Privacy Policy

1. Purpose


Australian Creative Academy (ACA) is a Registered Company with responsibility for delivering non accredited and accredited vocational education and training through Third Party Agreements with Registered Training Organisations. ACA collects and stores personal information on our learners and industry clients. ACA complies with the Privacy Act 1988 (Commonwealth). 


This policy describes how ACA collects, manages, uses, discloses, protects and disposes of personal information in accordance with the Australian Privacy Principles (APP’s).


ACA understands the importance of maintaining the confidentiality of information provided to us and is firmly committed to protecting the privacy of our clients. We support the National Principals for the Fair Handling of Personal Information embodied in the Privacy Amendment (Private Sector) Act 2000 and the Australian Privacy Principles (APPS) as set out in Schedule 1 of the Commonwealth of Australia Privacy Act 1988. Through this policy ACA and it’s Third Party Providers seek to ensure that personal information is handled solely for the purposes for which it was acquired and in ways that are ethical, legal, and secure.




ACA only collects personal information to properly and efficiently carry out its functions or activities under the National Vocational Education and Training Regulator Act 2011 (NVR Act), or the Freedom of Information Act 1982 (FOI Act), and only when it is reasonably necessary or directly related to ACA or its Third Party Providers functions.

ACA will only collect personal information by fair and lawful means that is necessary for the functions of ACA and its Third Party Providers.


ACA generally collects personal information about an individual directly from the individual or their authorised representative. The following types of personal information are generally collected, depending on the need for service delivery:


• Contact details;

• Date of birth;

• Unique Student Identifier (USI)

• Employment details;

• Educational background;

• Demographic information;


If an individual considers the personal information that ACA holds about them to be incorrect, incomplete, out of date or misleading, they can request that the information be amended by contacting us.


ACA and its Third Party Providers will hold personal information only for the period we are legally required to retain the information.


Under the Data Provision Requirements 2012, ACA Third Party Providers are required to collect personal information about learners and to disclose that personal information to the National Centre or Vocational Education Research Ltd (NCVER)


• Course progress and achievement information; and

• Financial billing information.


The following types of sensitive information may also be collected and held:

• Identity details;

• Disability status & other individual needs;

• Indigenous status; and

• Background checks (such as National Criminal Checks).

• Complaint or issue information.

ACA and Third Party Providers enrolment form will gather such information to be used or disclosed by ACA and their Third Party Providers for statistical, regulatory and research purposes. Learners are required to provide consent to such disclosure by signing the declaration contained within the enrolment form.


When collecting personal information, ACA shall take reasonable steps to inform the learner about:


• Our identity and contact details

• The purpose of collection

• The consequences if personal information is not collected

• Their rights to access personal information held by this organisation


In addition to abiding by the Australian Privacy Principles and other relevant legislation, ACA will ensure that the human right of Right to privacy and reputation in accordance with the Queensland Human Rights Act 2019, is adhered to.


Use and disclosure


ACA and its Third Party Providers uses personal information only for the purposes for which it was provided and for directly related purposes (unless otherwise required by or authorised under law). Generally, the type and purpose for which ACA and it Third Party Providers collects personal information will include, but are not limited to:


• Learner enrolment information

• AVETMISS statistical information records (where appropriate)

• Learner information collected to track progress through each course,

subject and class (where applicable)

• Trainer and assessor records about the learner’s progress

• Communications with learners that may impact on the outcome of

assessments or the learner participation in training or assessment

• Qualifications issued, certificate or statements of attainment

• Fees and charges applied, refunds given and other financial dealings with


• Collected stakeholder feedback, opportunity for improvement, systems

inputs, and other feedback on the operation of the organisation

ACA and its Third Party Providers will not disclose an individuals’ personal information to another person or organisation, unless:


• the individual concerned is reasonably likely to have been aware, or made aware, that information of that kind is usually passed to that person or organisation;

• the individual concerned has given written consent;

• ACA and its Third Party Providers believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or of another person;

• the disclosure is required or authorised by or under law;

• the disclosure is reasonably necessary for the enforcement of the criminal

law or of a law imposing a pecuniary penalty, or for the protection of the public revenue


ACA and its Third Party Providers may also delivers services through a range of Commonwealth and State Government funding contract agreement arrangements, which also include various information collection and disclosure requirements. Due to these legal requirements, ACA and its Third Party Providers disclose information held on individuals for valid purposes to a range of entities including:


• School – if you are a secondary student undertaking VET, including a school-based apprenticeship or traineeship;

• Employer – if you are enrolled in training paid by your employer;

• Commonwealth and State or Territory government departments and

authorised agencies;

• National Centre for Vocational Education Research (NCVER);

• Organisations conducting student surveys; and

• Researchers.

