
Complete APP Privacy Policy and Privacy Management Plan

27 June 2018

About this privacy policy 

TEQSA uses a layered approach to presenting its privacy policy. This policy provides you with complete information on how the agency handles personal information, separated into the following different categories of records: 

  • Part A: Personnel 
  • Part B: Financial management system 
  • Part C: Consultancy services 
  • Part D: Higher education provider case management 
  • Part E: Legal services 
  • Part F: Enquiries mailbox 
  • Part G: Complaints
  • Part H: Freedom of Information 
  • Part I: Provider Information Request (PIR) 
  • Part J: Data collected from TEQSA website
  • Part K: Sector engagement contact details 

Below is some general information on the agency’s privacy obligations, how to access and correct your personal information, disclosure of information and how to make complaints about the way the agency handles personal information.

TEQSA also has a Condensed Australian Privacy Principles (APPs) Privacy Policy which summarises the agency’s approach to handling personal information.

The agency’s Privacy Management Plan can be found at the end of this policy. 

Obligations 

All personal information collected by TEQSA is protected by the Privacy Act 1988. Information on the Commonwealth Privacy Act 1988 can be found on the website of the Office of the Australian Information Commissioner. The agency is committed to protecting personal information. This Privacy Policy embodies this commitment and applies to personal information collected by TEQSA and its contractors and agents. The agency adheres to the requirements of the APPs contained within the Privacy Act 1988, the Privacy (Australian Government Agencies — Governance) APP Code 2017 and the Guidelines for Federal and ACT Government World Wide Websites, issued by the Privacy Commissioner. 

This document also includes the agency’s Privacy Management Plan required under the Privacy (Australian Government Agencies — Governance) APP Code 2017.

Access and Correction 

The agency will allow individuals to have access to their personal information that we hold and we will correct an individual’s personal information if it is inaccurate (subject to restrictions on such access/alteration of records under the applicable provisions of any law of the Commonwealth). The Freedom of Information Act 1982 also provides an opportunity to request access to documents in the possession of TEQSA. An individual who wishes to access the personal information the agency holds about them and to seek correction of that information should see TEQSA’s Freedom of Information page and request access to their personal information via a freedom of information request. 

Disclosure 

It is unlikely the records TEQSA holds that contain personal information will be disclosed to any overseas recipients. 

Complaints 

To make a complaint about the agency’s handling of personal information or compliance with the APPs please write to the address below: 

Privacy Contact Officer 
Tertiary Education Quality and Standards Agency 
GPO Box 1672 
Melbourne VIC 3001 

Email: foi [at] teqsa.gov.au 

If we receive a complaint about the agency’s handling of personal information or compliance with the APPs we will determine what (if any) action we should take to resolve the complaint. If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about. 

We will tell you promptly that we have received your complaint and will endeavour to respond to the complaint within 30 days. 

If you are not satisfied with the agency’s response you can complain to the Commonwealth Ombudsman. You may also make a complaint to the Office of the Australian Information Commissioner.

PART A: Personnel Records 

Collection 

The personal information contained in TEQSA’s personnel records is generally collected from the individual but may be obtained from former employers of individuals on engagement, with the consent of the individual. 

Content 

The content of personnel records may include: name, address, date of birth, occupation, AGS number, gender, qualifications, equal employment opportunity group designation, next of kin, details of pay and allowances, leave details, work reports, security clearance details and employment history. Personnel records include records about current and former employees as well as records about applicants for positions at TEQSA. 

Personnel records may include information which employees may consider sensitive such as: physical and mental health, disabilities, racial or ethnic origin, disciplinary investigation and action, criminal convictions, adverse performance and security assessments, tax file numbers, relationship details and personal financial information. 

Use 

Personnel records are used by TEQSA for the management of Human Resources. The following agency staff have access to personnel records: executive and senior staff with personnel management responsibility, supervisors and members of selection committees (as appropriate), the individual to whom the record relates and, as is relevant to completing their duties, Human Resources staff. 

Security and disposal 

Personnel records are kept according to the applicable provisions of the records authorities in relation to personnel functions issued by Australian Archives. Access to these records is restricted. They are kept in locked cabinets and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff. 

