IntelliLearn Pty Ltd (IntelliLearn) ABN 51 145 588 601 is committed to:
- protecting the individual’s right to privacy in relation to the collection, management, storage, use and disclosure of Personal Information; and
- ensuring the accuracy and security of any Personal Information it holds in relation to individuals;
regardless of whether the Personal Information relates to staff, clients, contractors or visitors.
This Policy applies to all use, collection, communication, storage and processing of Personal Information by IntelliLearn and any of its related entities, except for information covered by its “Website Terms and Conditions of Use” (the Website Terms)* in which case this Policy must be read subject to the Website Terms (but noting that this Policy will prevail over the Website Terms to the extent of any inconsistency).
This policy may be amended by IntelliLearn from time to time, and without prior notice. It is a general policy which contains the broad privacy framework in which IntelliLearn operates.
This policy must be read in conjunction with any supplementary privacy policies which IntelliLearn may introduce or vary from time to time. This policy must also be read in conjunction with any procedures that IntelliLearn may introduce from time to time relating to privacy.
Privacy procedures contain the administrative steps necessary for the practical implementation of this policy. This will include matters such as the necessary “form” to be completed to access Personal Information and the fees which are payable in relation to certain requests.
What is “information” or a “record”?
“Information” and “records” are information in electronic or hard copy form. It includes pictures, audio and video files, text records and databases.
Importantly, this policy will not extend to information or records that are publicly available, or would constitute an “employee record” as defined by the Privacy Act.
What is “Personal Information”?
Personal Information is information that identifies (or is capable of identifying) a particular individual. A person does not have to be mentioned by name for information to be “Personal Information”.
A record or information will contain Personal Information if an individual can be “reasonably identified” from the record or information.
Personal Information can include information and opinions, regardless of whether the information is true or not, and whether it is recorded in material form or not.
What is “sensitive information”?
Sensitive information is an important type of Personal Information. Sensitive information is Personal Information relating to an individual’s:
- racial or ethnic origin;
- political opinions;
- membership of a political association;
- religious beliefs or affiliations;
- philosophical beliefs;
- membership of a professional or trade association;
- membership of a trade union;
- sexual orientation or practices; and
- criminal record.
Sensitive information also includes information relating to:
- genetics; and
What are the Australian Privacy Principles (APP)?
IntelliLearn has modelled this policy and its related procedures on the APP. The APP, and how they are applied by IntelliLearn, are set out below.
Collection of Personal and Sensitive Information
IntelliLearn will only collect, use, communicate and hold Personal Information if:
- it is reasonably necessary for IntelliLearn to conduct its functions and activities;
- it is able to do so in a lawful, transparent and non-intrusive way; or
- it is required to do so by law.
It is necessary for IntelliLearn to collect personal and sensitive information in both physical records and electronic files. IntelliLearn collects Personal Information in a number of ways, including:
- directly from the individual for example through email, telephone or by the individual completing forms;
- from third parties such as educational institutions or government departments;
- from IntelliLearn’s own records; and
- through business development and marketing events.
When it is not practicable or reasonable to obtain Personal Information directly from the individual to whom the information relates, Personal Information may be obtained from a related third party. If this occurs, IntelliLearn will take reasonable steps to ensure that the individual is made aware that the Personal Information was obtained from a third-party, and why this was necessary and reasonable in the circumstances.
IntelliLearn will deal with unsolicited personal or sensitive information in accordance with the APP. This will ordinarily involve destroying the information or ensuring it is de-identified where it is reasonable to do so, or informing the individual whose information it is of the fact of receipt and collection of that information.
What types of Personal Information does IntelliLearn collect?
Personal Information collected by IntelliLearn may include:
- name, gender and date of birth;
- email address;
- residential and postal address and telephone numbers;
- student application forms and supporting documentation;
- bank account or financial details;
- government related identifiers; and
- information received as part of the recruitment process if the individual applies for a position in IntelliLearn, which is specifically addressed later in this policy.
An individual has the right to refuse to provide Personal Information to IntelliLearn, and to deal with us anonymously or by use of a pseudonym. However, if an individual exercises this right of refusal, it may affect IntelliLearn’s ability to meet its obligations to the individual or to a third-party, such as a government agency, or to properly provide services or information that reasonably require the use of Personal Information..
