| Effective date | 11 March 2019 | Review Date | March 2022 |
| Document Type | Policy | Document Number | HRPON06 |
| Policy Owner | General Manager, People and Capability | Board Approval Date | November 2018 |
This policy outlines how NORTEC protects the privacy of Personal Information and explains how people can access and correct their Personal Information.
2. Why we collect, hold, use and disclose Personal Information
NORTEC collects, holds, uses and discloses Personal Information for a variety of purposes relating to our functions and activities, including:
- all client services, including employers, volunteers, service participants and trainees; and
- relationships with suppliers of goods or services.
NORTEC will not collect or hold Personal Information unless it is reasonably necessary for a service we provide or one of our functions or activities. NORTEC employees and contractors must ensure that all information is used in accordance with the Privacy Act 1988 (Cth) and Australian Privacy Principles.
NORTEC will endeavour to ensure that the information provided to us remains private and is used only for the purposes that an individual or organisation has agreed to in the privacy consent disclaimers on enrolment forms, job plans and similar.
3. Kinds of information we collect
In performing the functions and services of our business, NORTEC may collect and hold the following kinds of Personal Information (which will vary depending on the context of the collection):
- name, address and contact details (e.g. phone, email and fax), and next of kin contact details;
- photographs, video recordings and audio recordings of you;
- information about your personal circumstances (e.g. marital status, age, gender, occupation);
- financial information (e.g. bank account details);
- information about your identity (e.g. date of birth, country of birth, citizenship, passport, visa, drivers’ licence, birth certificates);
- information about your employment (e.g. job seeking efforts, work history, referee comments, remuneration);
- information about your background (e.g. educational qualifications, the languages you speak and your English proficiency);
- government identifiers (e.g. Centrelink Reference Number);
- complaints (including privacy complaints) made and feedback provided to NORTEC; and
- information about assistance provided to you under government funding arrangements.
Occasionally Sensitive Information (refer definitions) may also be collected, including:
- barriers to employment (including Police Checks and Child Protection Checks when required to deliver the inherent requirements of a role, or as required by law);
- racial or ethnic origin, including whether Aboriginal or Torres Strait Islander; and
- health information and medical history (including disability or injury information).
Sensitive Personal Information is only collected with consent and where it is necessary for NORTEC’s employment, training, business and service functions.
4. How we collect information
NORTEC collects information directly from people through registrations, events, programs and services. We only use lawful and fair means to collect Personal Information, including through:
- face to face contact, telephone conversations, visitor books;
- via an automated system of referral from Australian and State Government information sources;
- forms, correspondence, emails, registrations;
- social media, our website, online surveys and browser cookies; and
- video conferences, webinars, promotional events and services.
NORTEC may collect information about people from other parties such as Australian and State Government bodies, Skill and Apprenticeship Centres, Registered Training Organisations, Host Activity and Work Placement Organisations, employers, other jobactive and Disability Employment Service (DES) Providers; and from organisations completing criminal history checks, Working with Children/Vulnerable People checks and Visa Entitlement Verification Online (VEVO) right to work in Australia checks.
Where sensitive information is to be collected, NORTEC will seek the party’s consent to collect and use their sensitive information by asking them to sign relevant Privacy Notification and Consent documentation. If the party refuses to sign, this may limit the types of services NORTEC can offer. The party will be made aware of this at the time.
5. How we store information
NORTEC takes reasonable steps to ensure the security of the Personal Information held and to protect it against loss, misuse or unauthorised access, destruction, modification or disclosure.
IT systems are password protected, with access restricted to NORTEC-authorised persons. Firewalls and virus scanning tools are used to protect against unauthorised access and viruses entering our systems. Our physical records are also stored securely.
6. How we disclose information
NORTEC will not rent, distribute, license, sell, share or pass Personal Information to a third party without their consent and the written consent of the relevant Government Agency (where relevant), and then only to third parties with whom we have a binding agreement ensuring that the third party meets the privacy protections required by the Privacy Act.