Disclosure 

Information held in personnel records may be disclosed, as appropriate, to: Comcare in relation to claims and workplace health issues, Commonwealth Medical Officers for the purposes of conducting fitness for duty assessments, Attorney-General's Department, Australian Public Service Commission for the purposes of obtaining policy advice, ComSuper and other superannuation administrators, the Productivity Commission for the purposes of calculating and paying employee entitlements, and the Australian Taxation Office, Centrelink, and the Child Support Agency in relation to payments required to be made. Information held on personnel records is moved to other APS agencies on movement or reengagement of an employee to that agency.

PART B: Financial Management System Records 

Collection 

The personal information contained in TEQSA’s financial management system records is generally collected from the individual or the employer of an individual. 

Content 

Contents may include: name, address, contact information and transaction history with TEQSA over previous and current financial years. Details of vendors and employee bank accounts are also kept in the financial system. 

Use 

Information is collected to maintain complete information relating to all financial transactions of the agency. The purpose of these records is to maintain payment details to allow for payment of invoices and claims from staff members and service providers. 

Within TEQSA this information is only available to relevant staff members of the Finance Section and authorised users of interfacing systems responsible for payments by direct credit (i.e. staff salary payments via Aurion).

Security and disposal 

The information in the Financial Management Information System (FMIS) is stored indefinitely. Paper records are destroyed seven years after last action. Access to these records is restricted. They are kept in locked cabinets and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff. 

Disclosure 

Information may be disclosed to the Reserve Bank of Australia and the Productivity Commission for the purpose of processing agency payments. The Finance team at the Fair Work Ombudsman (FWO) also has access to the FMIS as TEQSA has outsourced certain financial reporting functions to the FWO.

PART C: Consultancy services records 

Collection 

The personal information contained in TEQSA’s consultancy service records is generally collected from the individual or the employer of an individual. 

Content 

The consultancy services records may include name, address, phone number, email address, qualifications, honorifics, languages spoken, professional memberships, employment history, details of rate, work reports, security clearance details and information on their employment and any employees and subcontractors. Sensitive contents of a consultant’s information may include security assessment details. The consultancy services records include information collected in the course of engaging external subject matter experts.

Use 

The purpose of these records is to assist with the evaluation and engagement of consultancy services. The personal information in these records relates to the employees or subcontractors of the consultancy firm responding to the request. TEQSA staff in the business area from which the original request for consultancy services originated have access to these records, as do the Finance Team and senior managers on a need-to-know basis.

Security and disposal 

Consultancy service records are kept according to the applicable provisions of the General Records Authority and establishment records issued by Australian Archives. Access to these records is restricted. They are kept in locked cabinets and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff. 

Disclosure 

The name of a consultant and the content of their report may be disclosed to higher education providers for the purposes of performing TEQSA’s regulatory functions. TEQSA discloses some details of the consultancy record to the FWO for financial reporting. 

PART D: Higher education provider case management records 

Collection 

The personal information contained in TEQSA’s provider case management records is generally collected from the individual or the employer of an individual. 

Content 

The content includes: name, title, address, phone, email, date of birth, position title, position responsibilities, term of appointment, professional and educational history. Sensitive information may include acts of professional or academic misconduct, financial history, qualifications, gender and criminal convictions. 

Use 

The purpose of these records is to record details relating to higher education provider registration and course accreditation applications and assessments, notifications and general communications relating to providers, to enable TEQSA to carry out its regulatory functions. 

Security and disposal 

Provider case management records are kept according to TEQSA’s Records Authority. Access to these records is restricted. They are kept on premises only accessible via a security pass and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff. 

Disclosure 

Personal information in these records may be disclosed to Commonwealth, state or territory bodies responsible for regulating the provision of education, to consultants engaged by TEQSA and to bodies responsible for regulating occupations associated with courses regulated by TEQSA. These disclosures would be made for the purposes of assisting TEQSA to assess applications made to TEQSA, and to otherwise assist TEQSA to perform its regulatory responsibilities.

PART E: Legal services records 

Collection 

The Legal Group does not usually collect personal information but relies on existing records held by TEQSA. 

Content 

The personal information in the legal services records includes but is not limited to: name, address, date of birth, gender, marital status, and occupation. Sensitive content may include financial information, employee records, criminal convictions, physical or mental health details, relationship details and racial or ethnic origin. 