IntelliLearn will only solicit and collect sensitive information if:
- it is required to do so by law; or
- it has the consent of the individual to whom the information relates, and it is reasonably necessary for IntelliLearn to collect the sensitive information to enable it to carry out a relevant function or activity, including where assessing the suitability of a candidate during the recruitment process.
IntelliLearn will collect sensitive information where the information is necessary for a relevant function or activity. Examples of a relevant function or activity include (are but not limited to):
- to provide a health service to the individual;
- as part of the training that IntelliLearn provides to its students and/or obtained from or on behalf of the institutions at which they enrolled;
- where it is reasonably necessary to obtain sensitive information to assess their suitability for employment with IntelliLearn.
IntelliLearn may also collect sensitive information about an individual in order to comply with IntelliLearn’s obligations under Australian law, including but not limited to:
- language or cultural background;
- citizenship status;
- status as an Indigenous Australian;
- disability status; and
- health information.
Notification of the Collection of Personal Information
At or before the time IntelliLearn collects Personal Information, or if that is not practicable, as soon as practicable after, IntelliLearn will take all reasonable steps to:
- notify the individual of the matters referred to below: or
- otherwise ensure that the individual is aware of the matters below.
The matters which IntelliLearn must notify to the individual are, for the most part, addressed elsewhere in this policy. For completeness, these matters include:
- the identity and contact details of IntelliLearn;
- if IntelliLearn will collect Personal Information from someone other than the individual;
- the fact that IntelliLearn collects, or has collected, the information and the circumstances of that collection;
- if the collection of Personal Information is required or authorised by law;
- the purpose or reason why IntelliLearn needs to collect the Personal Information;
- the main consequences, if any, for the individual if all or some of the Personal Information is not collected by IntelliLearn; and
- any other third-party to which IntelliLearn usually discloses Personal Information of the kind collected by IntelliLearn.
Use and Disclosure of Personal Information
Use of Personal Information
Examples of the way in which Personal Information may be used to carry out IntelliLearn’s functions, activities and statutory obligations may include:
- communication with staff, students, visitors and stakeholders (including educational institutions and prospective staff or students);
- to deliver courses and services to students;
- to provide information in relation to IntelliLearn’s courses and facilities to students or prospective students;
- collating the information necessary for IntelliLearn to review its existing programs, courses, facilities and resources that it provides to staff and students;
- to administer and manage processes which are key to the operations of an educational institution including admission, teaching, enrolment, and examinations;
- to operate and maintain information technology;
- general program and course administration;
- financial management including the collection of fees and charges; and
- mandatory reporting to external government agencies such as Centrelink or the Australian Tax Office.
Disclosure of Personal Information
The primary purpose for using or disclosing an individual’s Personal Information will include:
- to identify an individual and verify their identity;
- to provide services to an individual; and
- to communicate with an individual.
IntelliLearn will take reasonable steps to ensure that Personal Information is not disclosed to a third-party, except in certain permitted situations. These include:
- where IntelliLearn obtains the individual’s consent;
- where it is necessary to provide that information to a third-party who provides services to IntelliLearn. This addressed in further detail below;
- where the disclosure is required or authorised by law or regulatory obligations. Examples of this include disclosing Personal Information to a government department, such as the Australian Tax Office; and
- any other circumstance permitted by the APP.
Where IntelliLearn does provide Personal Information to a third-party within Australia, IntelliLearn will take all reasonable steps to ensure that the third-party is fully compliant with the APP. The obligations relating to Personal Information that is transmitted overseas is set out later in this policy under the heading “Cross-Border Disclosure”.
To avoid doubt, third-parties in Australia may include:
- government departments and agencies; and
- contracted service providers including:
- contracted teaching staff;
- information technology service providers, including cloud service providers;
- counsellors and other health practitioners; and
- external business advisors, including auditors and lawyers.
There are also a limited number of exceptions in which the Privacy Act permits the use or disclosure of information without an individual’s consent. An example of this is where the use or disclosure is necessary to prevent a serious and imminent threat to any person’s life, health or safety or a serious threat to public health or safety, which need not be imminent.
IntelliLearn will, on occasion and where reasonable and appropriate, use Personal Information in direct marketing with individuals. Direct marketing may occur by mail, email, SMS or telephone.
Where the direct marketing is transmitted electronically or by telephone, IntelliLearn will at all times comply with any applicable laws including the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).
