training providers,
regarding confirmation of training and ongoing professional development that an
individual has attended, as authorised by the individual.
Should STAR International collect information about an individual from a third-party, we will
take reasonable steps to ensure that the individual is, or has been, made aware of the
matters listed above, except to the extent that making the individual aware of the matters
would pose a serious threat to the life or health of any individual.
STAR International will not use or disclose personal or sensitive information for any purpose
other than for the purpose it was collected, unless the relevant person has provided
written consent to use or disclose that information in circumstances that are different to
those for which it was collected.
The circumstances where an exception may occur are:
Where the use or disclosure of this information is required or authorised by or under
an Australian law or a court/tribunal order.
The individual would reasonably expect STAR International to use or disclose the
information for the secondary purpose.
A permitted health situation exists in relation to the use or disclosure of the
information by STAR International.
A permitted general situation exists in relation to the use or disclosure of the
information by STAR International.
STAR International reasonably believes that the use or disclosure of the information
is reasonably necessary for one or more enforcement related activities conducted
by, or on behalf of, an enforcement body.
Privacy Disclosure form.
This form is used by the company to obtain consent from individuals to release private
information to a third party. This relates to the following policy statements: -
Information gathered for the express purpose of training and assessment matters
will not be disclosed to a third-party unless prior written consent is provided by
the individual concerned, except that required by law.
Information gathered for the express purpose of employment will not be
disclosed to a third-party unless prior written consent is provided by the
individual concerned, except that required by law.
Privacy Photo or Image Disclosure Form.
This form is used by the company to obtain consent from individuals to use and reproduce
personal images for company marketing purposes in all forms of available media
concepts.
Copyrights will become and remain the property of the company and no compensation
will be paid for use of the photo or image.
Withdrawal of consent can only take effect by providing to Star International, the written
decision to withdraw this permission. The individual withdrawing this consent will agree and
understand, that withdrawal of permission will not impact on the use of images already
marketed or published by STAR International, and that the withdrawal will not be
immediate although it will be effected as soon as is reasonable and possible for the
circumstances.
The purposes for which information is collected, held, used, and disclosed.
STAR International collects your personal information to:
Process and manage employment requirements for taxation, superannuation, and
other needs.
Process training applications.
Manage training enrolment.
Record and maintain personal details to permit provision of services and/or training.
Administering training programs as required by the standards.
Record and maintain details of ongoing training and assessment as required by
standards.
Provide details regarding individual services, benefits, and training opportunities.
Notification of upcoming events and other opportunities.
Gain feedback on services provided for continual improvement purposes.
Allow communication with individuals about any of the above listed items.
Report to relevant authorities as required by law.
STAR International:
May use personal information (specifically name and relevant address details,
photos, or images) and information about preferences for direct marketing to let
individuals know about our services and benefits, where we have consent.
Provides an opt-out and/or unsubscribe method that is easily accessible for
individuals to request not to receive direct marketing communications.
STAR International:
Is required by law (Student Identifier Act) to collect, maintain, and report to
relevant Government agencies the individual’s Unique Student Identifier (USI)
number in accordance with the National VET Provider Collection Data Provision
Requirements.
Will not disclose the Unique Student Identifier (USI) number for any other purpose,
including on any Certification documents the individual receives.
Must not adopt the Unique Student Identifier (USI) number as its own identifier of the
individual.
How an individual may access their personal information that is held by STAR International,
and seek correction of such information, as necessary
STAR International provides all individuals with access to their own personal records
provided the individual advises in writing that they wish to view their personal file. Staff
receiving a request for access to an individual’s file will follow the Privacy Policy and
Procedure Checklist.
