Privacy policy

1. Introduction

The National Skills Commission (the Commission) is committed to promoting and upholding your right to privacy, and ensuring the proper handling of your personal information in accordance with the Privacy Act 1988 (Cth) (the Privacy Act).

The National Skills Commissioner (the Commissioner) is appointed under the National Skills Commissioner Act 2020 (Cth). The Commission provides advice to government on Australia’s workforce skills needs, efficient prices for vocational education and training (VET) courses, the public and private return on government investment in VET and other matters relating to the VET system. The Commission also publishes an annual report about Australia’s current, emerging and future workforce skills needs.

The Commissioner leads the Commission, and is aided by the staff and infrastructure of the Department of Education, Skills and Employment (the Department).

The Commissioner and staff, as well as contractors and agents, are subject to the Privacy Act and to the requirements of the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act. The APPs regulate how federal public sector agencies and certain private sector organisations can collect, hold, use and disclose personal information and how you can access and correct that information.

This privacy policy has been developed in accordance with APP 1 and our obligation to ensure the open and transparent management of the personal information we collect, hold, use and disclose.

1.1. Purpose of this privacy policy

The purpose of this privacy policy is to:

  • describe the types of personal information that we collect, hold, use and disclose;
  • outline our personal information handling practices;
  • explain our authority to collect your personal information, why it may be held by us, how it is used and how it is protected;
  • notify whether we are likely to disclose personal information to overseas recipients and, if possible, to whom;
  • provide information on how you can access your personal information, correct it if necessary and complain if you believe it has been wrongly collected or inappropriately handled.

This privacy policy has been developed to follow the ‘layered policy’ format, which means that it offers layers of greater or lesser detail so people can read as much as they wish and find what they need fast.

For a snapshot of our personal information handling practices, please go to the Condensed Privacy Policy. This offers an easy-to-understand summary of:

  • how we collect, use, disclose and store your personal information; and
  • how you can contact us if you want to access or correct personal information we hold about you.

1.2. Information covered under this privacy policy

This privacy policy is not intended to cover our handling of commercially sensitive information or other information that is not defined in the Privacy Act as personal information.

‘Personal information’ means any information (or an opinion) about an identified individual or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.

‘Sensitive information’ is a subset of personal information and includes information about your health, genetics, biometrics or disability; racial or ethnic origin; religious, political or philosophical beliefs; professional association or trade union memberships, sexuality; or criminal record. Additional requirements apply to the collection and handling of sensitive information.

2. Our Personal Information Handling Practices

2.1. Collection of personal information

Personal information may be collected directly by us, or by people or organisations acting on our behalf (e.g. contracted service providers). It may be collected directly from you, or on your behalf from a representative you have authorised.

We may also obtain personal information collected by other Australian Government agencies, state or territory governments, other third parties, or from publicly available sources. This will only occur where you consent, where it is unreasonable or impractical to collect the information only from you or where we are required or authorised to do so by law.

We are also authorised to collect personal information (which may include sensitive information) under the National Skills Commissioner Act 2020.

We will only collect information for a lawful purpose that is reasonably necessary or directly related to one or more of our functions and activities, or where otherwise required or authorised by law.

When we collect personal information, we are required under the APPs to notify you of a number of matters. These include the purposes for which we collect the information, whether the collection is required or authorised by law, and any person or body to whom we usually disclose the information, including if those persons or bodies are located overseas. We usually provide this notification by including privacy notices on our paper based forms and online portals.

2.2. Types of personal information collected by us

We collect and hold a broad range of personal information in records relating to:

  • employment and personnel matters for our staff and contractors (including security assessments);
  • performance of our legislative and administrative functions;
  • management of contracts;
  • management of fraud and compliance investigations;
  • management of audits (both internal and external);
  • correspondence from members of the public to us or otherwise referred to us by departments or Ministers;
  • complaints (including privacy complaints) made and feedback provided to us;
  • requests made to us under the Freedom of Information Act 1982 (Cth) (FOI Act) or the Privacy Act; and
  • the provision of legal advice by internal and external lawyers.

2.3. Collection of sensitive information

In carrying out our functions and activities we may collect personal information that is sensitive information (see section 1.2 of this privacy policy). The APPs impose additional obligations on us when collecting, using or disclosing sensitive information. We may only collect sensitive information from you:

We also collect sensitive information where authorised to do so, for the purposes of human resource management, detection and investigation of fraud or other misconduct, taking appropriate action against suspected unlawful activity or serious misconduct, and responding to inquiries by courts, tribunals and other external review bodies.

