Records and Data Management Policy and Privacy Policy
Purpose
This policy outlines Sydney Art School’s (SAS) approach to managing records and personal information to ensure compliance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Education Services for Overseas Students Act 2000 (Cth) (ESOS Act), the National Code of Practice for Providers of Education and Training to Overseas Students 2018 (National Code), and the Standards for Registered Training Organisations (RTOs) 2025. It ensures records and data are handled securely, transparently, and lawfully to support SAS’s operations, CRICOS registration obligations, and continuous improvement while protecting the privacy of students, staff, and stakeholders, including international students.
Scope
This policy applies to all records and data created, received, or maintained by SAS, including personal and sensitive information from students (domestic and international), staff, third parties, and stakeholders. It covers academic records (e.g., assessments, qualifications, enrolments), non-academic records (e.g., complaints, financial transactions, feedback), and personal information related to education delivery, CRICOS compliance, and marketing activities.
Definitions
- Record: Any document, digital or physical, created or received by SAS in the course of its operations, including student records, financial data, and correspondence.
- Personal Information: Information or an opinion about an identified individual, as defined by the Privacy Act 1988 (Cth).
- Sensitive Information: A subset of personal information, including health, racial, or ethnic data, as defined by the Privacy Act 1988 (Cth).
- Data Breach: Unauthorised access, disclosure, or loss of personal information that may result in harm to individuals.
- Third Party: Any external provider delivering services on behalf of SAS, such as cloud providers, education agents, or assessors.
- CRICOS: Commonwealth Register of Institutions and Courses for Overseas Students, governing SAS’s delivery of education to international students under the ESOS Act.
Principles
- Accuracy: Records and personal information are accurate, complete, and up to date to ensure reliability for operational, compliance, and CRICOS reporting purposes.
- Security: Records and personal information are stored securely to protect against unauthorised access, loss, or damage, per APP 11 and National Code Standard 3.
- Accessibility: Authorised personnel can access records efficiently, while access is restricted to protect privacy, per APPs 12 and 13 and National Code Standard 3.
- Lawful and Fair Collection: Personal information is collected only when necessary, with consent, and in a lawful, fair manner, per APP 3 and ESOS Act requirements.
- Transparency: Individuals are informed about how their information is collected, used, and disclosed, including mandatory CRICOS-related disclosures, per APP 1 and National Code Standard 2.
- Purpose Limitation: Information is used only for the primary purpose of collection (e.g., education delivery, CRICOS compliance) unless consent is obtained for secondary purposes, per APP 6.
- Retention: Records are retained for the minimum periods required by ASQA (e.g., 7 years for student records, 30 years for qualification records), the ESOS Act, and other legislation, such as the Corporations Act 2001.
- Confidentiality: Personal and sensitive information is handled in accordance with the Privacy Act 1988 (Cth) and only disclosed as permitted, including for CRICOS compliance.
- Anonymity: Where lawful and practicable, individuals may interact with SAS anonymously or pseudonymously, per APP 2.
- CRICOS Compliance: SAS ensures compliance with the ESOS Act and National Code, including accurate record-keeping for international student progress, attendance, and visa compliance.
- Continuous Improvement: Records and privacy practices are reviewed regularly to identify trends and inform improvements in policies, training, and operations.
Procedures
Collection and Creation
- Records and personal information are collected lawfully, fairly, and only when necessary for SAS’s functions (e.g., enrolment, assessment, CRICOS compliance).
- Information includes names, contact details, payment information, academic records, and, for international students, visa details, attendance, and course progress, per National Code Standard 11.
- Sensitive information (e.g., health data for special considerations) is collected only with explicit consent, per APP 3.
- Records are created in a consistent format, using SAS’s management system (e.g., aXcelerate for student data), compliant with National Code Standard 3.
Use and Disclosure
- Personal information is used for primary purposes, such as delivering education, issuing qualifications, and complying with ASQA, ESOS Act, and Department of Home Affairs requirements.
- Disclosure is limited to authorised purposes, such as to government agencies (e.g., ASQA, Department of Education, Department of Home Affairs for CRICOS reporting) or with consent (e.g., promoting alumni achievements), per APP 6 and National Code Standard 2.
- International student data (e.g., enrolment status, course progress) is disclosed to the Department of Home Affairs via PRISMS, as required by the ESOS Act.
- Marketing communications (e.g., newsletters) require opt-in consent, with an option to unsubscribe, per APP 7.
Storage and Security
- Records and personal information are stored in secure, password-protected systems (e.g., aXcelerate) with access restricted to authorised personnel, per APP 11 and National Code Standard 3.
- Physical records are kept in locked facilities, and digital records are encrypted with regular backups.
- SAS implements firewalls, access controls, and staff training to prevent misuse, interference, or unauthorised access, ensuring compliance with ESOS Act security requirements.
Access and Correction
- Individuals can request access to their records or personal information by emailing [email protected]. Requests are processed within 10 working days, subject to identity verification, per APP 12 and National Code Standard 3.
- Corrections to inaccurate information can be requested via the same email, with responses within 10 working days, per APP 13.
- Access may be denied where permitted by law (e.g., legal privilege, third-party confidentiality), with reasons provided in writing.
Retention and Disposal
- Student assessment records are retained for at least 7 years, and qualification records for 30 years, per ASQA and ESOS Act requirements.
- Other records (e.g., financial, complaints) are retained as required by legislation, such as the Corporations Act 2001.
- Disposal is secure (e.g., shredding for physical records, secure deletion for digital records) to prevent unauthorised access, per APP 11.
Data Breach Response
- Suspected data breaches are investigated immediately, following the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth).
- If a breach is likely to cause serious harm, affected individuals and the Office of the Australian Information Commissioner (OAIC) are notified within 30 days, per APP 11.
- For international students, SAS ensures compliance with ESOS Act obligations by reporting breaches that may affect visa status to the Department of Home Affairs.
- SAS documents breaches and implements corrective measures, both of which are recorded in a breach register.
Third-Party Arrangements
- Third parties (e.g., cloud providers, education agents, assessors) handling records or personal information are contractually obligated to comply with APPs, ASQA standards, and National Code Standard 4.
- SAS monitors third-party compliance through regular audits and data-sharing agreements.
International Students and CRICOS Compliance
- SAS, as a CRICOS provider, complies with the ESOS Act and National Code, maintaining accurate records of international student enrolment, course progress, attendance, and visa compliance, per Standards 8 and 11.
- International students are informed of mandatory disclosures (e.g., to the Department of Home Affairs via PRISMS) during enrolment, per National Code Standard 2.
- Records related to international student support services (e.g., welfare, academic support) are maintained to meet National Code Standard 6.
Complaints
- Concerns or complaints about records management or privacy can be submitted to [email protected], following the SAS Complaints, Appeals and Feedback Policy.
- SAS responds within 5 working days and aims to resolve issues within 20 working days. Unresolved complaints may be escalated to the OAIC or, for international students, the Commonwealth Ombudsman, per National Code Standard 10.
Continuous Improvement
SAS conducts quarterly reviews of records and privacy practices to identify trends, errors, or systemic issues, incorporating feedback and data breach findings to improve policies, training, and operations, including CRICOS-related processes.
Feedback on records or privacy practices can be sent to [email protected].
Monitoring and Review
This policy is reviewed annually or following legislative changes to ensure ongoing compliance with the Privacy Act 1988 (Cth), ESOS Act, National Code, and ASQA standards. Last review: August 2025.
For assistance, email [email protected].
