17th March 2021 (Version T)
Related Documents and Reference
Privacy Act 1988
Privacy Amendment (Enhancing Privacy Protection) Act 2012
Australian Privacy Principles 2014 (Privacy Amendment (Enhancing Privacy Protection) Act 2012)
Privacy Regulation 2013
Office of the Australian Information Commissioner
Social Security (Administration) Act 1999
NSW Smart and Skilled Contract
Pre-Qualified Supplier Contract – covers both Qld VET Investment Contract and Qld User Choice Contract
Departmental Guidelines and Public Interest Certificates (PICs)
jobactive Employment Services and New Employment Services Trial (NEST)
- Jobactive Deed 2015-2022 and New Employment Services Trial Deed 2019-2022
Social Security (Administration) (Public Interest Certificate Guidelines) (DSS) Determination 2019 https://www.legislation.gov.au/Details/F2015L01267
Disability Employment Services
Disability Employment Services Grant Agreement 2018-2023
Social Security (Public Interest Certificate Guidelines) (DSS) Determination 2015, Disability Employment Services – Class Interest Certificate (No. 2) 2019 (Disability Services Act 1986 – Section 28(5)(a), Social Services (Administration) Act 1999 – Section 208(1)(a) https://www.legislation.gov.au/Details/F2015L01267
Tursa Employment & Training (“TURSA”) is committed to protecting the privacy of an individual’s personal and/or sensitive information (“personal information”). TURSA is bound by the Australian Privacy Principles (Privacy Amendment (Enhancing Privacy Protection) Act 2012) that underpin the Privacy Act 1988.
The Privacy Act applies to the handling of personal information that relates to individuals and to businesses with an annual turnover of $3M or less.
In relation to any programmes operated with funding, an individual’s personal information will be treated in accordance with the Information Privacy Act 2009 (Qld) for funding from the Queensland Government and the Privacy and Personal Information Protection Act 1998 (PPIP Act) for funding from NSW Government and the Data Provision Requirements 2012 as the case may be.
This policy operates across TURSA’s employment and training services.
APP’s – Australian Privacy Principles (January 2014)
The Privacy Act defines ‘personal information’ as:
‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.’
Sensitive Information – Information or an opinion about an individual’s racial or ethnic origin, political opinion, membership of a political association, religious beliefs, memberships of professional or trade associations, sexual preferences or practices, criminal record, medical/health information.
Generally, sensitive information has a higher level of privacy protection than other personal information.
4.1 Personal Information collected by Tursa Employment & Training
In order to provide employment, training and assessment services, TURSA needs to collect an individual’s personal information upon registration for a course/qualification, partaking in a project, program or service to be provided by TURSA.
TURSA will not collect personal information, including sensitive information, unless this information is reasonably necessary for, or directly related to, the organisation’s employment, training and assessment functions and is in line with contractual obligations and legislative requirements.
TURSA only collects personal information by fair and lawful means and not in an unreasonably intrusive manner.
Legislation and government contract conditions require that selected information be reported to government departments and/or agencies. These may include:
- Australian Government departments including the relevant employment services Departments; Services Australia (Centrelink);
- State Governments including NSW Department of Industry and QLD’s Department of Education; and Department of Employment, Small Business and Training (DESBT);
- Australian Training Network;
- Australian Vocational Education and Training Management Information Statistical System (AVETMISS); and
- Police and other agencies in circumstances authorised in the Class Public Interest Certificate (PIC) issued by the Secretary of the relevant employment services Departments
TURSA does not disclose personal information with overseas recipients.
An individual’s personal information that may be collected includes:
- Name, signature
- Address and Contact details (telephone)
- Email address
- Date of Birth
- Country of birth
- Whether Aboriginal or Torres Strait Islander
- Language spoken at home
- Disability information
- Education details
- Employment History
- Employment status – Employer details, pay and hours
- Barriers to employment, including Police and Child Protection checks when required by law or prescribed
- Documents reasonably required to administer Australian Government funding programmes
4.2 Sources of Personal Information Collected
TURSA collects personal information directly from each individual at registration for a course, program or service, or via an automated system of referral from Australian and State Government information sources.
TURSA will collect this information through forms completed and information provided to us. The enrolment form or program contract completed by the individual contains a disclaimer outlining why the personal information is collected and how it is used. Individuals are required to sign the disclaimer as their agreement to the use of their personal information.
All information has been collected by TURSA in accordance with the Australian Privacy Principles and will only be disclosed in accordance with these Principles.
Information collected as a result of people browsing TURSA’s website is used for monitoring and security purposes only. Cookies may be stored on the website user’s computer to assist them to use the website. These are not used for any type of tracking purpose outside of the TURSA website.