2.4. Collecting personal information from children and young people

In carrying out our functions and activities we may collect personal information about children and young people, either directly from them, through their parents or guardians, or from their education or child care providers. Where children and young people are aged 15 or over, our general policy is to collect information directly from them as they are likely to have the capacity to understand any privacy notices provided to them and to give informed consent to the collection. For children under the age of 15, or where capacity to provide consent is at issue, our policy is to notify and seek the consent of a parent or guardian.

2.5. Collection of unsolicited information

Sometimes personal information is not sought by us but is delivered or sent to us by either the individual or a third party without us having requested it. This information is considered ‘unsolicited’.

Where unsolicited information is received by us, we will, within a reasonable period, determine whether that information is directly related to one or more of our functions or activities. If this cannot be determined, we may, as soon as practicable and in accordance with the Archives Act 1983 (Archives Act) and the Privacy Act, destroy or de-identify the information. If this can be determined we will notify you of the purpose of collection and our intended uses and disclosures according to the requirements of the APPs, unless it is impracticable or unreasonable for us to do so.

2.6. How we collect personal information

We collect your personal information through a variety of channels, which may include forms or notices, online portals, social media websites and accounts, electronic or paper correspondence and from data sharing, matching or linkage arrangements with other Australian Government and state and territory agencies, or from other third parties.

We may also collect your personal information if you:

  • communicate with us by telephone, mail, email, fax or SMS;
  • attend a face to face meeting or event conducted by us or by people or organisations acting on our behalf (e.g. contracted service providers);
  • use our websites;
  • participate in a survey administered by us; or
  • interact with us on our social media platforms.

We also monitor news and media, including social media, in the public domain.

By signing paper documents or agreeing to the terms and conditions and disclaimers for electronic documents you are consenting to the collection of any personal information you provide to us.

For further information on what information we collect online see section 2.12 of this privacy policy.

2.7. Remaining anonymous or using a pseudonym

You may wish not to identify yourself or to use a different name (pseudonym) when interacting with us.

In some cases, you will be able to remain anonymous or use a pseudonym; however, there will be occasions where it will be impractical for you to remain anonymous or use a pseudonym and we will advise you accordingly. For example, the Commission may be unable to investigate and resolve a complaint you have if you do not identify yourself.

There may also be situations where the Commission is required or authorised by law to deal only with an identified individual, in which case it may be necessary for you to identify yourself. For example, it would be difficult for the Commission to give you access to your personal information under the Privacy Act or other legislation such as the Freedom of Information Act 1982 (FOI Act) if you did not provide enough identification to satisfy the Commission that the relevant personal information was related to you.

2.8. Information collected by our contractors

Under the Privacy Act, we are required to take contractual measures to ensure that contracted service providers (including subcontractors) comply with the same privacy requirements applicable to us. When the Commission enters into agreements with contracted service providers, it imposes contractual obligations on providers to ensure they comply with relevant privacy obligations when collecting, using, disclosing and holding personal information relating to the Commission’s programs.

2.9. Storage and data security

2.9.1 Storage

We store personal information in a range of paper-based and electronic records, including records that may be stored in the cloud.

Storage of personal information (and the disposal of information when no longer required) is managed in accordance with the Australian Government’s records management regime, including the Archives Act, records authorities, general disposal authorities and other whole of government policies or standards issued by the National Archives of Australia.

2.9.2 Data security

We take all reasonable steps to protect the personal information held in our possession against loss, unauthorised access, use, modification, disclosure or misuse.

Access to your personal information held by us is restricted to authorised persons who are the Commission, Australian Public Service employees or contractors, on a need to know basis.

Electronic and paper records containing personal information are protected in accordance with Australian Government security policies, including the Attorney-General’s Department’s Protective Security Policy Framework and the Australian Signals Directorate’s Information Security Manual.

We conduct regular audits to ensure we adhere to these policies.

2.10. Data quality

We take all reasonable steps to ensure that the personal information we collect is accurate, up-to-date, complete, relevant and not misleading.

These steps include responding to requests to correct personal information when it is reasonable and appropriate to do so. For further information on correcting personal information see section 3 of this privacy policy.

Audits and quality inspections are also conducted from time to time to ensure the accuracy and integrity of information, and any systemic data quality issues are identified and resolved promptly.

