Complete privacy policy

December 2025

 

Documents

Complete privacy policy  (PDF, 263 KB)

1. Introduction

The Tertiary Education Quality and Standards Agency (TEQSA) is Australia’s independent national quality assurance and regulatory agency for higher education.

Our purpose is to protect student interests and the reputation of Australia’s higher education sector through a proportionate, risk-reflective approach to quality assurance that supports diversity, innovation and excellence.

The Tertiary Education Quality and Standards Agency Act 2011 (TEQSA Act) which established us as an agency, calls for us to:

  • register regulated entities as higher education providers and accredit their courses of study
  • conduct compliance and quality assessments
  • conduct re-accreditation assessments of courses developed by providers without self-accrediting authority
  • provide advice and make recommendations to the Commonwealth Minister responsible for Education on matters relating to the quality and regulation of higher education providers
  • cooperate with similar agencies in other countries
  • collect, analyse, interpret and disseminate information relating to quality assurance practice and quality improvement in higher education
  • to investigate and take action against individuals or organisations offering or advertising commercial academic cheating services to students at Australian higher education providers.

More information is available on the TEQSA website.

1.1. Who should read this privacy policy?

You should read this privacy policy if you are:

  • a student
  • a higher education provider
  • a professional accreditation body
  • a contractor, consultant, or supplier of goods or services to us
  • a person whose information may be given to us by a third party, including other Australian Government agencies
  • a current or past employee
  • a person seeking employment with us, or
  • any other individual whose personal information we may collect, hold, use and disclose from time to time.

1.2. Purpose of this privacy policy

The purpose of this privacy policy is to:

  • describe the types of personal information that we collect, hold, use and disclose
  • outline our personal information handling practices
  • explain our authority to collect your personal information, why it may be held by us, how it is used and how it is protected
  • notify whether we are likely to disclose personal information to overseas recipients and, if possible, to whom
  • provide information on how you can access your personal information, correct it if necessary and complain if you believe it has been wrongly collected or inappropriately handled.

This privacy policy has been developed to follow the ‘layered policy’ format, which means that it offers layers of greater or lesser detail so people can read as much as they wish and find what they need fast.

For a snapshot of our personal information handling practices, please go to the Condensed Privacy Policy. This offers an easy-to-understand summary of:

  • how we collect, use, disclose and store your personal information
  • how you can contact us if you want to access or correct personal information we hold about you or complain if you believe it has been wrongly collected or inappropriately handled.

Full details of these practices are contained in this document.

1.3. Privacy Act 1988

TEQSA, including its employees, contractors and agents, is subject to the Privacy Act 1988 (Cth) (the Privacy Act) and to the requirements of the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act.

The APPs regulate how federal public sector agencies and certain private sector organisations can collect, hold, use and disclose personal information and how you can access and correct that information.

The APPs only apply to information about living individuals, not information about corporate entities such as businesses, firms or trusts. Detailed information and guidance about the APPs can be found on the Office of Australian Information Commissioner website.

1.4. Information covered under this privacy policy

This privacy policy has been developed in accordance with Australian Privacy Principle 1 and embodies our commitment to protecting the personal information we collect, hold, use and disclose.

This privacy policy is not intended to cover our handling of commercially sensitive information or other information that is not defined in the Privacy Act as personal information.

‘Personal information’ means any information (or an opinion) about an identified individual or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.1

‘Sensitive information’ is a subset of personal information and includes information about your health, genetics, biometrics or disability, racial or ethnic origin, religious, political or philosophical beliefs, professional association or trade union memberships, sexuality or criminal record.2 Additional requirements apply to the collection and handling of sensitive information.

2. Our personal information handling practices

2.1. Collection of personal information

Personal information may be collected directly by us, or by people or organisations acting on our behalf (e.g. contracted service providers). It may be collected directly from you, or on your behalf from a representative you have authorised.

We may also obtain personal information collected by other Australian Government departments or agencies, higher education providers, other third parties, or from publicly available sources. This will only occur where you consent, where it is unreasonable or impractical to collect the information only from you, or where we are required or authorised to do so by law.

We will only collect information for a lawful purpose that is reasonably necessary or directly related to one or more of our functions and activities, or where otherwise required or authorised by law.

