Complete APP privacy policy and privacy management plan
About this privacy policy
TEQSA uses a layered approach to presenting its privacy policy. This policy provides you with complete information on how the agency handles personal information, separated into the following different categories of records:
- Part A: Personnel
- Part B: Financial management system
- Part C: Consultancy and contracted services records
- Part D: Higher education provider case management
- Part E: Legal services
- Part F: Enquiries mailbox
- Part G: Complaints
- Part H: Freedom of Information
- Part I: Provider Information Request (PIR)
- Part J: Data collected from TEQSA website
- Part K: Sector engagement contact details
- Part L: Academic cheating services
Below is some general information on the agency’s privacy obligations, how to access and correct your personal information, disclosure of information and how to make complaints about the way the agency handles personal information.
TEQSA also has a Condensed Australian Privacy Principles (APPs) Privacy Policy which summarises the agency’s approach to handling personal information.
The agency’s Privacy Management Plan can be found at the end of this policy.
Obligations
All personal information collected by TEQSA is protected by the Privacy Act 1988. Information on the Commonwealth Privacy Act 1988 can be found on the website of the Office of the Australian Information Commissioner. The agency is committed to protecting personal information. This Privacy Policy embodies this commitment and applies to personal information collected by TEQSA and its contractors and agents. The agency adheres to the requirements of the APPs contained within the Privacy Act 1988, the Privacy (Australian Government Agencies — Governance) APP Code 2017 and the Guidelines for Federal and ACT Government World Wide Websites, issued by the Privacy Commissioner.
This document also includes the agency’s Privacy Management Plan required under the Privacy (Australian Government Agencies — Governance) APP Code 2017.
Access and correction
The agency will allow individuals to have access to their personal information that we hold and we will correct an individual’s personal information if it is inaccurate (subject to restrictions on such access/alteration of records under the applicable provisions of any law of the Commonwealth). The Freedom of Information Act 1982 also provides an opportunity to request access to documents in the possession of TEQSA. An individual who wishes to access the personal information the agency holds about them and to seek correction of that information can email their request to foi@teqsa.gov.au.
Access to and correction of information
If you make a request to access your personal information under the FOI Act, TEQSA will process it in line with the FOI Act. Part H below sets out what TEQSA does with Freedom of Information request documents.
If you make a request to correct personal information, TEQSA will:
- Acknowledge your request within 5 days,
- Inform you of the outcome of your request within 30 days, having considered it in line with APP 13.
Anonymity and pseudonymity
For the purposes of APP 2.2(b), in most circumstances, it is impracticable for TEQSA to deal with individuals who have not identified themselves or who have used a pseudonym.
TEQSA may consider dealing with individuals who have not identified themselves or used a pseudonym in getting information in relation to the exercise of its regulatory powers, on a case-by-case basis.
Individuals who wish to deal with TEQSA anonymously or by using a pseudonym should tell TEQSA accordingly so that TEQSA can consider how it can deal with them.
In this regard, TEQSA’s online concerns form (Raising a complaint or concern - online form) allows you to remain anonymous in submitting your concern.
Disclosure
From time to time, TEQSA may disclose records it holds that contain personal information to overseas higher education regulatory bodies. This may include higher education regulatory bodies in the United Kingdom, Ireland and New Zealand.
We only collect, hold, use and disclose personal information for a lawful purpose that is reasonably necessary or directly related to one or more of our functions or activities or where otherwise required or authorised by law.
We will only use your personal information for secondary purposes where we are able to do so in accordance with the Privacy Act (for example, with your authorisation).
Complaints
To make a complaint about the agency’s handling of personal information or compliance with the APPs please write to the address below:
- Privacy Contact Officer
Tertiary Education Quality and Standards Agency
GPO Box 1672
Melbourne VIC 3001
- Email: foi@teqsa.gov.au
If we receive a complaint about the agency’s handling of personal information or compliance with the APPs we will determine what (if any) action we should take to resolve the complaint. If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.