2.11. Purposes for which information is collected, held, used and disclosed

We may collect and hold personal information for a variety of different purposes including:

  • performing our management, employment and personnel functions in relation to staff and contractors;
  • performing our legislative and administrative functions;
  • policy development, research and evaluation;
  • data sharing or data integration with other Australian Government agencies;
  • complaints handling;
  • administering requests received by us under the FOI Act or the Privacy Act;
  • preventing, detecting, investigating or dealing with fraud or corruption against the Commonwealth;
  • program management;
  • contract management; and
  • management of correspondence with the public.

2.12. Use and disclosure

We use and disclose personal information for the primary purposes for which it is collected. For example:

  • if you make a complaint to us, we may use and disclose your personal information to investigate and respond to the complaint;
  • in relation to staff or persons under contract to the Department, we may use or disclose your personal information to manage your employment, performance and workplace health and safety; and
  • if you correspond with us, we may use or disclose your personal information in order to respond to your correspondence, or address matters raised within your correspondence.

We may also use and disclose personal information for a variety of different purposes including those listed at 2.2-2.5 and 2.11 of this policy.

We will only use or disclose your personal information for secondary purposes where we are able to do so in accordance with the Privacy Act. This may include where you have consented to this secondary purpose, or where the secondary purpose is related (or if sensitive information, directly related) to the primary purpose and you would reasonably expect us to use or disclose the information for the secondary purpose, where it is required or authorised by law or where a permitted general situation exists such as to prevent a serious threat to safety.

Likely secondary purposes for which we may use or disclose your personal information include but are not limited to: quality assurance, auditing, reporting, research, evaluation and analysis, investigations of fraud or misconduct, data sharing, data integration, data matching and promotional purposes.

2.13. Our website

2.13.1 Passive collection

Your information—including personal information—is collected by a variety of software applications, services and platforms used by your device and by the Commission to support it to deliver services.

This type of information collection is ‘passive’ as the Commission is not collecting this information directly and it does not directly relate to the Commission’s functions. Your consent for your information to be collected and shared in this way is typically obtained at the time you first use an application or service on your device.

You can opt out of some of these passive data collections, including by:

Additional advice regarding how to protect yourself online can be found at Stay Smart Online.

2.13.2 Active collection

The Commission directly collects some of your information—including personal information—via its website. Generally, this information is collected to enable the Commission to properly and efficiently carry out its functions and deliver services.

No attempt is made to identify you through your browsing other than in exceptional circumstances, such as an investigation into the improper use of the website.

Information may be collected by:

  • Internet browser
  • Cookies
  • Google Analytics
  • Social media platforms
  • Qualtrics

Type of information:

  • Your browser type
  • Your browser language
  • Your server address
  • Your location (where location services are enabled on your device)
  • Your top level domain name (e.g. ‘.com’, ‘.gov’, ‘.au’, ‘.uk’)
  • Date and time you accessed a page on our site
  • Pages accessed and documents viewed on our site
  • How our website was accessed (e.g. from a search engine, link or advertisement)

Information collected to:

  • Measure the effectiveness of our content
  • Better tailor our content to our audience

Information may be collected by:

  • The Commission

Type of information:

  • Name
  • Email address
  • Phone number
  • Education history
  • Employment history

Information collected to:

  • Deliver services to you
  • Contact you
  • Identify you
  • Subscribe you to a service or update you have requested
  • Evaluate our programs
  • Inform policy development

2.13.3 Links to External Websites and Social Networking Services

Our website includes links to other websites. We are not responsible for the content and privacy practices of other websites. We recommend that you examine each website’s privacy policy separately.

We may also use social networking services such as LinkedIn and Yammer to talk with the public and our staff. When you talk with us using these services we may collect your personal information to communicate with you and the public.

The social networking service will also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for these services on their websites.

2.13.4 Electronic communication

There are inherent risks associated with the transmission of information over the internet, including via email. You should be aware of this when sending personal information to us via email or via our website or social media platforms. If this is of concern to you then you may use other methods of communication with us, such as post, fax or telephone (although these also have risks associated with them).

2.14. Disclosure of personal information to other Commonwealth agencies providing services to the Commission

We may disclose your personal information to other Commonwealth agencies that provide services to the Commission, in particular the Service Delivery Office within the Department of Finance (Finance), which provides a range of corporate services to the Commission. For more information, please refer to the Service Delivery Office.