2.2. Types of personal information collected by us

We collect and hold a broad range of personal information in records relating to:

  • performance of our legislated regulatory and quality assurance functions
  • employment and personnel matters for our employees, labour hire workers, contractors and consultants
  • management of contracts and consultancy arrangements
  • communication and engagement with the sector
  • requests made to us under the Freedom of Information Act 1982 (Cth) (FOI Act) or the Privacy Act
  • the provision of legal advice by internal and external lawyers.

This personal information may include but is not limited to:

  • your name, address, signature and contact details (e.g. phone, email and fax)
  • photographs, video recordings and audio recordings of you
  • information about your personal circumstances (e.g. marital status, age, occupation, accommodation, social media accounts and relevant information about your partner or children)
  • information about your financial affairs (e.g. payment details, bank account details and information about business and financial interests)
  • information about your identity (e.g. date of birth, country of birth, passport details, visa details, driver licence)
  • information about your employment (e.g. position title, position responsibilities, term of appointment, work history, referee comments, remuneration)
  • information about your background (e.g. educational qualifications and history, honorifics, the languages you speak and your English proficiency)
  • information about your studies and training (e.g. campus of study, scholarships, academic records or testamurs)
  • government or other identifiers (e.g. AGS Number, tax file number, Unique Student Identifier, student identification number or internet protocol address).

2.3. Collection of sensitive information

In carrying out our functions and activities we may collect personal information that is sensitive information (see section 1.4 of this privacy policy). The APPs impose additional obligations on us when collecting, using or disclosing sensitive information. We may only collect sensitive information from you:

  • where you provide your consent and the information is reasonably necessary for, or directly related to, TEQSA’s functions or activities; or
  • where required or authorised by law.3

We may collect sensitive information for the purposes of human resource management and responding to inquiries by courts, tribunals and other external review bodies.

This sensitive information may include but is not limited to:

  • information about your health (e.g. physical and mental health, disabilities, gender, dietary requirements or accessibility needs)
  • information about your racial or ethnic origin, religious beliefs or affiliations, sexual orientation or practices, or criminal record
  • information about your political opinions or membership of any political association(s)
  • information about your membership of any professional or trade association(s) or union(s).

2.4. Collection of unsolicited information

Sometimes personal information is not sought by us but is delivered or sent to us by either the individual or a third party without us having requested it. This information is considered ‘unsolicited’.

Where unsolicited information is received by us, we will, within a reasonable period, determine whether that information is directly related to one or more of our functions or activities. If this cannot be determined, we may, as soon as practicable and in accordance with the Archives Act 1983 (Archives Act) and the Privacy Act, destroy or de-identify the information. If this can be determined we will notify you of the purpose of collection and our intended uses and disclosures according to the requirements of the APPs, unless it is impracticable or unreasonable for us to do so.

2.5. Remaining anonymous or using a pseudonym

You may wish not to identify yourself or to use a different name (pseudonym) when interacting with us.

In some cases, you will be able to remain anonymous or use a pseudonym, however, there will be occasions where it will be impractical for you to remain anonymous or use a pseudonym and, where appropriate, we will advise you accordingly. For example, if you do not identify yourself TEQSA may be unable to investigate and resolve a complaint you have or complete an assessment or investigation related to compliance with its procedures or policies.

There may also be situations where TEQSA is required or authorised by law to deal only with an identified individual, in which case it may be necessary for you to identify yourself.  For example, it would be difficult for TEQSA to give you access to your personal information under the Privacy Act or other legislation such as the FOI Act if you did not provide enough identification to satisfy TEQSA that the relevant personal information was related to you.

2.6. Information collected by our contractors

Under the Privacy Act, we are required to take contractual measures to ensure that contracted service providers (including subcontractors) comply with the same privacy requirements applicable to us. When TEQSA enters into agreements with contracted service providers, it imposes contractual obligations on providers to ensure they comply with relevant privacy obligations when collecting, using, disclosing and holding personal information relating to TEQSA’s activities.

2.7. Storage and data security

2.7.1. Storage

We store personal information in a range of paper-based and electronic records. Some electronic records may be stored in the cloud, including in cloud-based systems provided or utilised by our contractors and third-party providers.

