Purpose and Scope
Excelsia College is committed to safeguarding personal information in accordance with the Privacy Act 1988 (Act). This policy describes the ways in which Excelsia College deals with personal information.
Personal Information is defined in the Act as being information or an opinion about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is: (a) true or not; (b) recorded in a material form or not.
Personal Information includes, for example, names, addresses, telephone numbers, email addresses, dates of birth and passport numbers.
Sensitive information means personal information about you that is of a sensitive nature, including information about health, genetics, biometrics or disability; racial or ethnic origin; religious, political or philosophical beliefs; professional association or trade union memberships; sexuality; or criminal record. Special requirements apply to the collection and handling of sensitive information.
The Australian Privacy Principles
Excelsia College complies with the Australian Privacy Principles set out in the Privacy Act 1988 in respect of students’ personal information. These principles are designed to protect your privacy. Therefore, Excelsia College employees will:
1. only collect personal information about you that is needed for us to offer you higher education services;
2. normally inform you if we are collecting information about you, why we need to do this, and who we would usually give that sort of information to;
3. do our best to ensure the information we collect from you is relevant, up to date and complete;
4. protect your information against any form of misuse, and prevent unauthorised use or disclosure;
5. maintain a statement of the types of personal information we hold and why we hold it, how long it is kept for, who can access it, and how people should go about getting access to it;
6. give you access to your personal information as held by Excelsia College, subject to restrictions in other government legislation;
7. update and amend our records of your personal information when you request such amendment;
8. take reasonable care to check that your information is accurate, up to date and complete, before using it;
9. only use your personal information for the purpose(s) for which it was collected;
10. not use your personal information for any purpose other than that for which it was collected, unless you consent, or the use is necessary to protect you against serious threat, or the use is required by law; and
11. in the case of 10 above, use our best endeavours to ensure that the recipient only uses or discloses your information for the purpose for which it was given.
Collection and Use of Personal Information
Excelsia College collects information necessary to enable Excelsia College to:
• provide services to students and to people enquiring about study at Excelsia College
• process applications for admission
• communicate with students
• maintain appropriate academic and financial records
• perform other internal administrative functions
• maintain contact with alumni
• provide statistical and other information required by the government.
Personal information provided by you to Excelsia College will be used by us for the primary purpose for which you provided it and for other secondary purposes directly related to that primary purpose.
Disclosure of Personal Information
Excelsia College does not disclose personal information to third parties without the owner’s consent, unless required or permitted by law.
We may be required by law to disclose some personal information to Australian government organisations and to the Manager of the Tuition Protection Service.
Personal information may be disclosed for the prevention, detection or investigation of criminal or proscribed conduct, or in certain circumstances in the interest of public health or public safety.
We are required by law to inform the Australian Department of Immigration and Border Protection if an overseas student visa holder:
• changes the course of study for which s/he is enrolled
• changes the duration of his/her course of study
• breaches a student visa condition relating to attendance or satisfactory academic performance.
It may sometimes be necessary for Excelsia College to provide personal information to others with whom it conducts business, e.g. insurers, companies developing and providing educational software systems.
Lessen or prevent a serious threat
This permitted general situation applies to a serious threat to the life, health or safety of any individual, or to public health or safety. The permitted general situation would not apply after the threat has passed. A ‘serious’ threat is one that poses a significant danger to an individual or individuals. The likelihood of a threat occurring as well as the consequences if the threat materialises are both relevant. A threat that may have dire consequences but is highly unlikely to occur would not normally constitute a serious threat. On the other hand, a potentially harmful threat that is likely to occur, but at an uncertain time, may be a serious threat, such as a threatened outbreak of infectious disease. This allows the College to take preventative action to stop a serious threat from escalating before it materialises.
The permitted general situation applies to a threat to life, health or safety. This can include a threat to a person’s physical or mental health and safety. It could include a potentially life threatening situation or one that might reasonably result in other serious injury or illness. The permitted general situation would not ordinarily extend to a threat to an individual’s finances or reputation.
The threat may be to an individual the College is dealing with or to another person. It may also be a threat of serious harm to an unspecified individual, such as a threat to inflict harm randomly.
A ‘serious threat to public health or safety’ relates to broader safety concerns affecting a number of people. Examples include:
• the potential spread of a communicable disease
• harm, or threatened harm, to a group of people due to a terrorist incident
• harm caused by an environmental disaster.
If time permits, attempts could be made to seek consent from the relevant individuals for the collection, use or disclosure, before relying on this permitted general situation.
Any intended use of sensitive student information on the basis of lessening or preventing a serious threat should be made through a formal application.
Applications would include:
• substantive evidence provided to allow an assessment of the specific threat
• outline of the information to be released
– information to be released
– authorised recipients of the information (internal or external)
• intended use of the information.
A “cookie” is a small text file which is placed on your hard drive by some websites to store information about your visit to a website.
A cookie only identifies your computer to a web server when you visit the site; it does not identify users.
A web beacon is an image that originates from a third party site to track visitor activities. We may use web beacons to track the visiting patterns of individuals accessing our website.
What is a data breach?
A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost.
Personal information is information about an identified individual, or an individual who is reasonably identifiable. Entities should be aware that information that is not about an individual on its own can become personal information when it is combined with other information, if this combination results in an individual becoming ‘reasonably identifiable’ as a result.
A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.
Examples of eligible data breaches include:
• loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
• unauthorised access to personal information by an employee
• likely to result in serious harm to any of the individuals to whom the information relates
• the entity has been unable to prevent the likely risk of serious harm with remedial action
• inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person
• disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.
Consequences of a data breach
Data breaches can cause significant harm in multiple ways.
Individuals whose personal information is involved in a data breach may be at risk of serious harm, whether that is harm to their physical or mental well-being, financial loss, or damage to their reputation. Examples of harm include:
• financial fraud including unauthorised credit card transactions or credit fraud
• identity theft causing financial loss or emotional and psychological harm
• family violence
• physical harm or intimidation.
The Notifiable Data Breaches scheme in Part IIIC of the Privacy Act 1988 (Cth) requires entities to notify affected individuals and the Commissioner of certain data breaches.
Below is the process map and guide in responding to data breaches.