45. Handling students’ information

You must have processes and procedures for handling student information.

The processes and procedures must:

  • provide for the management of students’ personal information in accordance with the Australian Privacy Principles (APPs)
  • provide for students to access their personal information
  • provide for students to have incorrect personal information corrected
  • provide accurate information about the use and disclosure of personal information collected by the provider, including that the information may be disclosed to the Commonwealth.

45.1 - Retaining information

You must retain documents and information related to the operation of the Act and the Rules for 7 years or as otherwise specified in the Rules. Documents and information relating to student entry procedures, eligibility, academic suitability and enrolment must be kept for a period of 5 years [part 52].

45.2 - Dealing with personal information

You must comply with the APPs in relation to collecting and managing personal information.

If you fail to comply with the APPs, this constitutes an act or practice involving an interference with the privacy of the individual concerned for the purposes of section 13 of the Privacy Act 1988. This may be the subject of a complaint under section 36 of the Privacy Act.

You must have a procedure for students enrolled with you to apply for and receive a copy of personal information you hold in relation to them.

There are offences under the Act in relation to the misuse of personal information.

45.3 - Notification of data breaches

You must notify the department, within one business day, if you suspect that personal information you (or your subcontractors) hold in connection with the VSL program may have been subject to a data breach.

Data breaches include unauthorised access or unauthorised disclosure, or personal information having been lost in circumstances where the loss is likely to result in the personal information being subject to unauthorised access or unauthorised disclosure.

You must ensure that, in respect of any data breach reported to the department, you:

  • promptly update the department in respect of any developments about the data breach
  • promptly provide all information and assistance requested by the department in relation to the data breach and
  • comply with any reasonable direction of the department in relation to the management of that data breach.

You can notify the department via email to vetstudentloans@dewr.gov.au.

45.4 - Use of information

The following VET officers may use VET information in their capacity as:

  • a Commonwealth officer or an officer of a Tertiary Admission Centre
  • an officer of an approved course provider
  • an officer of an approved external dispute resolution scheme operator.

A VET officer may disclose VET information to another VET officer if they believe on reasonable grounds that the disclosure is reasonably necessary for the purposes of exercising their powers or performing their functions or duties in relation to VSL.

Commonwealth officers (which includes the VSL Tuition Protection Director) and the Secretary have broader powers to use or disclose VET information.

Legislation: Act s 51, s 54, Rules s 91–95, s 105