Storage of personal information (and the disposal of information when it is no longer required) is managed in accordance with the Australian Government’s records management regime, including but not limited to the Archives Act, records authorities, general disposal authorities and other whole-of-government policies or standards issued by the National Archives of Australia.

2.7.2. Data security

We take all reasonable steps to protect the personal information held in our possession against loss, unauthorised access, use, modification, disclosure or misuse.

Access to your personal information held by us is restricted to authorised persons who are TEQSA employees or contractors, on a need-to-know basis.

Electronic and paper records containing personal information are protected in accordance with Australian Government security policies, including the Australian Government’s Protective Security Policy Framework and the Australian Signals Directorate’s Information Security Manual.

2.8. Data quality

We take all reasonable steps to ensure that the personal information we collect is accurate, up-to-date, complete, relevant and not misleading.

These steps include responding to requests to correct personal information when it is reasonable and appropriate to do so. For further information on correcting personal information see section 3 of this privacy policy.

Audits and quality inspections may be conducted from time to time to ensure the accuracy and integrity of information, and any systemic data quality issues are identified and resolved promptly.

2.9 Purposes for which information is collected, held, used and disclosed

We collect, hold, use and disclose personal information for a variety of different purposes including to:

  • perform our legislated regulatory and quality assurance functions
  • perform our management, employment and personnel functions and responsibilities in relation to our staff and contractors
  • manage contracts and consultancy arrangements
  • administer requests received by us under the FOI Act or the Privacy Act
  • manage correspondence and engagement with stakeholders, members of the higher education sector and the public
  • obtain legal advice from internal and external lawyers.

Our legislated functions under the TEQSA Act include, but are not limited to:

  • assessing applications of higher education providers for registration, renewal of registration, course accreditation, and renewal of course accreditation
  • conducting assessments of compliance
  • notifying and generally communicating with prospective and registered higher education providers in relation to TEQSA’s regulatory functions
  • collecting and retaining student records following a provider ceasing to operate (and to allow students and providers to request access).

Our legislated functions under the Education Services for Overseas Students Act 2000 (ESOS Act) include, but are not limited to:

  • assessing applications for Commonwealth Register of Institutions and Courses for Overseas Students (CRICOS) registration and renewal of CRICOS registration
  • assessing applications to make changes to CRICOS registration, including making changes or adding courses, locations, student capacity and third-party arrangements
  • monitoring compliance with all requirements under the ESOS Act and related legislation, and acting where there is non-compliance or risks of non-compliance.

We use and disclose personal information for the primary purposes for which it is collected.

We will only use your personal information for secondary purposes where we are able to do so in accordance with the Privacy Act. This may include where you have consented to this secondary purpose, or where the secondary purpose is related (or if sensitive information, directly related) to the primary purpose and you would reasonably expect us to use or disclose the information for the secondary purpose, where it is required or authorised by law or where a permitted general situation exists such as to prevent a serious threat to safety.

Likely secondary purposes for which we may use or disclose your personal information include but are not limited to quality assurance, auditing and reporting.

2.10. Our online services

When you use TEQSA’s online services, our servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your server address, your top-level domain name, the date and time of the visit to the site, the pages accessed and documents viewed, the previous sites visited, and the browser type, browser language, and one or more cookies that may uniquely identify your browser. The information does not contain anything that identifies individuals.

2.11. Disclosure of personal information overseas

It is unlikely the records we hold that contain personal information will be disclosed to any overseas recipients. However, where TEQSA does so, we will ensure that appropriate steps are taken to comply with Australian Privacy Principle 8.4

2.12. Unauthorised access, use or disclosure of personal information

We will take seriously and deal promptly with any unauthorised access, use or disclosure of personal information.

The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act, which commenced on 22 February 2018, generally requires agencies and organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm to those individuals. These entities are also required to notify the Office of the Australian Information Commissioner. We comply with the NDB scheme when dealing with these types of data breaches.

TEQSA also has regard to relevant guidance material issued by the Office of the Australian Information Commissioner, including the ‘Data breach preparation and response - a guide for organisations and agencies to help them prepare for and respond to a data breach in line with their obligations under the Privacy Act’, when responding to any incidents involving the unauthorised access of, use or disclosure of personal information.