We will tell you promptly that we have received your complaint and will take all reasonable steps to respond to the complaint within 30 days.
If you are not satisfied with the agency’s response you can complain to the Commonwealth Ombudsman. You may also make a complaint to the Office of the Australian Information Commissioner.
PART A: Personnel records
Collection
The personal information contained in TEQSA’s personnel records is generally collected from the individual but may be obtained from former employers of individuals on engagement and from Document Verification Services (DVS), with the consent of the individual.
Content
The content of personnel records may include: name, address, date of birth, occupation, AGS number, gender, qualifications, equal employment opportunity group designation, next of kin, details of pay and allowances, leave details, work reports, security clearance details, employment history and information relating to the health and safety of staff and the community. Personnel records include records about current and former employees and officeholders as well as records about applicants for positions at TEQSA and other individuals connected with employees and applicants who provide their personal information to TEQSA.
Under the Privacy Act 1988, sensitive information means:
(a) Information or an opinion about an individual’s:
i. racial or ethnic origin; or
ii. political opinions; or
iii. membership of a political association; or
iv. religious beliefs or affiliations; or
v. philosophical beliefs; or
vi. membership of a professional or trade association; or
vii. membership of a trade union; or
viii. sexual orientation or practices; or
ix. criminal records;
that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information; or
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates.
Personnel records held by TEQSA may include personal and sensitive information such as: physical and mental health, COVID-19 vaccination status, disabilities, racial or ethnic origin and criminal convictions. The records may also include personal and sensitive information on third parties where TEQSA staff and officeholders have disclosed a personal or business relationship relevant to and in accordance with TEQSA’s conflict of interest policy and procedure and the Public Governance, Performance and Accountability Act 2013.
Use
Personnel records are used by TEQSA for the management of human resources and to manage the health and safety of staff and the community as required by law. The following agency staff have access to personnel records: executive and senior staff with personnel management responsibility, supervisors and members of selection committees (as appropriate), the individual to whom the record relates and, as is relevant to completing their duties, People & Capability staff.
Security and disposal
Personnel records are kept according to the applicable provisions of the records authorities in relation to personnel functions issued by Australian Archives. Access to these records is restricted. They are kept in locked cabinets and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff.
Disclosure
Information held in personnel records may be disclosed, as appropriate or where required by law to:
- Comcare in relation to claims and workplace health issues
- Commonwealth Medical Officers for the purposes of conducting fitness for duty assessments or for the purpose of managing and reducing the spread of infectious disease
- State authorities for the purpose of managing and reducing the spread of infectious disease
- Attorney-General's Department or Australian Public Service Commission for the purposes of obtaining policy advice
- ComSuper and other superannuation administrators or the Productivity Commission for the purposes of calculating and paying employee entitlements
- the Australian Taxation Office, Centrelink, and the Child Support Agency in relation to payments required to be made.
Information held on personnel records is moved to other APS agencies on movement or reengagement of an employee to that agency.
PART B: Financial management system records
Collection
The personal information contained in TEQSA’s financial management system records is generally collected from the individual or the employer of an individual.
Content
Contents may include: name, address, contact information and transaction history with TEQSA over previous and current financial years. Details of vendors and employee bank accounts are also kept in the financial system.
Use
Information is collected to maintain complete information relating to all financial transactions of the agency. The purpose of these records is to maintain payment details to allow for payment of invoices and claims from staff members and service providers.
Within TEQSA this information is only available to relevant staff members of Finance Section and authorised users of interfacing systems responsible for payments by direct credit (i.e. staff salary payments via Aurion).
Security and disposal
The information in the Financial Management Information System (FMIS) is stored indefinitely. Paper records are destroyed seven years after last action. Access to these records is restricted. They are kept in locked cabinets and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff.
Disclosure
Information may be disclosed to the Reserve Bank of Australia and the Productivity Commission for the purpose of processing agency payments. The Finance team at the Fair Work Ombudsman (FWO) also has access to the FMIS as TEQSA has outsourced certain financial reporting functions to the FWO.
