Background Information

This policy sets out how RRA manages privacy obligations and reflects the 13 Australian Privacy Principles (APPs) from Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), which amends the Privacy Act 1988 (Cth).

Policy Statement

RRA is committed to managing personal information in an open and transparent way.

Policy Purpose

This Policy sets out how RRA collects, holds, uses and discloses personal information including sensitive information.

Application of Policy

Clause 1. Subject to clause 2 under the Application of Policy section, this Policy applies to all personal information and sensitive information collected and held by RRA.

Clause 2. Despite clause 1 under the Application of Policy section,  any act done or practice engaged in by RRA directly related to:

  • A current or former employment relationship between RRA and an individual, and
  • A current or historical employee record held by RRA relating to an individual.

are exempt from this Policy in accordance with the Act and the APPs.

Clause 3. Employee records are governed by the provisions of RRA’s Employee Records Privacy Policy.

Principles

Personal information collected and held by RRA

RRA collects personal information for the purposes of RRA’s functions and activities. It collects personal information about staff, students and other individuals who have dealings with RRA for administrative need, to conduct its business, for legislative compliance or for research purposes.

The information may include residence and contact details, date of birth, details of next of kin, identifying information, including photographs, records of injuries, criminal checks, enrolment information, staff performance, qualifications and financial information.

Some of the personal information that RRA collects and holds is sensitive information. RRA only collects sensitive information where it is necessary for the purpose for which it is being collected and with the individual’s consent unless the collection is required or authorised by law.

How RRA collects and holds personal information

RRA collects and holds information from a number of sources. Where reasonably possible, RRA will only collect information from the individual to whom it relates. Frequently this will be collected through official administrative processes but it may also be collected from email, letters or other forms of communication.

RRA also holds personal information about individuals that it generates in the course of its operational activities, such as recruitment information, membership information, research grant applications, feedback, etc.

Personal information is held in both paper and electronic form, including databases.

When an individual accesses the RRA website, log files (“cookies”) are created by the web server that contain certain information including the Internet Protocol (IP) address of the visitor, the previous site visited, the time and date of access and pages visited and downloaded. Cookies allow a website, such as the RRA website, to temporarily store information on an individual’s machine for later use. RRA’s website uses cookies to identify unique visitors to the site.

In order to improve RRA’s services and assist the user, RRA may store information about users of its website to create a digital profile and provide them with information specific to them.

RRA also uses Web Analytics to obtain statistics about how its website is accessed. Web Analytics relies upon cookies to gather information for the purpose of providing statistical reports to RRA. The information generated by the cookie about an individual’s use of the RRA website is transmitted to and stored by Web Analytic service providers on servers located within and outside Australia, but it does not include any personally identifying information.

Individual users generally have the option of accepting or rejecting cookies by adjusting the settings in their web browsers. However, rejecting cookies may impact upon the functionality of the RRA website.

The RRA website may contain links to other websites. RRA cannot control the privacy controls of third party websites. Third party sites are not subject to RRA’s Privacy Policy or Procedures.

Notification of collection of personal information

When RRA collects personal information it will advise the individual why it is collecting that information and how it uses it, whether the collection of the information is required or authorised by law and the consequences for the individual if the personal information is not collected. It will also provide information about RRA’s Privacy Policy and about the right of individuals to access and correct personal information. If RRA collects personal information in circumstances where the individual may not be aware of the collection it will seek to advise the individual of the collection.

The purposes for which RRA collects, holds, uses and discloses personal information

RRA collects and uses personal information for a variety of different purposes relating to its functions and activities including:

  • Enrolling, facilitating and graduating members from RRA courses/programs
  • Enhancing and assessing members experience
  • Maintaining contact with its members, sponsors, government, business and with other stakeholders in the community
  • Community engagement
  • Government reporting
  • Commercial application of its intellectual property and professional expertise
  • Undertaking staff (paid and unpaid) recruitment activities
  • Undertaking research
  • Handling complaints
  • Conducting its business and
  • Improving the way in which it conducts its business purposes directly related to the above.

Use for secondary purposes

RRA does not use or disclose personal information for purposes other than the purpose for which it was collected (the primary purpose) unless:

  • The individual has consented to a secondary use or disclosure, or
  • The secondary use or disclosure is related to the primary purpose (in the case of personal information that is not sensitive information) or is directly related to the primary purpose (in the case of sensitive information), or
  • It is otherwise required or authorised by or under an Australian law or a court/tribunal order.

Security

RRA applies both physical and information and communications technology (ICT) security systems to protect personal information.

In relation to electronic records, personal information is collected via RRA’s systems including web-based systems. RRA has put in place measures to protect against loss, misuse and alteration of electronic information. Where necessary, RRA also uses encryption technology to protect certain information and transactions.

Remaining anonymous or using a pseudonym (alias)

RRA understands that anonymity is an important aspect of privacy and that in some circumstances some people may prefer to use a pseudonym when dealing with RRA. People have the right to remain anonymous or to use a pseudonym when dealing with RRA. However for a significant proportion of its activities (e.g. matters relating to enrolment, teaching and assessment of individual students) it is impracticable for RRA to deal with individuals who have not identified themselves or who have used a pseudonym.