4.3 Advice provided to Individuals
At the time TURSA collects personal information we will take all reasonable steps to ensure that the individual is made aware of:
- TURSA’s identity and how to contact us;
- The individual’s rights with regard to accessing their personal information;
- The purpose for which the personal information was collected;
- To whom we usually disclose an individual’s personal information;
- Any law or government contractual obligations that requires us to collect particular personal information;
- The main consequences, if any, for the individual if they do not provide all or part of the information we require; and,
- The individual’s right of access to the Cluster, Site or Programme Manager with respect to Customer Complaints – including Privacy matters of concern; an external Customer Complaints hotline, relevant Ombudsman and State/Federal Privacy Commissioners.
4.4 Use and Disclosure
TURSA staff are bound by a policy that all information is used in accordance with the Commonwealth Privacy Act 1988, incorporating the Australian Privacy Principles. We will endeavour to ensure that the information provided to us remains private and is used only for the purposes agreed (as per completed consent form/s).
TURSA will not reveal, disclose, sell, distribute, rent, license, share or pass personal information on to a third party, other than those that we have a binding agreement with ensuring that the third party affords the personal information similar levels of protection as we do and that allows us to reasonably perform our employment and training and assessment services.
In order to provide an individual with employment, training and assessment services, we are required to disclose personal information to third parties as outlined in 4.1 of this policy.
Further, TURSA may use and disclose personal information to provide employment, training and assessment services specified to the individual at the point of collection or for another purpose if:
- The individual would reasonably expect us to use or disclose it for that purpose;
- That use and disclosure is related to the purpose specified to the Individual at the time of collection;
- The use and disclosure is specifically authorised by Australian Law or a Court/Tribunal Order;
- There is suspected unlawful activity or serious misconduct related to TURSA’s activities and functions; or
- This is authorised under a Public Interest Certificate (PIC.) See 4.4.1 below.
TURSA does not use or disclose personal information for the purposes of direct marketing unrelated products or services.
TURSA does not send or store any personal information offshore either directly or via Cloud storage.
An individual may be encouraged to provide disability information to prospective employers if relevant to potential employment. TURSA staff cannot disclose this information without the individual’s consent.
4.4.1 Disclosure of Information – Police or other specified agencies requesting Individual information
Social Security law governs the use and disclosure of protected information. Should a staff member receive a police enquiry for a Participant’s information (and the Participant is in receipt of a social security benefit/payment), the information is likely to be considered ‘protected’ and subject to Social Security Law.
If the information is protected information, it can usually only be disclosed to the police under a Public Interest Certificate (PIC), issued by the Secretary of the relevant Department, or their delegate under section 208 of the Admin Act. Certain information can usually only be disclosed under a Public Interest Certificate (PIC). The PIC must be issued in accordance with the Social Security (Administration) (Public Interest Certificate Guidelines) (DEEWR) Determination 2013 (https://www.legislation.gov.au/Details/F2013L01553/Html/Text).
TURSA will notify the relevant Department and provide a copy of the request.
TURSA will obtain a separate PIC from the relevant Department for situations that are not covered by the Class PIC.
4.4.2 Threats or Incidents that Warrant Police Attention
The Class PIC issued by the Secretary of the relevant Department identifies:
- who may disclose the information;
- the information that can be disclosed about a person;
- who it can be released to and for what purposes; and
- allows the information to be released.
Disclosure of protected information is authorised only where:
- There is a threat to someone’s life, health or welfare
- An offence or threatened offence occurs on premises occupied by TURSA.
In the case of Threats, the protected information can only be released to:
- Emergency services (including the police); health service Providers; and child protection agencies.
- In the case of Offences on Premises, the protected information can only be released to police officers.
4.5 Data Quality
TURSA will take reasonable steps to ensure that personal information is accurate, complete, up-to-date and relevant. Individuals are encouraged to help TURSA keep their personal information accurate, complete and up-to-date by contacting TURSA through their Employment Adviser or Disability Employment Advocate, attending one of TURSA’s service delivery sites or FREECALL 1800 670 914 to provide any updates to their personal information.
4.6 Data Security and Storage
TURSA is committed to protecting the privacy of an individual’s personal information. We ensure that all information is stored in accordance with the Commonwealth Privacy Act 1988 and the Australian Privacy Principles. We take reasonable steps to protect personal information from misuse, loss interference and from unauthorised access, modification or disclosure. We ensure this by having such security measures as:
- Individual password access to systems and databases;
- Encrypted electronic databases;
- Clear Screen and Clear Desk Policy;
- Secured file cabinets.