2.15. Disclosure of personal information overseas

We will, on occasion, disclose personal information to overseas recipients. The situations in which we may disclose personal information overseas include:

  • the publication on the internet of material which may contain personal information, such as reports and other documents; photographs, video recordings and audio recordings; and posts and comments on our social media platforms;
  • the provision of personal information to overseas researchers or consultants (where consent has been given for this or we are otherwise legally able to provide this information);
  • the provision of personal information to recipients using a web-based service where data is stored on an overseas server, for example, the Commission may use Mailchimp for email subscriptions and SurveyMonkey for online surveys (see below for further detail on these services);
  • where recipients of our communications use an email account that stores data on an overseas server; and
  • where people post and comment on our social media platforms.

We will not disclose your personal information to an overseas recipient unless one of the following applies:

  • the recipient is subject to a law or binding scheme substantially similar to the APPs, including mechanisms for enforcement;
  • you consent to the disclosure after being expressly informed that we will not be taking reasonable steps to ensure that the overseas recipient does not breach the APPs;
  • a permitted general situation exists (e.g. to lessen or prevent a serious threat to life, health or safety);
  • disclosure is required or authorised by law, or by an international agreement relating to information sharing to which Australia is a party; or
  • the disclosure is reasonably necessary for an enforcement related activity conducted by, or on behalf of, an enforcement body and the recipient performs similar functions.

It is not practicable to list every country to which we may provide personal information as this will vary depending on the circumstances.

2.15.1 Mailchimp

To provide our news or information the Commissioner may use Mailchimp. Mailchimp provides online platforms that can be used to create, send, and manage emails. In providing this service, Mailchimp may collect personal information, such as distribution lists which contain email addresses, and other information relating to those email addresses. For further information about the type of personal information Mailchimp collects, please refer to Mailchimp's Privacy Policy.

We may use this information to manage emails relating to the work of the Commissioner, measure email news performance and to improve the features of our website and email news service. Mailchimp may transfer this information to third parties where required to do so by law, or where such third parties process the information on Mailchimp’s behalf. Mailchimp uses cookies, Web Beacons and Flash player code to collect information about when you visit the website, when you use the services, your browser type and version, your operating system, and other similar information.

Mailchimp is based in the United States of America (USA) and the information generated by cookies about your use of the website (including your IP address) will be transmitted to and stored by Mailchimp on servers located outside Australia.

You can opt out of our mailing list if you choose the ‘unsubscribe’ service provided by Mailchimp in every email, or contact the Commissioner. You can also disable or refuse cookies or disable Flash player; however, you may not be able to use the services provided by Mailchimp if cookies are disabled. Should you wish to contact Mailchimp, you can find contact details on the Contact Mailchimp page.

If you do not unsubscribe or contact the Commissioner to opt out of the mailing list you:

  • consent to your personal information being collected, used, disclosed and stored as set out in Mailchimp's Privacy Policy and agree to abide by Mailchimp's Terms of Use;
  • understand and acknowledge that this service utilises a Mailchimp platform which is located in the USA and relevant legislation of the USA will apply. This means you will need to seek redress under the laws of the USA for any privacy breaches by Mailchimp; and
  • understand and acknowledge that Mailchimp is not subject to the Commonwealth Privacy Act and the Commissioner will not have an obligation to take reasonable steps to ensure that Mailchimp does not breach the APPs in relation to personal information that is given to Mailchimp.

2.15.2 SurveyMonkey

We use SurveyMonkey to survey respondents voluntarily about a range of matters relevant to our work. Wherever possible, we will not seek your personal information as part of our surveys, but sometimes this is necessary. Further, in providing this service, SurveyMonkey may collect personal information. For further information about the type of personal information SurveyMonkey collects, please refer to SurveyMonkey's Privacy Policy.

The Commissioner will only use this information if you choose to respond to our invitation to participate in a survey, and for the purpose of receiving and analysing your answers.

SurveyMonkey is based in the USA and the EU and the information generated by cookies about your use of the website (including your IP address) will be transmitted to and stored by SurveyMonkey on servers located outside Australia.

If you choose to respond to one of our surveys you:

  • consent to your personal information being collected, used, disclosed and stored as set out in SurveyMonkey's Privacy Policy and agree to abide by SurveyMonkey's Terms of Use;
  • understand and acknowledge that this service utilises a SurveyMonkey platform, which is located in the USA and the EU, and relevant legislation of those countries will apply. This means you will need to seek redress under the laws of the USA or the EU for any privacy breaches by SurveyMonkey; and
  • understand and acknowledge that SurveyMonkey is not subject to the Commonwealth Privacy Act, and the Commissioner will not have an obligation to take reasonable steps to ensure that SurveyMonkey does not breach the APPs in relation to personal information that is given to SurveyMonkey.

