Privacy notice: Australian Privacy Principle (APP)
This document contains materials developed by etas. Any material used from other sources has been referenced or has been licensed for use by etas. Etas retains ownership of the copyright and intellectual property, and owns the copyright on all other parts of this document.
All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of Etas.
Preamble
This policy will provide guidelines and procedures to ensure etas (WA) Pty Ltd and any and all of its subsidiaries and trading names meet the requirements of the Standards for Registered Training Organisations 2015 and the Privacy Act 1988.
As a component of our risk management practices, etas (WA) Pty Ltd has conducted a review of all operations. Mitigation actions from this risk assessment have been implemented for the management of privacy risks at each stage of the information lifecycle, including collection, use, disclosure, storage, destruction and de-identification.
Providing an overall framework for our privacy practices, etas has developed and implemented this APP Privacy Policy.
Purpose and Policy Statement
This policy outlines how we ethically and effectively manage personal information within legislative parameters.
Scope
Etas is committed to maintaining the privacy and confidentiality of its RTO personnel and participant records. This policy applies to all Etas personnel and participants.
References and Legislation
- Privacy Act 1988 including the 13 Australian Privacy Principles (APPs) as outlined in the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
- National Vocational Education and Training Regulator Act 2011
- 2025 Standards for Registered Training Organisations
  - Outcome Standards 6.1 & 6.3: RTOs must comply with all relevant legislation, including maintaining records of compliance with privacy and data protection laws.
  - Outcome Standard 6.6 (Privacy Information): RTOs are required to inform learners about how their personal information is used, stored and disclosed.
  - Secure Data Retention (Standard 8.2 & 8.3): RTOs must ensure secure data retention and maintain certification records for a minimum of 30 years.
- Data Provision Requirements and AVETMISS
Related Documents
Include other policies, procedures, forms or documents that impact on or relate to this policy. For example:
- Etas Complaints and Appeals Policy
- Etas Learner Handbook
Definitions
APP means Australian Privacy Principle. The 13 APPs are summarised as follows:
- APP 1 — Open and transparent management of personal information
  - Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.
- APP 2 — Anonymity and pseudonymity
  - Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
- APP 3 — Collection of solicited personal information
  - Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of ‘sensitive’ information.
- APP 4 — Dealing with unsolicited personal information
  - Outlines how APP entities must deal with unsolicited personal information.
- APP 5 — Notification of the collection of personal information
  - Outlines when and in what circumstances an APP entity that collects personal information must notify an individual of certain matters.
- APP 6 — Use or disclosure of personal information
  - Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
- APP 7 — Direct marketing
  - An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
- APP 8 — Cross-border disclosure of personal information
  - Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
- APP 9 — Adoption, use or disclosure of government related identifiers
  - Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
- APP 10 — Quality of personal information
  - An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
- APP 11 — Security of personal information
  - An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
- APP 12 — Access to personal information
  - Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
- APP 13 — Correction of personal information
  - Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.
Considering all of the definitions, exclusions and exceptions, it is expected that all RTOs would be considered an APP entity and be required to adhere to the APPs as RTOs are:
- ‘Organisations’ as defined by the Act; and
- Often engaged in contracts with the Commonwealth Government; or
- Often engaged in contracts (funding agreements) with State Governments for the delivery of training services, where these contracts are likely to require adherence to the APPs; or
- May have an annual turnover in excess of $3,000,000.
An RTO that is a small business operator (under $3,000,000 annual turnover) may consider itself excluded from the APPs, despite its government registration as an RTO, if it does not hold any contracts with Commonwealth or State Government departments. Despite this view, due to the nature of the personal information required to be collected by RTOs, it may be expected that RTOs manage personal information with systems in line with the requirements of the APPs.
Etas will manage personal information in line with the APP requirements as outlined in this policy.
Procedure and Flowchart
Etas manages personal information in an open and transparent way. This is evident in the implementation of the practices, procedures and systems we outline in this policy, which ensure our compliance with the APPs and any binding registered APP code, and provide suitable procedures for Etas staff to be able to deal with related inquiries and complaints that may be received from time to time.
APP 1 - Open and transparent management of personal information
As a Registered Training Organisation, Etas is required to collect, hold, use and report on a wide range of personal and sensitive information in relation to our clients participating in nationally accredited training. This information requirement is outlined in the National Vocational Education and Training Regulator Act 2011 and associated legislative instruments, in particular the Standards for RTOs 2015 and the Data Provision Requirements.