TURSA takes privacy of information very seriously and will at all times take steps to ensure that an individual’s information is stored and disposed of securely through the use of and adherence to protected IT systems, filing systems, security procedures, secure offsite storage and records management policies.
Archived personal information is stored in secured premises for time periods as specified by legislation, regulations or Government contractual obligations.
TURSA will also take reasonable steps to destroy or permanently de-identify personal information if it is no longer required for any purpose and is not required by law to be held for any given period.
All TURSA staff are not to remove from, or store outside, TURSA’s secure network any client/student personal information using portable storage devices (i.e. USB sticks, portable hard drives), wireless transfers, uploads to personal emails or storage clouds, without express permission from a Chief Officer.
4.7 Use of the Internet
Tursa Employment & Training uses a variety of secure technologies to transmit Individual personal information from our delivery sites to our head office, and vice versa, and also to transmit details to Australian Government registering bodies.
All information transmitted by delivery sites to TURSA is encrypted. The security of data transmitted to Australian Government registering bodies is managed by these bodies.
TURSA complies with the requirements of the government’s Information Security Registered Assessors Program (IRAP), i.e. system security measures to protect personal information security when using the Internet, and takes all reasonable steps to protect personal information when using the Internet but is aware that no transmission of information by email or via a registering body website can be guaranteed secure.
4.8 Access and Correction
Individuals are provided with the opportunity to access the personal information TURSA holds on them and to seek to correct that information if they determine that it is incorrect. TURSA will allow any person on whom records are maintained to have access to those records unless Government contractual requirements or legislation (e.g. Freedom of Information Act) requires or authorises the refusal of access. In some circumstances, such as directions under an Australian law or a court/tribunal order, in cases of serious threat to public or individual health and safety, exceptions to allowing access may be made. These are detailed in the Australian Privacy Principle 12.3.
To obtain access to personal information, the individual is required to make a request at their nearest TURSA service delivery site or make a request in writing. Before giving access to information, TURSA will require that the individual provides proof of identification, and this along with details of the request will be recorded on the individual’s file.
Correction of personal information/details can be undertaken by the individual contacting their local delivery site or providing details in a written request.
4.9 Confirming Identity, retaining Anonymity and Government Identifiers
In most instances, it is impractical for TURSA to provide a full service to individuals who have not identified themselves or choose to use a pseudonym. It may also be a requirement of law or an Australian Government contract to confirm an individual’s identity before providing a full service to them.
TURSA is required to use government related identifiers to confirm an individual’s identity for the purposes of providing services to the individual and where it is a requirement of a State, Territory or Commonwealth authority. These government identifiers may include state drivers licence, passport, Job Seeker Identification Number, Training Contract Identification Number, Centrelink Client/Student Reference Number, Unique Student Identifier, Tax File Number, Australian Business Number etc.
Where practicable TURSA will not use or disclose an identifier assigned to an individual by a government agency. TURSA will not adopt as its own identifier, an identifier that has been assigned by a government agency.
4.10 Complaints / Feedback
An individual has the right to complain if they believe TURSA has not protected their information in line with the Privacy Act 1988 and the Australian Privacy Principles. In relation to the potential breach, the complaint can be to the Cluster, Site or Programme Manager:
- on FREECALL 1800 670 914;
- via the TURSA Internet page; or
- via the Customer Feedback Form (available at the Reception Desk of all TURSA sites); or
- in writing to:
TURSA Management Centre
PO Box 241
TWEED HEADS NSW 2485
TURSA staff can provide contact details for the external Customer Complaints hotline.
If not satisfied with the response from TURSA, individuals may be referred to the relevant Ombudsman or the Office of the Australian Information Commissioner, phone: 1300 363 992 or on-line to the Office of Australian Information Commissioner (OAIC).
4.11 Policy Breach
All TURSA staff, managers, Board Directors and contractors acting on behalf of TURSA, must comply with the requirements of this policy.
Any breach of this policy may result in disciplinary action which may include, but is not limited to, issuing a warning, suspension, termination of employment (or, for Persons other than employees, the termination or non- renewal of contractual arrangements).
TURSA has developed a Data Breach Response Plan (DBRP) based on the OAIC’s Data Breach Preparation and Response – A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth). The purpose of the DBRP is that it outlines the procedures to be followed by TURSA staff in the event that TURSA experiences a data breach (or suspects that a data breach has occurred) and is essential to facilitate a swift response, ensuring that any legal obligations are met following the data breach. It outlines TURSA’s strategy for containing, assessing and managing a data breach incident from start to finish, setting out clear lines of authority for staff.