 Furthermore, personal information disclosed to NCVER may be used or disclosed for the following purposes:

• populating authenticated VET transcripts;

• facilitating statistics and research relating to education, including surveys

and data linkage;

• pre-populating RTO student enrolment forms;

 Data Quality

• understanding how the VET market operates, for policy, workforce planning and consumer information; and

• administering VET, including program administration, regulation, monitoring and evaluation


ACA and its Third Party Providers shall take all reasonable steps to ensure that personal information it collects is accurate, complete and up-to-date at the time of collection and use. These steps include maintaining and updating personal information when advised by individuals that their personal information has changed, and at other times when necessary.


Data Security


ACA and its Third Party Providers shall take reasonable steps to ensure personal information is safe from misuse, loss, and unauthorised access, alteration or disclosure. Information shall be destroyed or identifiers removed when it is no longer needed for either the primary or approved secondary purpose or the required retention period set by Commonwealth and State legislation.


ACA and its Third Party Providers shall take reasonable steps to ensure the security of physical files, computers, networks and communications are maintained at all times. Only authorised personnel are provided with login information to each computer, with Student 

Management System and financial system access limited to only those relevant to their specific role. 


ACA Third Party Providers Student Management Systems are hosted externally with robust security. Virus protection, backup procedures are in place.




ACA and its Third Party Providers shall make available, on request, our Privacy Policy. We shall also, on request and within reason, inform an individual:


  • What type of personal information we collect and hold

  • For what purpose

  • How it is collected

  • How it is used and disclosed


Privacy Impact Assessment


ACA and its Third Party Providers will conduct a Privacy Impact Assessment (PIA) for all high privacy risk projects. A high privacy risk project is a project that involves or proposes new or changed ways of handling personal information that are likely to have significant impact on the privacy of individuals.


A PIA identifies the potential impact that project might have on privacy and sets out recommendations for managing, minimising or eliminating the impact.


Access and Correction


Under the Privacy Act, individuals may request access to, or correction of personal information that ACA and its Third Party Providers holds about them.

If requested, ACA and its Third Party Providers shall give individuals access to and correction of their personal information held by ACA and its Third Party Providers. When requesting access to personal information, individuals shall:


  • Formally in writing, request to access their personal information

  • Provide two (2) acceptable forms to prove their identity

  • Advise what format they require the information

  • Provide data storage, if necessary

  • •Pay any reasonable associated fees

  • Allow 15 working days for processing (i.e. 3 weeks)


ACA and its Third Party Providers may choose to charge for access to and copy of personal information. Should fees apply, they shall not be excessive, nor shall they apply to lodging a request.


A number of third parties, other than the individual, may request access to an individual’s personal information. Such third parties may include employers, parents, Australian Apprenticeships Centres, Governments (Commonwealth, State or Local), law firms and various other stakeholders.

In all cases where access is requested, ACA and its Third Party Providers will ensure that:


• Parties requesting access to personal information are robustly identified and vetted;

• Where legally possible, the individual to whom the information relates will be contacted to confirm consent (if consent not previously provided for the matter); and


• Only appropriately authorised parties, for valid purposes, will be provided access to the information.

Requests for access to or correction of personal information should be directed to ACA and its Third Party Providers.

Privacy Contact Officer, using the contact details set out below.


Disclosing personal information to other countries


ACA and its Third Party Providers shall not transfer personal information to a foreign company or organisation unless required to do so under relevant legislation and government directive and with the notification being provided to the individual concerned.




If an individual wishes to lodge a complaint about how ACA and its Third Party Providers handles personal information, or if they feel ACA and its Third Party Providers has breached the APPs, they can do so by completing a Complaint form available from ACA administration staff or website.


If an individual is dissatisfied with ACA and its Third Party Providers response, they may submit their complaint to the OAIC for further investigation.

Office of the Australian Information Commissioner GPO Box 5218


1300 363 992


Privacy Contact Officer


If you have any questions about how ACA and its Third Party Providers collects, holds, uses or disclosed your personal information or about requested for access to or correction of your personal information or lodging a privacy complaint, please contact ACA Privacy Contact Officer via:

Privacy Contact Officer ACA 

2, 555 Brunswick Street New Farm QLD 4005

07 31573984


2. Scope


This policy is intended for all internal and external clients of ACA and its Third Party Providers, and includes:


• Personal information

• Client information

• Record keeping


3. Definitions


Key Term – Acronym

Personal Information

The Privacy Act 1988 (C'th)

Privacy Amendment (Private Sector) Act 2000

Australian Privacy Principles


Sensitive information




Information or an opinion about an identified idibidiaual or an individual who is reasonably identifiable (a) whether the information is tru or not and (b) whether the information or opinion is recorded in a material form or not.