3. Accessing and correcting your personal information

3.1. How to seek access to and correction of personal information

You have a right under the Privacy Act to access personal information we hold about you.

You also have a right under the Privacy Act to request corrections of any personal information that we hold about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

To access or seek correction of personal information we hold about you, please contact us using the contact details set out at section 6.1 of this privacy policy.

3.2. Our access and correction process

If you request access to, or correction of, your personal information, we must respond to you within 30 calendar days.

While the Privacy Act requires that we give you access to, or correct, your personal information on request, it does set out circumstances in which we may refuse you access or decline to correct your personal information.

If we refuse to give you access or decline to correct your personal information we will provide you with a written notice which, among other things, gives our reasons for refusing your request.

It is also possible to access and correct documents held by us under the FOI Act. Further information about how to make an FOI application is available on the Freedom of Information page of our website. You can also contact our FOI team at foi@teqsa.gov.au.

3.3. If you are unsatisfied with our response

If you are unsatisfied with our response, you may make a complaint, either directly to us (see section 5 below), or you may wish to contact:

  • the Office of the Australian Information Commissioner at enquiries@oaic.gov.au or phone 1300 363 992
  • the Commonwealth Ombudsman by lodging a Complaint Form online or phone 1300 362 072.

4. Privacy impact assessments

4.1. What is a privacy impact assessment

A privacy impact assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

4.2. When we conduct privacy impact assessments

The Privacy (Australian Government Agencies — Governance) APP Code 2017 (Privacy Code) requires us to undertake a PIA in certain instances and to maintain a register of those PIAs from 1 July 2018. In accordance with the Privacy Code, we publish a version of our PIA register on our website.

5. Privacy complaints

5.1. How to make a privacy complaint

If you think we may have breached your privacy you may contact us to make a complaint using the contact details set out at section 6.1 of this privacy policy. In order to ensure that we fully understand the nature of your complaint and the outcome you are seeking, we prefer that you make your complaint in writing.

Please be aware that it may be difficult to investigate or respond to your complaint if you provide insufficient detail. You may submit an anonymous complaint, however if you do it may not be possible for us to provide a response to you.

5.2 Our privacy complaint handling process

We are committed to quick and fair resolution of complaints and will ensure your complaint is taken seriously and investigated appropriately. You will not be victimised or suffer negative treatment if you make a complaint.

For further information about our complaint handling process please read our Complaints about TEQSA policy.

5.3. If you are unsatisfied with our response

If you are not satisfied with the way we have handled your complaint in the first instance, you may contact the Office of the Australian Information Commissioner to refer your complaint for further investigation. Please note that the Information Commissioner may not investigate if you have not first brought your complaint to our attention. 

Office of the Australian Information Commissioner

Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Post: GPO Box 5288, Sydney NSW 2001

6. Contact us

6.1. General enquiries, complaints, requests for access or correction

If you wish to:

  • query how your personal information is collected, held, used or disclosed by us
  • ask us questions about this privacy policy
  • request access to or seek correction of your personal information
  • make a privacy complaint

please contact us:

By mail:
Privacy Contact Officer
Tertiary Education Quality and Standards Agency
GPO Box 1672
Melbourne VIC 3001

By email:
foi@teqsa.gov.au

By phone:
1300 739 585

6.2. Availability of this privacy policy

If you wish to access this privacy policy in an alternative format (e.g. hard copy) please contact us using the contact details set out at section 6.1 above. This privacy policy will be made available free of charge.

7. Privacy policy updates

This privacy policy will be reviewed at least annually and updated as required.

Date policy last updated: December 2025

Notes

  1. See section 6 of the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APP) Guidelines issued by the Office of the Australian Information Commissioner.
  2. As above.
  3. Australian Privacy Principle 3.4 provides for specific circumstances in which the collection of sensitive personal information is authorised.
  4. For further information on cross-border disclosure of personal information, see Chapter 8 of the APP Guidelines issued by the Office of the Australian Information Commissioner.

Document control information

Document Name: Privacy Policy
Document owner: General Counsel
Version: 4
Approval date: 11 December 2025
Next review date: 11 December 2026
Approver: Accountable Authority

Related links