PART C: Consultancy and contracted services records
Collection
The personal information contained in TEQSA’s consultancy and contracted service records is generally collected from the individual or the employer of an individual.
Content
The consultancy and contracted services (including external expert) records may include name, address, phone number, email address, qualifications, honorifics, languages spoken, employment history, details of referees, details of rate, work reports, security clearance details and information on their employment and any employees and subcontractors. Sensitive contents of a consultant’s or contractor’s information may include security assessment details, professional memberships, and racial or ethnic origin. The personal information in these records relates to the employees or subcontractors of the consultancy firm or external experts responding to a request for goods/services. The consultancy services records include information collected in the course of engaging external subject matter experts and in the process of procuring goods and/or services.
Use
The purpose of these records is to assist with the evaluation and engagement of consultancy services, external experts, or the procurement of goods and/or services.
Information collected is used in relation to TEQSA’s functions and activities, including:
- internal reporting
- external reporting (for example, to the Minister or Department of Education and Training)
- monitoring compliance with the Commonwealth Procurement Rules through the Commonwealth’s compliance reporting process.
TEQSA staff in the business area from which the original request for consultancy services or external experts originated have access to these records, as do the Finance Team and senior managers on a need-to-know basis.
Security and disposal
Consultancy service records are kept according to the applicable provisions of the General Records Authority and establishment records issued by Australian Archives. Access to these records is restricted. They are kept in locked cabinets and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff.
Disclosure
The name of a consultant and the content of their report may be disclosed to higher education providers, government agencies or other bodies for the purposes of performing TEQSA’s regulatory functions. TEQSA discloses some details of the consultancy record to the FWO for financial reporting. TEQSA discloses personal information when:
a) TEQSA is authorised by or under an Australian law or a court/tribunal order;
b) a permitted general situation arises; or
c) TEQSA reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Certain personal information collected by TEQSA from external experts is published on TEQSA’s website with the consent of those experts.
PART D: Higher education provider case management records
Collection
The personal information contained in TEQSA’s provider case management records is generally collected from the individual or a higher education provider with which the individual was/is associated (for example as a current or former student or employee).
TEQSA also collects student records from providers who cease to operate. The personal information contained in these records may include, for example, personal details to facilitate verification of records and student identity, academic records and testamurs.
Content
The content includes: name, title, address, phone, email, date of birth, position title, position responsibilities, term of appointment, professional and educational history. Sensitive information may include acts of professional or academic misconduct, financial history, qualifications, gender and criminal convictions.
Use
The purpose of these records is to record details relating to higher education provider registration and course accreditation applications and assessments, notifications and general communications relating to providers, to enable TEQSA to carry out its regulatory functions.
Security and disposal
Provider case management records are kept according to TEQSA’s Records Authority. Access to these records is restricted. They are kept on premises only accessible via a security pass and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff.
Disclosure
Personal information in these records may be disclosed to Commonwealth, state or territory bodies responsible for regulating the provision of education, to consultants engaged by TEQSA and to bodies responsible for regulating occupations associated with courses regulated by TEQSA. Records may also be disclosed to regulated higher education providers, including in circumstances where a provider has ceased to operate and a student consents to TEQSA disclosing their student record to a different provider. These disclosures would be made for the purposes of assisting TEQSA to assess applications made to TEQSA, to verify providers’ policies and procedures relating to their compliance with the Higher Education Threshold Standards, and to otherwise assist TEQSA to perform its regulatory responsibilities.
PART E: Legal services records
Collection
The Legal Group does not usually collect personal information but relies on existing records held by TEQSA.
Content
The personal information in the legal services records includes but is not limited to: name, address, date of birth, gender, marital status, and occupation. Sensitive content may include financial information, employee records, criminal convictions, physical or mental health details, relationship details and racial or ethnic origin.