Clients and staff should be advised that, due to our legislative compliance requirements, Etas will need to report on and disclose some of this information for any valid purpose to a range of organisations/entities such as:
- Government agencies (State, Federal and possibly local), such as:
  - The Training Accreditation Council of WA
  - Department of Training and Workforce Development
  - Department of Education and Training
  - Apprenticeship office
- Employers (where necessary only)
The types of information typically collected could include, but are not limited to:
- Name
- Date of Birth
- Address / Contact Details
- Employment details
- Educational background
- Course progression information
- Demographical information
- Financial / Billing information
- Disability status
- Individual needs
- Indigenous status
Generally, Etas collects this information directly from our clients; however, on occasion some personal information may be provided to us through a third party such as the employer or a Government agency.
Etas retains records both electronically and in hard copy format with appropriate protective measures in place to ensure security of clients’ personal information. Retention requirements for information do vary and all records are kept in line with relevant legislative requirements. In the event of Etas ceasing to operate, the required personal information on record for our clients would be transferred to the Training Accreditation Council of WA, as required by law.
All clients and staff have a right to request access to their personal information at any time. We will not disclose any information that we gather about our staff or clients to any third party. We use the information collected only for the services we provide. No staff or client information is shared with another organisation. If staff or client information is required by a third party we will obtain written consent from the relevant staff or client prior to release of any information. In order to request access to personal records, individuals should contact:
Etas RTO Manager
Level 1, 823 Wellington Street, West Perth WA 6005
APP 2 - Anonymity and Pseudonymity
Etas provides individuals with the option of not identifying themselves, or of using a pseudonym, when dealing with us in relation to a particular matter, whenever practical. This includes providing options for anonymous dealings in cases of general course enquiries or other situations in which an individual’s information is not required to complete a request.
In relation to nationally registered training, Etas requires and confirms identification – we are authorised by Australian Law to deal only with individuals who have appropriately identified themselves (and their needs).
APP 3 - Collection of solicited personal information
Etas only collects personal information that is reasonably necessary for our business activities.
We only collect sensitive information in cases where the individual consents to the sensitive information being collected, except in cases where we are required to collect this information by law, such as outlined earlier in this policy.
All information we collect is collected only by lawful and fair means.
We only collect solicited information directly from the individual concerned, unless it is unreasonable or impracticable for the personal information to only be collected in this manner.
APP 4 - Dealing with unsolicited personal information
Etas may from time to time receive unsolicited personal information. Where this occurs we promptly review the information to decide whether or not we could have collected the information for the purpose of our business activities. Where this is the case, we may hold, use and disclose the information appropriately as per the practices outlined in this policy.
Where we could not have collected this information (by law or for a valid business purpose) we immediately destroy or de-identify the information (unless it would be unlawful to do so).
APP 5 - Notification of the collection of personal information
Whenever Etas collects personal information about an individual, we take reasonable steps to notify the individual of the details of the information collection or otherwise ensure the individual is aware of those matters. This notification occurs at or before the time of collection, or as soon as practicable afterwards.
Our notifications to individuals on data collection include:
- Etas’s identity and contact details, including the position title, telephone number and email address of a contact who handles enquiries and requests relating to privacy matters;
- The facts and circumstances of collection such as the date, time, place and method of collection, and whether the information was collected from a third party, including the name of that party;
- If the collection is required or authorised by law, including the name of the Australian law or other legal agreement requiring the collection;
- The purpose of collection, including any primary and secondary purposes;
- The consequences for the individual if all or some personal information is not collected;
- Other organisations or persons to which the information is usually disclosed, including naming those parties;
- Whether we are likely to disclose the personal information to overseas recipients, and if so, the names of the recipients and the countries in which such recipients are located.
Where possible, we ensure that the individual confirms their understanding of these details, such as through signed declarations, website form acceptance of details or in person through questioning.
APP 6 - Use or disclosure of personal information
Etas only uses or discloses personal information it holds about an individual for the particular primary purposes for which the information was collected, or secondary purposes in cases where:
- An individual consented to a secondary use or disclosure;
- An individual would reasonably expect the secondary use or disclosure, and that is directly related to the primary purpose of collection; or
- Using or disclosing the information is required or authorised by law.
Requirement to make a written note of use or disclosure for this secondary purpose: If Etas uses or discloses personal information in accordance with an ‘enforcement related activity’ we will make a written note of the use or disclosure, including the following details:
- The date of the use or disclosure;
- Details of the personal information that was used or disclosed;
- The enforcement body conducting the enforcement related activity;
- If the organisation used the information, how the information was used by the organisation; and
- The basis for our reasonable belief that we were required to disclose the information.
APP 7 - Direct marketing
Etas does not use or disclose the personal information that it holds about an individual for the purpose of direct marketing, unless:
- The personal information has been collected directly from an individual, and the individual would reasonably expect their personal information to be used for the purpose of direct marketing; or
- The personal information has been collected from a third party, or from the individual directly, but the individual does not have a reasonable expectation that their personal information will be used for the purpose of direct marketing; and
- We provide a simple method for the individual to request not to receive direct marketing communications (also known as ‘opting out’).