Direct marketing will ordinarily be directed:
- to current or prospective students; and
- educational institutions who may, or are likely to have, an interest in the services IntelliLearn has to offer,
but may be directed to any other person where the marketing is conducted in accordance with this Policy.
Direct marketing will only occur if:
- IntelliLearn has the consent of the individual or where otherwise permitted by law (including where the use or disclosure is necessary to meet a contractual obligation to the Commonwealth);
- the individual would reasonably expect IntelliLearn to use or disclose the Personal Information for that purpose, being direct marketing in relation to the services offered by an educational institution such as IntelliLearn;
- IntelliLearn provides a simple and readily identifiable means by which the individual may refuse to receive direct marketing from IntelliLearn, such as a refusal request;
- IntelliLearn provides a simple and readily identifiable means by which the individual may opt out from receiving direct marketing from IntelliLearn which they had previously consented to receiving, such as an opt out request; and
- the individual has not made an opt out or refusal request to IntelliLearn.
Direct marketing, as it relates to sensitive information, will be identical to that set out above for broader Personal Information, except that IntelliLearn will obtain the express consent of the individual concerned to use or disclosure the sensitive information for a particular purpose.
Quality and Security of Personal Information
IntelliLearn will take all reasonable steps to ensure the Personal Information it collects, uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the collection, use or disclosure.
The individual providing the Personal Information, to IntelliLearn, must also ensure that the Personal Information is both relevant and accurate.
IntelliLearn will take reasonable steps to protect Personal Information it holds from:
- misuse, interference and loss; and
- unauthorised access, modification or disclosure.
IntelliLearn has in place computer software and hardware that provides reasonable electronic protection of and/or reasonable prevention of access to Personal Information from unauthorised persons, particularly from those individuals who are external to IntelliLearn. Electronic protection will include:
- mandatory password protection on computers; and
- firewall and antivirus software.
IntelliLearn also has in place documented record management procedures in relation to the collection, physical security and storage of hard copy records.
IntelliLearn has in place systems to manage all Personal Information so that it is able to destroy or permanently de-identify Personal Information, wherever reasonable and practicable, that is no longer needed for any reason.
Security of Personal Information is further addressed later in this Policy, under the heading “Data Breach Considerations”.
The Recruitment Process and Job Applicants
Although past and present employees of Intellilearn are subject to the employee records exemption, prospective employees are not, and will be covered by this Policy.
The majority of Personal Information we collect will be directly from job applicants. We will use all reasonable endeavours to only collect sensitive information directly from that applicant and/or with their consent.
We may collect Personal Information including but not limited to your:
- resume and covering letters;
- telephone discussions;
- forms used during the recruitment process, including job applications; and
- information obtained during written and/or verbal interviews;
We may also collect information about applicants from other sources, including but not limited to:
- websites such as LinkedIn or Seek;
- enquiries of your former employers and/or other referees;
- enquiries of professional associations or professional regulatory bodies; and/or
- criminal record checks or related criminal history considerations.
We may collect from you sensitive health information, including but not limited to medical records and related medical information that is reasonably necessary for us to assess that you are able to perform the inherent requirements of any proposed role (or reasonable variation thereto) in a safe manner.
Access to Personal Information
IntelliLearn will deal with requests for access or correction, by an individual, of their Personal Information held by IntelliLearn, in accordance with this policy.
All requests must be made in writing, and in the appropriate “Application to Access Information” form as specified by IntelliLearn from time to time.
On receipt of an application, and within a reasonable timeframe, IntelliLearn will take reasonable steps to inform the individual who made the request:
- what Personal Information IntelliLearn holds in relation to that individual;
- why the Personal Information is held;
- how IntelliLearn collects (or collected), holds (or held), uses (or used) and discloses (or disclosed) the Personal Information.
IntelliLearn will confirm with the individual whether they wish to have access to the Personal Information in question.
IntelliLearn will ordinarily give an individual access to their Personal Information unless an exception applies. Exceptions include where:
- giving access would have an unreasonable impact on the privacy of other individuals;
- the request for access is frivolous or vexatious; or
- the access would be unlawful.
IntelliLearn reserves the right to charge a reasonable fee for providing access to the Personal Information, but not for making the application or correcting Personal Information held by IntelliLearn. IntelliLearn may withhold access to the Personal Information until the fee is paid.