Use
These records are used to enable the Legal Group to perform its functions in relation to the delivery of legal services to TEQSA. Officers of TEQSA’s Legal Group involved in the provision of legal services and, on a need-to-know basis, senior managers have access to these records.
Security and disposal
The records are kept in accordance with the Administrative Functions Disposal Authority issued by the National Archives of Australia. The records are kept for specified periods that relate to the contents and have a wide range, e.g. records of breaches of mandatory standards are destroyed seven years after action completed, records of claims are destroyed seven years after settlement or withdrawal.
Access to these records is restricted. They are kept in locked cabinets and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff.
Disclosure
This information may be disclosed to Commonwealth departments and agencies for the purposes of seeking legal advice or consulting on such requests, external legal advisers, and Courts and Tribunals.
PART F: Enquiries mailbox
Collection
The personal information contained in these records is usually voluntarily sent by the individual to whom the information relates.
Content
The personal information contained in these records may include: name, address, occupation and phone number.
TEQSA staff who manage the mailbox have access to this information. In addition, personal information contained in the enquiries is sometimes forwarded to Provider Case Managers or other staff in order to respond to the enquiries. Some of the enquiries are treated as complaints. See the complaints section of this Privacy Policy for information on who has access to personal information contained in complaints.
Use
These records contain details of email enquiries received by the TEQSA enquiries mailbox. TEQSA uses the personal information in these records to respond to the enquiry. These emails are kept by TEQSA as a record of TEQSA having responded to the query.
Security and disposal
The records will be kept for five years. Access to these records is restricted. They are kept on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff.
Disclosure
TEQSA discloses personal information when:
a) authorised by or under an Australian law or a court/tribunal order;
b) a permitted general situation arises; or
c) it reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
PART G: Complaints
Collection
The personal information contained in these records is usually voluntarily sent by the individual to whom the information relates.
Content
The records may contain a complainant’s personal information, including name, educational history, email address, postal/residential address, citizenship/visa status, address, occupation and phone number.
Use
These records contain details of complaints received by TEQSA about higher education providers or about TEQSA’s conduct. The complaints are kept for consideration when TEQSA performs its regulatory functions in determining if a provider is meeting its obligations under the Tertiary Education Quality and Standards Agency Act 2011 or in assessing any complaint about TEQSA’s conduct.
TEQSA staff who manage the complaints mailbox and provider case managers have access to this information to the extent that it contains details of complaints about higher education providers.
TEQSA will use information about complaints it receives about TEQSA’s conduct in line with its Complaints about TEQSA policy.
Security and disposal
Complaints records are kept according to TEQSA’s Records Authority.
Access to these records is restricted. They are kept on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff.
Disclosure
TEQSA discloses personal information received as part of complaints about higher education providers when:
- authorised by or under an Australian law or a court/tribunal order;
- a permitted general situation arises, or
- it reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
TEQSA discloses personal information received as part of complaints about TEQSA when:
- authorised by or under an Australian law or a court/tribunal order;
- a permitted general situation arises, or
- it reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
In line with TEQSA's Complaints about TEQSA policy, to the extent that TEQSA otherwise proposes to disclose a complainant’s personal details, the complainant’s consent will be sought.
PART H: Freedom of Information records
Collection
The personal information contained in these records is usually voluntarily sent by the individual to whom the information relates.
Content
The records may include a freedom of information applicant’s name, address, phone number, date of birth, gender and occupation.
Use
The purpose of these records is to process and maintain a record of requests for access to documents under the Freedom of Information Act 1982. The following TEQSA staff have access to these records: the freedom of information coordinator and freedom of information officer, the Legal Group and senior managers on a need-to-know basis.
Security and disposal
The records are kept for seven years.
Access to these records is restricted. They are kept in locked cabinets and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff.
Disclosure
Some of this information may be disclosed to Commonwealth agencies or departments concerned with the particular application, or to other entities required to be consulted under the Freedom of Information Act 1982.