In some circumstances, STAR International may not permit individuals access to their
personal information. If this is the case, STAR International will provide full details of the
legal reasons for this decision. The refusal may be because:
Giving access to the information would pose a serious threat to the life, health, or
safety of the individual, or to public health or public safety; or
Giving access would have an unreasonable impact on the privacy of other
individuals; or
The request for access is frivolous or vexatious; or
The information relates to existing or anticipated legal proceedings between STAR
International and the individual, and would not be accessible by the process of
discovery in those proceedings; or
Giving access would reveal the intentions of STAR International in relation to
negotiations with the individual in such a way as to prejudice those negotiations; or
Giving access would be unlawful; or
Denying access is required or authorised by or under an Australian law or a
court/tribunal order; or
The following points apply:
o STAR International has reason to suspect that unlawful activity, or
misconduct of a serious nature, that relates to STAR International
functions or activities has been, is being or may be engaged in.
o Giving access would be likely to prejudice the taking of appropriate
action in relation to the matters; or
Giving access would be likely to prejudice one or more enforcement related activities
conducted by, or on behalf of, an enforcement body; or
Giving access would reveal evaluative information generated within STAR
International about a commercially sensitive decision-making process.
When dealing with requests for access to personal information, STAR International will:
Respond to requests for access within 30 days of the request, if from an individual, and
within a reasonable time, if the request is from an organisation; and
Provide access to the information in the manner requested if it is reasonable and
practicable to do so.
STAR International does not charge a fee for access to personal information. The
exception is re-prints of certification documentation previously supplied.
How the individual may make a complaint about a breach of the APPs and how STAR
International will deal with such a complaint.
Whether STAR International is likely to disclose personal information to overseas recipients,
and if so the countries in which such are likely to be located.
STAR International does not disclose personal information to overseas recipients unless prior
written approval is received from the individual to whom the personal information relates.
How the company will respond to Data Breaches.
STAR International will take steps, as are reasonable in the circumstances to:
Protect the information from misuse, interference, and loss as well as unauthorised
access, modification, or disclosure.
Destroy the information or to ensure that the information is de-identified.
The passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 established
the Notifiable Data Breaches (NDB) scheme in Australia. The NDB scheme applies to all
agencies and organisations with existing personal information security obligations under
the Australian Privacy Act 1988 (Privacy Act) from 22 February 2018.
Examples of an eligible data breach include when:
a device containing customers’ personal information is lost or stolen.
a database containing personal information is hacked.
personal information is mistakenly provided to the wrong person.
The NDB scheme introduced an obligation to notify individuals whose personal information
is involved in a data breach that is likely to result in serious harm to any individual. This
notification must include recommendations about the steps individuals should take in
response to the breach. The Australian Information Commissioner (Commissioner) must
also be notified of eligible data breaches.
STAR International will conduct a quick risk assessment of a suspected data breach to
determine whether it is likely to result in serious harm, and as a result require notification to
the Commissioner using the Notifiable Data Breach Statement Form available at
https://www.oaic.gov.au. The individuals impacted must also be notified promptly with
the following information: -
the identity and contact details of the organisation.
a description of the data breach.
the kinds of information concerned; and
recommendations about the steps individuals should take in response to the data
breach.
Complete and up to date information
STAR International will take reasonable steps to ensure that the personal information it:
Collects is accurate, up to date and complete.
Uses or discloses accurate, up to date, complete and relevant data, having regard
to the purpose of the use or disclosure.
Should STAR International be satisfied that information is inaccurate, out of date,
incomplete, irrelevant or misleading, STAR International will take such steps as is
reasonable to correct the information to ensure that, having regard to the purpose for
which it is held, the information is accurate, up-to-date, complete, relevant and not
misleading.
If STAR International refuses to correct individual information, written notice will be
provided to the individual that sets out:
The reason for refusal.
The mechanisms available to complain about the refusal; and
Any other matter prescribed by the regulations.
Complaint Procedure.
The Complaints Policy and Procedure is to be followed for any complaints to be made by
an individual in relation to this Privacy Policy and Procedure.
A copy of the Complaints Policy and Procedure and associated forms is available on
request.
Procedure for suspected or known data breach.
The following flow chart depicting the information governance and security process
provided by business.gov.au will be utilised by management to ensure legislative
compliance with government requirements.