On each of our direct marketing communications, Etas provides a prominent statement that the individual may request to opt out of future communications, and how to do so. An individual may also request us at any stage not to use or disclose their personal information for the purpose of direct marketing, or to facilitate direct marketing by other organisations. We comply with any request by an individual promptly and undertake any required actions for free. We also, on request, notify an individual of our source of their personal information used or disclosed for the purpose of direct marketing unless it is unreasonable or impracticable to do so.
APP 8 - Cross-border disclosure of personal information
Etas does not disclose personal information about an individual to any overseas recipient.
APP 9 - Adoption, use or disclosure of government related identifiers
Etas does not adopt, use or disclose a government related identifier related to an individual except:
- In situations required by Australian law or other legal requirements;
- Where reasonably necessary to verify the identity of the individual;
- Where reasonably necessary to fulfil obligations to an agency or a State or Territory authority; or
- As prescribed by regulations.
APP 10 - Quality of personal information
Etas takes reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete. We also take reasonable steps to ensure that the personal information we use or disclose is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant. This is particularly important:
- When we initially collect the personal information; and
- When we use or disclose personal information.
We take steps to ensure personal information is factually correct. In cases of an opinion, we ensure information takes into account competing facts and views and makes an informed assessment, providing it is clear this is an opinion. Information is confirmed up-to-date at the point in time to which the personal information relates.
Quality measures in place supporting these requirements include:
- Internal practices, procedures and systems to audit, monitor, identify and correct poor quality personal information (including training staff in these practices, procedures and systems);
- Protocols that ensure personal information is collected and recorded in a consistent format, from a primary information source when possible;
- Ensuring updated or new personal information is promptly added to relevant existing records;
- Reminding individuals to update their personal information at critical service delivery points (such as completion) when we engage with the individual;
- Contacting individuals to verify the quality of personal information where appropriate when it is about to be used or disclosed, particularly if there has been a lengthy period since collection; and
- Checking that a third party, from whom personal information is collected, has implemented appropriate data quality practices, procedures and systems.
APP 11 - Security of personal information
Etas takes active measures to consider whether we are able to retain personal information we hold, and also to ensure the security of personal information we hold. This includes reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
We destroy or de-identify personal information held once the information is no longer needed for any purpose for which the information may be legally used or disclosed.
Access to Etas offices and work areas is limited to our personnel only – visitors to our premises must be authorised by relevant personnel and are accompanied at all times. With regard to any information in a paper based form, we maintain storage of records in an appropriately secure place to which only authorised individuals have access.
Regular staff training and information bulletins are conducted with Etas personnel on privacy issues, and how the APPs apply to our practices, procedures and systems. Training is also included in our personnel induction practices.
We conduct ongoing internal audits (at least annually and as needed) of the adequacy and currency of security and access practices, procedures and systems implemented.
APP 12 - Access to personal information
Where Etas holds personal information about an individual, we provide that individual access to the information on their request. In processing requests, we:
- Ensure through confirmation of identity that the request is made by the individual concerned, or by another person who is authorised to make a request on their behalf;
- Respond to a request for access:
  - Within 14 calendar days, when notifying our refusal to give access, including providing reasons for refusal in writing, and the complaint mechanisms available to the individual; or
  - Within 30 calendar days, by giving access to the personal information that is requested in the manner in which it was requested.
- Provide information access free of charge.
APP 13 - Correction of personal information
Etas takes reasonable steps to correct personal information we hold, to ensure it is accurate, up-to-date, complete, relevant and not misleading, having regard to the purpose for which it is held.
Individual Requests
On an individual’s request, we:
- Correct personal information held; and
- Notify any third parties of corrections made to personal information, if this information was previously provided to these parties.
In cases where we refuse to update personal information, we:
- Give a written notice to the individual, including the reasons for the refusal and the complaint mechanisms available to the individual;
- Upon request by the individual whose correction request has been refused, take reasonable steps to associate a statement with the personal information that the individual believes it to be inaccurate, out-of-date, incomplete, irrelevant or misleading;
- Respond within 14 calendar days to these requests; and
- Complete all actions free of charge.
Correcting at Etas’ initiative
We take reasonable steps to correct personal information we hold in cases where we are satisfied that the personal information held is inaccurate, out-of-date, incomplete, irrelevant or misleading (that is, the information is faulty). This awareness may occur through collection of updated information, in notification from third parties or through other means.