Unsolicited personal information

When RRA receives unsolicited personal information it will assess whether it is personal information that it could legally collect. If it is, it will treat it according to the APPs. If it is not, it will, if lawful to do so, destroy or de-identify it as soon as practicable.

Direct marketing

RRA will only use personal information for direct marketing with the individual’s consent or when authorised by law.

Destruction of information that does not need to be retained

When RRA no longer needs to retain personal information, and is lawfully able to do so, it will destroy or de-identify that information.

How an individual may access personal information about the individual that is held by RRA

Subject to clause 2 under the Application of Policy section, anyone has a right under the Act to access personal information that RRA holds about them. Access to personal information is governed by the Access to and Correction of Personal Information Procedure.

How an individual may seek the correction of personal information about the individual that is held by RRA

Subject to clause 2 under the Application of Policy section, anyone has a right under the Act to request corrections to any personal information that RRA holds about them if they think that the information is inaccurate, out of date, incomplete, irrelevant or misleading. Correction of personal information is governed by the Access Procedure.

How an individual may complain about a breach of the Australian Privacy Principles by RRA

Subject to clause 2 under the Application of Policy section, anyone may complain about a breach of an APP by RRA. Complaints should be made in accordance with the Privacy Inquiries and Complaints Procedure.

How RRA will deal with complaints about breaches of the Australian Privacy Principles

RRA will deal with complaints about breaches of the APPs in accordance with the Privacy Inquiries and Complaints Procedure.

How RRA will manage an actual or suspected breach of this policy

RRA will manage the process of dealing with an actual or suspected breach in accordance with the RRA Privacy Breach Procedure.

Disclosure of personal information to overseas recipients by RRA

RRA may disclose personal information to overseas recipients. For instance, RRA may disclose personal information to an overseas RRA which requires proof of the academic standing of an individual before it permits the individual to enrol or to facilitate staff or student exchange. RRA will only do this at the request of, or with the specific approval of, the individual whose personal information it is.

RRA will disclose personal information in these circumstances to an overseas recipient in any country.

RRA may also disclose personal information to overseas recipients who are service providers for research or purposes, including data storage. Australian law may not apply to those recipients. RRA will ensure that appropriate data handling and security arrangements are in place. Disclosure of personal information to overseas recipients may also be required or authorised by law.

Disclosure of personal information to third parties

RRA may disclose information to third parties to:

  • Provide services;
  • For purposes of research to improve its operations and services;
  • Facilitate national surveys carried out in relation to the higher education sector;
  • Promote its activities;
  • If permitted or required by law; or
  • Otherwise with the consent of the individual.

Where RRA discloses personal information to third parties it will require restrictions on the collection and use of personal information equivalent to those required of RRA by the Privacy Act 1988.

Policy Review

Review

RRA will review this Policy and the Procedure regularly. It may amend the Policy and Procedure from time to time to ensure their currency with respect to relevant legislation and RRA Policy and Procedures and to improve the general effectiveness and operation of the Policy and Procedures.

Further Assistance

Alternative formats

Access to this Policy in alternative formats (e.g. hard copy) is available through the Secretary/President.

Contact details

Contact for all matters related to privacy, including:

  • General inquiries
  • Accessing personal information held about you
  • Requests to correct personal information held about you and
  • Complaints about breaches of privacy

should be directed to the Secretary.

Glossary of Terms

Access Procedure means the Access to and Correction of Personal Information Procedure promulgated under this Policy.

Act means the Privacy Act 1988 (Cth).

Australian Privacy Principles (APPs) means the 13 APPs set out in Schedule 1 of the Act.

Employee record means a record of confidential personal information relating to the employment of a staff member. The employee record comprises information about employment, including health, recruitment and selection, terms and conditions of employment, performance, discipline, and resignation.

Employee records are exempt from the provisions of the Act.

Inquiries and Complaints Procedure means the Privacy Inquiries and Complaints Procedure promulgated under this Policy.

Personal information means information or an opinion in any form about an identifiable individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not.

Privacy Coordinator means the person appointed by RRA from time-to-time to manage and coordinate RRA’s compliance with the Policy and the Procedures at the direction of the Privacy Officer (President).

Privacy Officer (President) means the person appointed by RRA from time-to-time to manage all inquiries and complaints arising under this Policy. The Privacy Officer may delegate the management of any or all of the inquiries and complaints arising under this Policy to the Privacy Coordinator.

Sensitive information means information about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record, or health information, genetic information or biometric information.

Web Analytics means the measurement collection, analysis and reporting of web data for the purpose of understanding and optimising web usage.

Policy Authorisation:

Policy Applies to: All Staff

Version: 1.0

Approval Authority: President

Approval Date: 5 September 2017

Policy Updated: 3 February 2018

Review Date: 18 July 2019