If a request for access or correction is denied by IntelliLearn it will, within a reasonable time period, provide the individual who made the request with a general, written explanation as to why the request was refused. IntelliLearn must also take such steps, if any, as are reasonable in the circumstances to give access in a way that meets the needs of IntelliLearn and the individual.
Accuracy and Correction of Personal Information
IntelliLearn will be obliged, without an individual’s request for correction, to correct inaccurate, out-of-date, incomplete, irrelevant or misleading Personal Information if IntelliLearn is satisfied that, having regard to the purpose for which the Personal Information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If this occurs, IntelliLearn must take all reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.
If an individual is of the view that their Personal Information requires correction, they should contact the Privacy Officer listed below. The individual will ordinarily be required to complete an “Application to Correct Personal Information” form.
DATA BREACH CONSIDERATIONS
Security of data
IntelliLearn is obliged under the APP to take such steps as are reasonable to protect Personal Information:
- from misuse, interference and loss
- from unauthorised access, modification or disclosure
We are also obliged to ensure the security of credit eligibility information. We will adhere to the data security requirements and procedures for client information. A failure to provide adequate security may lead to an interference with the privacy of an individual. Should we suspect or believe that a data breach has occurred we will undertake the following 5 steps:
We will maintain systems and procedures to ensure that any suspected or actual data breach can be identified, reported and escalated to management responsible for the implementation of the Data Breach Response Plan. Any person within IntelliLearn who suspects a data breach has occurred must ensure that a Data Breach Report Form is completed and sent promptly to the Privacy Officer.
Once identified, IntelliLearn will take all reasonable steps that can be taken to contain that breach.
Any Data Breach Response Plan must provide for the proper assessment of the breach including:
- the type of information involved
- whether the breach can be remedied and the information recovered
- the identity and number of individuals affected or likely to be affected
- the possible financial, economic, social and emotional impact on any individual;
- the nature of the breach (i.e. – was it loss, access or disclosure of electronic or paper-based data and was it accidental or deliberate)
- the perpetrator of the breach (i.e. internal staff, contractors, third parties whether local or overseas)
- the risk of further breaches if remedial action not taken (i.e. is systemic problem or one-off)
- whether criminality is evident (i.e. theft or hacking)
- whether the information was encrypted, de-identified or difficult to access
If IntelliLearn believes (not just suspects) on reasonable grounds that a data breach is likely to result in serious harm to any of the individuals concerned it will:
(a) prepare the statement required by the Privacy Act 1988 including the following information:
- our contact details;
- a description of the breach we believe has occurred;
- the kind of information involved in the breach;
- recommendation about the steps the individuals should take in response and
- if the data breach was caused by a third party service provider we engage, we will include their name and contact details;
(b) provide a copy of the statement to the Office of the Australian Information Commissioner; and
(c) provide a copy of the statement to each affected individual affected by means determined to communicate effectively and include additional information such as:
- our response to contain the data breach and prevent its recurrence
- any assistance we can offer to the individuals
- that we have reported the breach to the Office of the Australian Information Commissioner and if relevant any law enforcement agency/ies
- how individuals can make a complaint to the Office of the Australian Information Commissioner
To prevent future breaches of the same kind, the Data Breach Response Plan must include a requirement for us to conduct a review of our policies, systems and procedures which may include the following:
- a post-investigation audit of physical and technical security controls;
- a review of policies and procedures;
- additional training of staff members including scenario practices;
- identify external resources that may assist in to prevent future breaches, i.e. auditing firms; public relations firms, legal advisers;
- review authority levels for access to and transfer of electronic data; and
- whether a previous Data Breach Response Plan was adequate.
If an individual believes IntelliLearn has breached this policy, please contact our Privacy Officer:
Suite 304 / 147 Pirie Street
Adelaide SA 5000
If you have any questions or require further information please contact the Privacy Officer at IntelliLearn by email at firstname.lastname@example.org with the subject heading ATTN: PRIVACY OFFICER.
^ Not all “Personal Information” is covered by this Policy. Like the exemption in the Privacy Act for non-government organisations, current employee records are exempt from this Policy. This means that Personal Information relating to a current or former employee of IntelliLearn, or information that would otherwise be an “employee record” within the meaning of the Privacy Act, will be exempt from this Policy. However, the employee record exemption does not apply to information obtained from contractors or prospective employees and job-applicants. This policy will apply in those cases, notwithstanding the fact that the Privacy Act would not apply.
* Website Terms are accessible from here