2.16. Unauthorised access, use or disclosure of personal information

We will take seriously and deal promptly with any unauthorised access, use or disclosure of personal information.

The Notifiable Data Breaches (NDB) scheme in Part IIIC of the Privacy Act, which commenced on 22 February 2018, generally requires agencies and organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm to those individuals. These entities are also required to notify the Office of the Australian Information Commissioner. We comply with the NDB scheme when dealing with these types of data breaches.

The Commissioner also has regard to relevant guidance material issued by the Office of the Australian Information Commissioner, including the ‘Data breach preparation and response — A guide to managing data breaches in accordance with the Privacy Act 1988 (Cth)’, when responding to any incidents involving the unauthorised access of, use or disclosure of personal information.

3. Accessing and Correcting Your Personal Information

3.1. How to seek access to and correction of personal information

You have a right under the Privacy Act to access personal information we hold about you.

You also have a right under the Privacy Act to request corrections of any personal information that we hold about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

To access or seek correction of personal information we hold about you, please contact us using the contact details set out at section 6.1 of this privacy policy.

3.2. Our access and correction process

If you request access to or correction of your personal information, we must respond to you within 30 calendar days.

While the Privacy Act requires that we give you access to or correct your personal information on request, it does set out circumstances in which we may refuse you access or decline to correct your personal information.

If we refuse to give you access or decline to correct your personal information we will provide you with a written notice which, among other things, gives our reasons for refusing your request.

It is also possible to access and correct documents held by us under the FOI Act. For information on this, please contact our FOI Coordinator (contact details are available on the Freedom of Information page of our website).

3.3. If you are not satisfied with our response

If you are unsatisfied with our response, you may make a complaint, either directly to us (see section 5 below), or you may wish to contact:

  • the Office of the Australian Information Commissioner at enquiries@oaic.gov.au or telephone 1300 363 992; or
  • the Commonwealth Ombudsman by lodging a Complaint Form online or telephone 1300 362 072.

4. Privacy Impact Assessments

4.1. What is a Privacy Impact Assessment

A privacy impact assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

4.2. When we conduct Privacy Impact Assessments

The Privacy (Australian Government Agencies — Governance) APP Code 2017 (Privacy Code) requires us to undertake a PIA in certain instances and to maintain a register of those PIAs from 1 July 2018. In accordance with the Privacy Code, we publish a version of our PIA register on our website.

5. Complaints

5.1. How to make a complaint

If you think we may have breached your privacy you may contact us to make a complaint using the contact details set out at section 6.1 of this privacy policy. In order to ensure that we fully understand the nature of your complaint and the outcome you are seeking, we prefer that you make your complaint in writing.

Please be aware that it may be difficult to investigate or respond to your complaint if you provide insufficient detail. You may submit an anonymous complaint; however, if you do, it may not be possible for us to provide a response to you.

5.2. Our complaint handling process

We are committed to quick and fair resolution of complaints and will ensure your complaint is taken seriously and investigated appropriately.

If you have a complaint about our privacy practices, you should submit a written complaint using the contact details set out in this policy. We will respond to your complaint within 30 days.

If you are in the EU, you can lodge a complaint with the supervisory authority for the GDPR in your country.

5.3. If you are not satisfied with our response

If you are not satisfied with the way we have handled your complaint in the first instance, you may contact the Office of the Australian Information Commissioner to refer your complaint for further investigation. Please note that the Information Commissioner may not investigate if you have not first brought your complaint to our attention.

Office of the Australian Information Commissioner

Telephone: 1300 363 992

Email: enquiries@oaic.gov.au

Post: GPO Box 5218, Sydney NSW 2001

6. Contact Us

6.1. General enquiries, complaints, requests for access or correction

If you wish to:

  • query how your personal information is collected, held, used or disclosed by us;
  • ask us questions about this privacy policy;
  • request access to or seek correction of your personal information; or
  • make a privacy complaint;

please contact us:

By mail:

Privacy Officer
National Skills Commissioner
GPO Box 9880
Canberra ACT 2601
Australia

By email: privacy@skillscommission.gov.au

By telephone: 02 6240 0393

6.2. Availability of this privacy policy

If you wish to access this privacy policy in an alternative format (e.g. hard copy) please contact us using the contact details set out at section 6.1 above. This privacy policy will be made available free of charge.

This privacy policy will be reviewed annually and updated as required.

Date policy last updated: May 2021