Use 

These records are used to enable the Legal Group to perform its functions in relation to the delivery of legal services to TEQSA. Only officers of the Legal Group involved in the provision of legal services for which the information is relevant have access to these records, and on a need-to-know basis, senior managers. 

Security and disposal 

The records are kept in accordance with the Administrative Functions Disposal Authority issued by the National Archives of Australia. The records are kept for specified periods that relate to the contents and have a wide range, e.g. records of breaches of mandatory standards are destroyed seven years after action completed, records of claims are destroyed seven years after settlement or withdrawal. 

Access to these records is restricted. They are kept in locked cabinets and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff. 

Disclosure 

This information may be disclosed to Commonwealth departments and agencies for the purposes of seeking legal advice or consulting on such requests, external legal advisers, and Courts and Tribunals.

PART F: Enquiries mailbox 

Collection 

The personal information contained in these records is usually sent by the individual.

Content 

The personal information contained in these records may include: name, address, occupation and phone number. 

TEQSA staff who manage the mailbox have access to this information. In addition, personal information contained in the enquiries is sometimes forwarded to Provider Case Managers or other staff in order to respond to the enquiries. Some of the enquiries are treated as complaints. See the complaints section of this Privacy Policy for information on who has access to personal information contained in complaints.

Use 

These records contain details of email enquiries received by the TEQSA enquiries mailbox. TEQSA uses the personal information in these records to respond to the enquiry. These emails are kept by TEQSA as a record of TEQSA having responded to the query. 

Security and disposal 

The records will be kept for five years. Access to these records is restricted. They are kept on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff.

Disclosure 

The personal information in these records is not usually disclosed to other persons or organisations.

PART G: Complaints 

Collection 

The personal information contained in these records is usually sent by the individual.

Content 

The records may contain the following personal information about a complainant: name, educational history, citizenship/visa status, address, occupation and phone number.

Use 

These records contain details of complaints received by TEQSA about higher education providers. The complaints are kept for consideration when TEQSA performs its regulatory functions in determining if a provider is meeting its obligations under the Tertiary Education Quality and Standards Agency Act 2011.

TEQSA staff who manage the complaints mailbox and provider case managers have access to this information. 

Security and disposal 

Complaints records are kept according to TEQSA’s Records Authority. 

Access to these records is restricted. They are kept on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff. 

Disclosure 

The personal information in these records is not usually disclosed to other persons or organisations without the consent of the individual.

PART H: Freedom of Information records 

Collection 

The personal information contained in these records is usually sent by the individual.

Content 

The records may include a freedom of information applicant’s name, address, phone number, date of birth, gender and occupation. 

Use 

The purpose of these records is to process and maintain a record of requests for access to documents under the Freedom of Information Act 1982. The following TEQSA staff have access to these records: the freedom of information coordinator and freedom of information officer, the Legal Group and senior managers on a need-to-know basis.

Security and disposal 

The records are kept for seven years. 

Access to these records is restricted. They are kept in locked cabinets and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff. 

Disclosure 

Some of this information may be disclosed to Commonwealth agencies or departments concerned with the particular application, or to other entities required to be consulted under the Freedom of Information Act 1982.

PART I: Provider Information Request (PIR) Data

Collection 

PIR data is collected from higher education providers and from the Commonwealth Department of Education. 

Content 

The personal information contained in the PIR data includes student and staff numerical identifiers, courses studied by students and students’ outcomes, as well as students’ educational history, citizenship/visa status, fee-paying status, and in some cases the salaries and work contract description of staff.

Use

This data enables TEQSA to regulate the higher education sector in line with its regulatory principles (relating to regulatory necessity, risk and proportionality). Through access to a core data set across all providers, TEQSA is able to employ a risk-based approach to regulation and thus can reduce regulatory burden on the sector and focus regulatory effort on potential risks to students. The data is used to calculate risk indicators which inform TEQSA’s assessments of providers and allow relevant application processes to be tailored. TEQSA also uses the data to prepare high level analysis across the higher education sector, though this information is only published or disclosed in a de-identified form. 

