The National Skills Commission (the Commission) is committed to promoting and upholding your right to privacy, and ensuring the proper handling of your personal information in accordance with the Privacy Act 1988 (Cth) (the Privacy Act).
The National Skills Commissioner (the Commissioner) is appointed under the National Skills Commissioner Act 2020 (Cth). The Commission provides advice to government on Australia’s workforce skills needs, efficient prices for vocational education and training (VET) courses, the public and private return on government investment in VET and other matters relating to the VET system. The Commission also publishes an annual report about Australia’s current, emerging and future workforce skills needs.
The Commissioner leads the Commission, and is aided by the staff and infrastructure of the Department of Education, Skills and Employment (the Department).
The Commissioner and staff , as well as contractors and agents, are subject to the Privacy Act and to the requirements of the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act. The APPs regulate how federal public sector agencies and certain private sector organisations can collect, hold, use and disclose personal information and how you can access and correct that information.
- describe the types of personal information that we collect, hold, use and disclose;
- outline our personal information handling practices;
- explain our authority to collect your personal information, why it may be held by us, how it is used and how it is protected;
- notify whether we are likely to disclose personal information to overseas recipients and, if possible, to whom;
- provide information on how you can access your personal information, correct it if necessary and complain if you believe it has been wrongly collected or inappropriately handled.
‘Personal information’ means any information (or an opinion) about an identified individual or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.
‘Sensitive information’ is a subset of personal information and includes information about your health, genetics, biometrics or disability; racial or ethnic origin; religious, political or philosophical beliefs; professional association or trade union memberships, sexuality; or criminal record. Additional requirements apply to the collection and handling of sensitive information.
2. Our Personal Information Handling Practices
Personal information may be collected directly by us, or by people or organisations acting on our behalf (e.g. contracted service providers). It may be collected directly from you, or on your behalf from a representative you have authorised.
We may also obtain personal information collected by other Australian Government agencies, state or territory governments, other third parties, or from publicly available sources. This will only occur where you consent, where it is unreasonable or impractical to collect the information only from you or where we are required or authorised to do so by law.
We are also authorised to collect personal information (which may include sensitive information) under the National Skills Commissioner Act 2020.
We will only collect information for a lawful purpose that is reasonably necessary or directly related to one or more of our functions and activities, or where otherwise required or authorised by law.
When we collect personal information, we are required under the APPs to notify you of a number of matters. These include the purposes for which we collect the information, whether the collection is required or authorised by law, and any person or body to whom we usually disclose the information, including if those persons or bodies are located overseas. We usually provide this notification by including privacy notices on our paper based forms and online portals.
We collect and hold a broad range of personal information in records relating to:
- employment and personnel matters for our staff and contractors (including security assessments);
- performance of our legislative and administrative functions;
- management of contracts;
- management of fraud and compliance investigations;
- management of audits (both internal and external);
- correspondence from members of the public to us or otherwise referred to us by departments or Ministers;
- complaints (including privacy complaints) made and feedback provided to us;
- requests made to us under the Freedom of Information Act 1982 (Cth) (FOI Act) or the Privacy Act; and
- the provision of legal advice by internal and external lawyers.
- where you provide your consent; or
- where required or authorised by law; or
- where a permitted general situation exists such as to prevent a serious threat to safety. Permitted general situations are set out in Section 16A of the Privacy Act. (www.legislation.gov.au/Details/C2019C00025/Html/Text#_Toc534973664)
Also, see APP Guidelines – Chapter C for further information on the range of ‘permitted general situations’.
We also collect sensitive information where authorised to do so, for the purposes of human resource management, detection and investigation of fraud or other misconduct, taking appropriate action against suspected unlawful activity or serious misconduct, and responding to inquiries by courts, tribunals and other external review bodies.
In carrying out our functions and activities we may collect personal information about children and young people, either directly from them, through their parents or guardians, or from their education or child care providers. Where children and young people are aged 15 or over, our general policy is to collect information directly from them as they are likely to have the capacity to understand any privacy notices provided to them and to give informed consent to the collection. For children under the age of 15, or where capacity to provide consent is at issue, our policy is to notify and seek the consent of a parent or guardian.
Sometimes personal information is not sought by us but is delivered or sent to us by either the individual or a third party without us having requested it. This information is considered ‘unsolicited’.