‘Request for Records Access’ Procedure
Individuals or third parties may at any stage request access to records held by Etas relating to their personal information. The following procedure is followed on each individual request for access:
- A request for access is provided by the requester, with suitable information provided to be able to:
  - Identify the individual concerned;
  - Confirm their identity; and
  - Identify the specific information that they are requesting access to.
This request must be in writing.
- Upon receiving a request for access, Etas then:
  - Confirms the identity of the individual or party requesting access;
  - Confirms that this individual or party is appropriately authorised to receive the information requested;
  - Searches the records that we possess or control to assess whether the requested personal information is contained in those records; and
  - Collates any personal information found ready for access to be provided.
Confirming identity
Etas personnel must be satisfied that a request for personal information is made by the individual concerned, or by another person who is authorised to make a request on their behalf. The minimum amount of personal information needed to establish an individual’s identity is sought, which is generally an individual’s name, date of birth, last known address and signature.
When meeting the requesting party in person, identification may be sighted. If confirming details over a telephone conversation, questions regarding the individual’s name, date of birth, last known address or service details may be confirmed before information is provided.
- Once identity and access authorisation is confirmed, and personal information is collated, access is provided to the requester within 30 calendar days of receipt of the original request. We will provide access to personal information in the specific manner or format requested by the individual, wherever it is reasonable and practicable to do so, free of charge.
- Where the requested format is not practical, we consult with the requester to ensure a format is provided that meets the requester’s needs.
- If identity or access authorisation cannot be confirmed, or there is another valid reason why Etas is unable to provide the personal information, a refusal to provide access to records will be provided to the requester in writing. Our notification will include the reason(s) for the refusal and the complaint mechanisms available to the individual. Such notifications are provided to the requester within 30 calendar days of receipt of the original request.
‘Request for Records Update’ Procedure
Individuals or third parties may at any stage request that their records held by Etas relating to their personal information be updated. The following procedure is followed on each individual request for records updates:
- A request for records update is provided by the requester, with suitable information provided to be able to:
  - Identify the individual concerned;
  - Confirm their identity; and
  - Identify the specific information that they are requesting be updated on their records.
This request must be in writing.
- Upon receiving a request for records update, Etas then:
  - Confirms the identity of the individual or party to whom the record relates;
  - Searches the records that we possess or control to assess whether the requested personal information is contained in those records; and
  - Assesses the information already on record, and the requested update, to determine whether the requested update should proceed.
Assessing Update
Etas personnel assess the relevant personal information we hold, and the requested updated information, to determine which version of the information is considered accurate, up-to-date, complete, relevant and not misleading, having regard to the purpose for which it is held. This may include checking information against other records held by us, or within government databases, in order to complete an assessment of the correct version of the information to be used.
- Once identity and information assessment is confirmed:
  - Personal information is updated, free of charge, within 14 calendar days of receipt of the original request; and
  - Any third parties are notified of corrections made to personal information, if this information was previously provided to these parties.
- If the identity of the individual cannot be confirmed, or there is another valid reason why Etas is unable to update the personal information, refusal to update records will be provided to the requester in writing, free of charge, within 14 calendar days.
Our notification will include the reasons for the refusal and the complaint mechanisms available to the individual.
- Upon request by the individual whose correction request has been refused, we will also take reasonable steps to associate a ‘statement’ with the personal information that the individual believes it to be inaccurate, out-of-date, incomplete, irrelevant or misleading. This statement will be applied, free of charge, to all personal information relevant across Etas systems within 30 calendar days of receipt of the statement request.
Privacy Complaints Procedure
If an individual believes that Etas has breached its obligations in the handling, use or disclosure of their personal information, they may raise a complaint. We encourage individuals to discuss the situation with their Etas representative in the first instance, before making a complaint. The complaints handling process is as follows:
- The individual should make the complaint, including as much detail about the issue as possible, in writing to Etas: Etas, RTO Manager, Level 1, 823 Wellington Street, West Perth, WA 6005
- Etas will investigate the circumstances included in the complaint and respond to the individual as soon as possible (and within 30 calendar days) regarding its findings and actions following this investigation.
- If, after considering this response, the individual is still not satisfied, they may escalate their complaint directly to the Information Commissioner for investigation:
Office of the Australian Information Commissioner, www.oaic.gov.au, Phone: 1300 363 992
- When investigating a complaint, the OAIC will initially attempt to conciliate the complaint, before considering the exercise of other complaint resolution powers.
- Alternatively, if the complaint relates to a non-privacy matter, or should individuals choose to do so, a complaint may also be lodged with TAC:
Training Accreditation Council, Complaints Handling Policy, Phone: 08 9441 1910
Breaches of Policy
Any person who is found to have breached this policy or the legislation to which this policy applies will be disciplined and may be subject to further criminal prosecution.
Confirmed current as at: 13th June 2025