Security and disposal 

PIR data records are kept according to TEQSA’s Records Authority. Records are held in an isolated electronic data vault, with access limited to a small number of specially authorised personnel from the Information Management staff at TEQSA, who are responsible for managing these records. 

Disclosure 

Responsibility for the collection of PIR data was transitioned to the Department of Education and Training (the Department) on 1 January 2016. However, the authority for the collection of this data remains with TEQSA, through the TEQSA Act. As such, the Department specifies in its Privacy Policy that personal information collected on behalf of TEQSA (through the Higher Education Information Management System (HEIMS) and the Help IT System (HITS)) will only be released directly to TEQSA for the purposes of undertaking its regulatory functions.

TEQSA may disclose this information to Information Technology contractors and to the Productivity Commission for the purposes of maintaining Information Technology systems (including databases) associated with this information. This is consistent with provisions specified to the Privacy Commissioner in TEQSA’s original Privacy Impact Assessment relating to the collection of PIR data.

PART J: Data collected from TEQSA website 

When you use TEQSA’s online services, our servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your server address, your top level domain name, the date and time of the visit to the site, the pages accessed and documents viewed, the previous sites visited, and the browser type, browser language, and one or more cookies that may uniquely identify your browser.  The information does not contain anything that identifies, or may be used to identify, individuals.

PART K: Sector engagement contact details

Collection

Sector engagement contact details are collected from the relevant individual or their employer. 

Content 

The personal information contained in the sector engagement contact details may include individuals’ names, email addresses, job titles, employers, phone numbers, employers’ address, and state/territory/location of residence.

Use

This data enables TEQSA to keep members of the higher education sector up to date with news and events about the agency. It also allows the agency to maintain contact with peak bodies and organisations relevant to TEQSA’s functions.  

Security and disposal 

Sector engagement contact records are kept according to TEQSA’s Records Authority. Access to these records is restricted. MOU and Peak body contact details are kept on premises only accessible via a security pass and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff. Contact details for Subscribers to TEQSA’s newsletters are kept on MailChimp and only accessible to a small number of authorised staff in the Engagement Group. 

Disclosure 

TEQSA may disclose this information to Information Technology companies (such as MailChimp) for the purposes of maintaining databases associated with this information.

Privacy Management Plan

Compliance

The agency will ensure compliance with its privacy obligations by:

  • maintaining an up to date privacy policy
  • embedding privacy requirements in relevant policies and procedures, which are regularly reviewed 
  • keeping senior management informed about relevant privacy issues
  • undertaking privacy impact assessments when necessary
  • maintaining an up to date Data Breach Management Plan
  • responding promptly to complaints and inquiries about how the agency handles personal information
  • using established processes to allow individuals to access and correct their personal information
  • training staff on privacy obligations; and 
  • directing staff to seek advice on privacy obligations when required. 

As required under the Privacy (Australian Government Agencies — Governance) APP Code 2017 agency staff will receive annual privacy training as well as training on induction. 

Complaints and inquiries

The agency’s privacy officer will review and respond to any complaints or inquiries about the way the agency handles personal information. More information can be found in the complaints section earlier in this document.

Privacy goals and target

The agency’s privacy goals are to handle personal information in a responsible manner, consistent with its obligations under the Privacy Act 1988 and to ensure staff are aware of the agency’s privacy obligations.

The agency’s privacy target is to receive no complaints in relation to the way it handles personal information.

Measuring performance

The agency will measure and record its performance against its privacy target and goals annually. Any instances in which the agency falls short of its goals and target will be assessed and action taken in order to improve privacy processes.

Reporting

The agency’s privacy officer will report to senior management at least annually about relevant privacy issues, including performance against privacy targets, through a scheduled review of this privacy management plan.

The privacy officer will report to senior management as soon as practicable any substantiated complaint about the agency’s handling of an individual’s personal information, a data breach or any other privacy event which substantially affects TEQSA’s capacity to meet its obligations under the Privacy Act 1988, the Privacy (Australian Government Agencies — Governance) APP Code 2017 or this policy and plan.

Regular reviews

The agency will regularly review and update its privacy practices, procedures and systems, to ensure their currency and adequacy for the purposes of compliance with the APPs. The scope of the review will include:

  • the agency’s privacy policy; and
  • any privacy notice prepared for the purposes of APP 5.