Where unsolicited information is received by us, we will, within a reasonable period, determine whether that information is directly related to one or more of our functions or activities. If this cannot be determined, we may, as soon as practicable and in accordance with the Archives Act 1983 (Archives Act) and the Privacy Act, destroy or de-identify the information. If this can be determined we will notify you of the purpose of collection and our intended uses and disclosures according to the requirements of the APPs, unless it is impracticable or unreasonable for us to do so.
We collect your personal information through a variety of channels, which may include forms or notices, online portals, social media websites and accounts, electronic or paper correspondence and from data sharing, matching or linkage arrangements with other Australian Government and state and territory agencies, or from other third parties.
We may also collect your personal information if you:
- communicate with us by telephone, mail, email, fax or SMS;
- attend a face to face meeting or event conducted by us or by people or organisations acting on our behalf ( e.g. contracted service providers);
- use our websites;
- participate in a survey administered by us; or
- interact with us on our social media platforms.
We also monitor news and media, including social media, in the public domain.
By signing paper documents or agreeing to the terms and conditions and disclaimers for electronic documents you are consenting to the collection of any personal information you provide to us.
You may wish not to identify yourself or to use a different name (pseudonym) when interacting with us.
In some cases, you will be able to remain anonymous or use a pseudonym, however, there will be occasions where it will be impractical for you to remain anonymous or use a pseudonym and we will advise you accordingly. For example, the Commission may be unable to investigate and resolve a complaint you have if you do not identify yourself.
There may also be situations where the Commission is required or authorised by law to deal only with an identified individual, in which case it may be necessary for you to identify yourself. For example, it would be difficult for the Commission to give you access to your personal information under the Privacy Act or other legislation such as the Freedom of Information Act 1982 (FOI Act) if you did not provide enough identification to satisfy the Commission that the relevant personal information was related to you.
Under the Privacy Act, we are required to take contractual measures to ensure that contracted service providers (including subcontractors) comply with the same privacy requirements applicable to us. When the Commission enters into agreements with contracted service providers, it imposes contractual obligations on providers to ensure they comply with relevant privacy obligations when collecting, using, disclosing and holding personal information relating to the Commission’s programs.
We store personal information in a range of paper-based and electronic records, including records that may be stored in the cloud.
Storage of personal information (and the disposal of information when no longer required) is managed in accordance with the Australian Government’s records management regime, including the Archives Act, records authorities, general disposal authorities and other whole of government policies or standards issued by the National Archives of Australia.
2.9.2 Data security
We take all reasonable steps to protect the personal information held in our possession against loss, unauthorised access, use, modification, disclosure or misuse.
Access to your personal information held by us is restricted to authorised persons who are the Commission, Australian Public Service employees or contractors, on a need to know basis.
Electronic and paper records containing personal information are protected in accordance with Australian Government security policies, including the Attorney-General’s Department’s Protective Security Policy Framework and the Australian Signals Directorate’s Information Security Manual.
We conduct regular audits to ensure we adhere to these policies.
We take all reasonable steps to ensure that the personal information we collect is accurate, up-to-date, complete, relevant and not misleading.
Audits and quality inspections are also conducted from time to time to ensure the accuracy and integrity of information, and any systemic data quality issues are identified and resolved promptly.
We may collect and hold personal information for a variety of different purposes including:
- performing our management, employment and personnel functions in relation to staff and contractors;
- performing our legislative and administrative functions;
- policy development, research and evaluation;
- data sharing or data integration with other Australian Government agencies
- complaints handling;
- administering requests received by us under the FOI Act or the Privacy Act;
- preventing, detecting, investigating or dealing with fraud or corruption against the Commonwealth;
- program management;
- contract management; and
- management of correspondence with the public.
- if you make a complaint to us, we may use and disclose your personal information to investigate and respond to the complaint.
- in relation to staff or persons under contract to the Department, we may use or disclose your personal information to manage your employment, performance and workplace health and safety
- If you correspond with us, we may use or disclosure your personal information in order to respond to your correspondence, or address matters raised within your correspondence.
We may also use and disclose personal information for a variety of different purposes including those listed at 2.2-2.5 and 2.11 of this policy.