This Act gives rights to individuals in relation to how personal information is handled by the Commonwealth and ACT government agencies. ACT government agencies must comply with the 11 Information Privacy Principles set out at section 14 of the Privacy Act.


From 21 December 2001 the private sector amendments to the Privacy Act 1988 (Cth) (the "Act") became operative. The new provisions provide for ten National Privacy Principles (NPPs), found in Schedule 3 of the Act, which apply to the private sector.

These principles which came into effect on the 12th March replaced the 11 Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) and will apply to all agencies

Clients are defined as participants, staff, contractors, and the community.


(a) Information or an opinion about an individual’s (i) racial or ethnic origin. Or (ii) political opinions or (iii) membership of a political association, or (iv) religious beliefs or affiliations, or (v) philosophical beliefs, or (vi) membership of a professional or trade association, or (vii) membership of a trade union, or (viii) sexual preferences or practices or (ix) criminal record, that is also personal information or

(b) health information about an individual or

(c) genetic information about an individual that is not

otherwise health information, or

(d) biometric information that is to be used for the

purposes of automated biometric verification or

biometric identification; or

(e) biometric templates.


4. Procedure


Only staff directly involved in the delivery of training and assessment, student administration and student data and statistical information have access to relevant student information as appropriate.


Learner files


• All new Learners enrolling in full qualifications shall have a ‘learner’ file which is securely stored in lockable filing cabinets within the relevant classroom or designated storage area.

• All learners must sign the acknowledgement on enrolment form regarding the disclosure of personal information during their course of study

• Learner files or documents relating to a learner must not be left in plain sight

• Learner files or documents relating to a learner must not be left out of a lockable filing

cabinet overnight

Request for copy/reprint of an award

Learners who contact ACA and its Third Party Providers for a copy of re-print of a previously issued Certificate or Statement of Attainment must provide the following information before the request will be actioned:

• Full name

• Date of birth

• Address

• Contact phone number

The Learner may be asked the following as further means to determine correct identity:

• USI or LUI

• Course enrolled

Request to access file/personal information

Learners who contact ACA and its Third Party Providers for access to their file/personal information held must request so in writing (Learner file Authorised Access form). The form includes information such as:

• Full name

• Date of birth

• Address

• Contact phone number



Destruction of files


Where a learner’s paper-based file/training documentation has been held for the required retention period, the file must be discarded in the document destruction bin, with a note made in the Student Management System that such records have been confidentially destroyed. Please note, Learners enrolled in Commonwealth or State Government funded programs will have specific retention periods, please refer to Records Management Policy.


Back up


ACA and its Third Party Providers Manager is responsible for the timely back up of ACA and its Third Party Providers server records and the financial system.


5. Responsibility


5.1 The CEO of ACA is responsible for:

5.1.1. The implementation of and ongoing compliance of this policy;

5.2 The Manager of ACA is responsible for:

5.2.1 The communication and marketing of this policy to all students and staff;

5.2.2 Ensure that all staff/contracts are trained and aware of the procedures outlined

in this policy.

5.3 Staff,

5.3.1 Maintaining and updating information to ensure accuracy of records

5.3.2 Taking all reasonable steps to ensure personal information remains secure

5.3.3 Providing access to participants to information relating to themselves

5.4 Learners of ACA are responsible for:

5.4.1 Providing correct information and to inform us in a timely manner of any changes to the details lodged.

5.4.2 Providing necessary supporting documentation to change or update details as required.

5.4.3 Providing written consent where personal information can be disclosed to third parties.

5.4.4 Making application through the Administration of ACA and its Third Party Providers to access personal records kept by them


Associated Documents/Forms/Registers


• Further Education and Training Act 2014

• The National Vocational Education and Training Regulator ACT 2011

• VET Quality Framework

• Standards for Registered Training Organisations (RTOs) 2015

• Student consent

• Enrolment form

• Learner file authorised access form

• Australian Privacy Principles

• Queensland Human Rights Act 2019


• Qld Legislation

• Federal Privacy Laws



ACA and are responsible for:       



1. Learner handbook

2. Learner agreement/enrolment form

3. Staff Inductions and handbook

4. Website to alert the ACA and its Third Party Providers community of the approved Policy.