NORTEC does not use or disclose information for the purposes of direct marketing of unrelated products or services.
We may disclose your information to:
- Training providers;
- A contracted third party, government department or agency;
- Comply with an authorised law or court/tribunal order; or
- Source additional support services for candidates.
NORTEC does not disclose Personal Information to overseas recipients.
NORTEC uses several data management and software programs to transmit client Personal Information between our sites and government departments. The security of the data is managed by these bodies.
NORTEC takes all reasonable steps to protect Personal Information when using the Internet.
7. Anonymity and pseudonymity
Where possible, NORTEC will allow a party to interact with us anonymously or using a pseudonym. Clients have the option of using a pseudonym or not identifying themselves when making enquiries about our services.
In most instances, however, it is impractical for NORTEC to provide a full service to clients who have not identified themselves, or otherwise perform our functions and activities without sufficient information about the particular matter to enable the function or activity to be undertaken. It may also be a requirement of law or a Commonwealth or State contract to confirm a client’s identity before providing a service to them.
8. Government-related identifiers
In certain circumstances we may be required to collect government-related identifiers such as Centrelink Reference Number, Job Seeker Identification Number, Training Contract Identification Number, Centrelink Client Reference Number or Unique Student Identifier. We will not disclose this information unless we are authorised by law, nor will we adopt it as our own identifier.
9. Police requesting client information
NORTEC is governed by Social Security laws regarding the use and disclosure of protected information regarding our clients. A police request for client information (when the client is receiving a social security benefit/payment) is likely to be considered ‘protected’ and subject to social security law. This asserts that such information can only be disclosed under a Public Interest Certificate (PIC), issued by the Secretary of Employment or their delegate under s.208 of the Social Security (Administration) Act 1999.
Any such requests from police must be in writing and forwarded to the Operations Co-ordination Unit (OCU) for follow up with the Department of Employment.
10. How to access and correct your Personal Information
Under the Privacy Act, you have the right to ask for access to Personal Information that NORTEC holds about you, and ask that we correct that Personal Information. You can ask for access or correction by contacting us and we must respond within 30 days. If you ask, we must give you access to your Personal Information, and take reasonable steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to. Verified proof of identification will be required beforehand.
In some circumstances, such as directions under an Australian law or a court/tribunal order, or in cases of serious threat to public or individual health and safety, exceptions to allowing access may be made. These are detailed in Australian Privacy Principle 12.3. If we refuse to give you access to, or correct, your Personal Information, we must notify you in writing setting out the reasons.
11. Breach of privacy complaint
People who use our services have the right to complain if they believe a breach of their privacy has occurred regarding how NORTEC has collected or managed their information.
This is done by either contacting a NORTEC Site Manager (for clients) or submitting a Privacy Complaint Form for action. A copy of the Privacy Complaint Form can be found here: Privacy Complaint Form
We will respond to your complaint or request promptly if you provide your contact details. We are committed to quick and fair resolution of any complaints and will ensure your complaint is taken seriously. You will not be victimised or suffer negative treatment if you make a complaint.
If you are not satisfied with the response, you may contact the Office of the Australian Information Commissioner (OAIC) for assistance with your complaint. You can make a complaint directly to the OAIC rather than to NORTEC first. However, OAIC may recommend that you try to resolve the complaint directly with NORTEC in the first instance.
12. Notifiable Data Breaches
In the event of a notifiable data breach of a type contemplated by Part IIIC of the Privacy Act 1988 (Cth), it will be handled in accordance with the Privacy Amendment (Notifiable Data Breaches) Act 2017. This includes giving a breach notification to affected individuals which includes recommendations about the steps the individual should take in response to the breach.
The Privacy Act 1988 defines Personal Information as information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable.
Common examples include an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person.
The Privacy Act 1988 defines sensitive information as information or an opinion about an individual’s:
that is also Personal Information; or
15. Supporting Information
| Related Legislation | This policy supports NORTEC’s compliance with the following legislation: |