We will only use or disclose your personal information for secondary purposes where we are able to do so in accordance with the Privacy Act. This may include where you have consented to this secondary purpose, or where the secondary purpose is related (or if sensitive information, directly related) to the primary purpose and you would reasonably expect us to use or disclose the information for the secondary purpose, where it is required or authorised by law or where a permitted general situation exists such as to prevent a serious threat to safety.
Likely secondary purposes for which we may use or disclose your personal information include but are not limited to: quality assurance, auditing, reporting, research, evaluation and analysis, investigations of fraud or misconduct, data sharing, data integration, data matching and promotional purposes.
2.13.1 Passive collection
Your information—including personal information—is collected by a variety of software applications, services and platforms used by your device and by the Commission to support it to deliver services.
This type of information collection is ‘passive’ as the Commission is not collecting this information directly and it does not directly relate to the Commission’s functions. Your consent for your information to be collected and shared in this way is typically obtained at the time you first use an application or service on your device.
You can opt out of some of these passive data collections, including by:
- Disabling / refusing cookies;
- Opting-out of Google Analytics; and
- Disabling location services on your device.
Additional advice regarding how to protect yourself online can be found at Stay Smart Online.
2.13.2 Active collection
The Commission directly collects some of your information—including personal information—via its website. Generally, this information is collected to enable the Commission to properly and efficiently carry out its functions and deliver services.
No attempt is made to identify you through your browsing other than in exceptional circumstances, such as an investigation into the improper use of the website.
Information may be collected by:
Type of information:
|Information collected to:|
Social media platforms
Your browser type
Your browser language
Your server address
Your location (where location services are enabled on your device)
Your top level domain name (e.g. ‘.com’, ‘.gov’, ‘.au’, ‘.uk’)
Date and time you accessed a page on our site
Pages accessed and documents viewed on our site
How our website was accessed (e.g. from a search engine, link or advertisement)
Measure the effectiveness of our content
Better tailor our content to our audience
Deliver services to you
Subscribe you to a service or update you have requested
Evaluate our programs
Inform policy development
2.13.3 Links to External Websites and Social Networking Services
We may also use social networking services such as Linkedin and Yammer to talk with the public and our staff. When you talk with us using these services we may collect your personal information to communicate with you and the public.
The social networking service will also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for these services on their websites.
2.13.4 Electronic communication
There are inherent risks associated with the transmission of information over the internet, including via email. You should be aware of this when sending personal information to us via email or via our website or social media platforms. If this is of concern to you then you may use other methods of communication with us, such as post, fax or telephone (although these also have risks associated with them).
We may disclose your personal information to other Commonwealth agencies that provide services to the Commission, in particular the Service Delivery Office within the Department of Finance (Finance), which provides a range of corporate services to the Commission. For more information, please refer to the Service Delivery Office.
We will, on occasion, disclose personal information to overseas recipients. The situations in which we may disclose personal information overseas include:
- the publication on the internet of material which may contain personal information, such as reports and other documents; photographs, video recordings and audio recordings; and posts and comments on our social media platforms;
- the provision of personal information to overseas researchers or consultants (where consent has been given for this or we are otherwise legally able to provide this information);
- the provision of personal information to recipients using a web-based service where data is stored on an overseas server, for example, the Commission may use Mailchimp for email subscriptions and SurveyMonkey for online surveys (see below for further detail on these services);
- where recipients of our communications use an email account that stores data on an overseas server; and
- where people post and comment on our social media platforms.
We will not disclose your personal information to an overseas recipient unless one of the following applies:
- the recipient is subject to a law or binding scheme substantially similar to the APPs, including mechanisms for enforcement;
- you consent to the disclosure after being expressly informed that we will not be taking reasonable steps to ensure that the overseas recipient does not breach the APPs;
- a permitted general situations exists (e.g. to lessen or prevent a serious threat to life, health or safety);
- disclosure is required or authorised by law, or by an international agreement relating to information sharing to which Australia is a party; or
- the disclosure is reasonably necessary for an enforcement related activity conducted by, or on behalf of, an enforcement body and the recipient performs similar functions.
It is not practicable to list every country to which we may provide personal information as this will vary depending on the circumstances.
Mailchimp is based in the United States of America (USA) and the information generated by cookies about your use of the website (including your IP address) will be transmitted to and stored by Mailchimp on servers located outside Australia.
If you do not unsubscribe or contact the Commissioner to opt out of the mailing list you:
- understand and acknowledge that this service utilises a Mailchimp platform which is located in the USA and relevant legislation of the USA will apply. This means you will need to seek redress under the laws of the USA for any privacy breaches by Mailchimp; and
- understand and acknowledge that Mailchimp is not subject to the Commonwealth Privacy Act and the Commissioner will not have an obligation to take reasonable steps to ensure that Mailchimp does not breach the APPs in relation to personal information that is given to Mailchimp.
The Commissioner will only use this information if you choose to respond to our invitation to participate in a survey, and for the purpose of receiving and analysing your answers.
SurveyMonkey is based in the USA and the EU and the information generated by cookies about your use of the website (including your IP address) will be transmitted to and stored by SurveyMonkey on servers located outside Australia.
If you choose to respond to one of our surveys you:
- understand and acknowledge that this service utilises a SurveyMonkey platform, which is located in the USA and the EU, and relevant legislation of those countries will apply. This means you will need to seek redress under the laws of the USA or the EU for any privacy breaches by SurveyMonkey; and
- you understand and acknowledge that SurveyMonkey is not subject to the Commonwealth Privacy Act, and the Commissioner will not have an obligation to take reasonable steps to ensure that SurveyMonkey does not breach the APPs in relation to personal information that is given to SurveyMonkey.
We will take seriously and deal promptly with any unauthorised access, use or disclosure of personal information.
The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act, which commenced on 22 February 2018, generally requires agencies and organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm to those individuals. These entities are also required to notify the Office of the Australian Information Commissioner. We comply with the NDB scheme when dealing with these types of data breaches.
The Commissioner also has regard to relevant guidance material issued by the Office of the Australian Information Commissioner, including the ‘Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth), when responding to any incidents involving the unauthorised access of, use or disclosure of personal information.
3. Accessing and Correcting Your Personal Information
You have a right under the Privacy Act to access personal information we hold about you.
You also have a right under the Privacy Act to request corrections of any personal information that we hold about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If you request access to or correction of your personal information, we must respond to you within 30 calendar days.
While the Privacy Act requires that we give you access to or correct your personal information on request, it does set out circumstances in which we may refuse you access or decline to correct your personal information.
If we refuse to give you access or decline to correct your personal information we will provide you with a written notice which, among other things, gives our reasons for refusing your request.
It is also possible to access and correct documents held by us under the FOI Act. For information on this, please contact our FOI Coordinator (contact details are available on the Freedom of Information page of our website).
If you are unsatisfied with our response, you may make a complaint, either directly to us (see section 5 below), or you may wish to contact:
4. Privacy Impact Assessments
A privacy impact assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.
The Privacy (Australian Government Agencies — Governance) APP Code 2017 (Privacy Code) requires us to undertake a PIA in certain instances and to maintain a register of those PIAs from 1 July 2018. In accordance with the Privacy Code, we publish a version of our PIA register on our website.
Please be aware that it may be difficult to investigate or respond to your complaint if you provide insufficient detail. You may submit an anonymous complaint, however if you do it may not be possible for us to provide a response to you.
We are committed to quick and fair resolution of complaints and will ensure your complaint is taken seriously and investigated appropriately.
If you have a complaint about our privacy practices, you should submit a written complaint using the contact details set out in this policy. We will respond to your complaint within 30 days.
If you are in the EU, you can lodge a complaint with the supervisory authority for the GDPR in your country.
If you are not satisfied with the way we have handled your complaint in the first instance, you may contact the Office of the Australian Information Commissioner to refer your complaint for further investigation. Please note that the Information Commissioner may not investigate if you have not first brought your complaint to our attention.
Office of the Australian Information Commissioner
Telephone: 1300 363 992
Post: GPO Box 5218
Sydney NSW 2001
6. Contact Us
If you wish to:
- query how your personal information is collected, held, used or disclosed by us;
- request access to or seek correction of your personal information; or
- make a privacy complaint;
please contact us:
National Skills Commissioner GPO Box 9880 Canberra ACT 2601 Australia
By email: firstname.lastname@example.org
By telephone: 02 6240 0393
Date policy last updated: May 2021