PART I: Provider Information Request (PIR) data
Collection
PIR data is collected from higher education providers and from the Commonwealth Department of Education.
Content
The personal information contained in the PIR data includes student and staff numerical identifiers, courses studied by students and students’ outcomes, as well as students’ educational history, citizenship/visa status, fee-paying status, and in some cases the salaries and work contract description of staff.
Use
This data enables TEQSA to regulate the higher education sector in line with its regulatory principles (relating to regulatory necessity, risk and proportionality). Through access to a core data set across all providers, TEQSA is able to employ a risk-based approach to regulation and thus can reduce regulatory burden on the sector and focus regulatory effort on potential risks to students. The data is used to calculate risk indicators which inform TEQSA’s assessments of providers and allow relevant application processes to be tailored. TEQSA also uses the data to prepare high level analysis across the higher education sector, though this information is only published or disclosed in a de-identified form.
Security and disposal
PIR data records are kept according to TEQSA’s Records Authority, which sets out requirements for keeping, destroying or transferring records. Records are held in an isolated electronic data vault, with access limited to a small number of specially authorised personnel from the Information Management staff at TEQSA, who are responsible for managing these records.
Disclosure
TEQSA may disclose this information to information technology contractors for the purposes of maintaining information technology systems (including databases) associated with this information.
PART J: Data collected from TEQSA website
When you use TEQSA’s online services, our servers automatically record information that your browser sends whenever you visit a website. These server logs may include information such as your server address, your top level domain name, the date and time of the visit to the site, the pages accessed and documents viewed, the previous sites visited, and the browser type, browser language, and one or more cookies that may uniquely identify your browser. The information does not contain anything that identifies, or may be used to identify, individuals.
PART K: Sector engagement details
Collection
Sector engagement contact details and personal information are collected from the relevant individual or their employer.
Content
The personal information contained in the sector engagement contact details may include individuals’ names, email addresses, job titles, employers, phone numbers, employers’ address, state/territory/location of residence, and images of sector events (including images of attendees and speakers).
Use
This data enables TEQSA to keep members of the higher education sector up to date with news and events about the agency. It also allows the agency to maintain contact with peak bodies and organisations relevant to TEQSA’s functions. Personal information (such as name, job title and employer) and images may also be used to promote TEQSA’s activities and functions.
Security and disposal
Sector engagement contact records are kept according to TEQSA’s Records Authority. Access to these records is restricted. MOU and peak body contact details are kept on premises only accessible via a security pass and on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff. Contact details for subscribers to TEQSA’s newsletters are kept on MailChimp and are only accessible to a small number of authorised staff in the Engagement Group.
Disclosure
TEQSA may disclose this information to information technology companies (such as MailChimp) for the purposes of maintaining databases associated with this information. TEQSA may also publish information (such as name, job title, employer and image) to promote TEQSA’s functions and activities. For example, images and descriptions of speakers and attendees at the TEQSA conference or other events may be published on TEQSA’s website or in other promotional materials.
PART L: Academic cheating services
Collection
Personal information contained in records is provided to TEQSA by individuals when submitting complaints or concerns about academic cheating services. Information may also be collected from higher education providers that become aware of academic cheating services being advertised or offered.
Content
The records may contain personal information including student or complainant’s name, education history, telephone number, email address and social media user details (such as username, image and other publicly available information). Records may also contain personal information of individuals allegedly providing or advertising academic cheating services including name, telephone number and email address.
Use
The records contain details of alleged academic cheating service providers or advertisers received by TEQSA. The information is kept for consideration in investigating reports of academic cheating services and in determining any breaches of the Tertiary Education Quality and Standards Agency Act 2011 (TEQSA Act) and any action that may be taken.
Security and disposal
Records relating to academic cheating are kept according to TEQSA’s Records Authority.
Access to these records is restricted. They are kept on a restricted drive on TEQSA’s IT network, which is only accessible by authorised staff.
Disclosure
TEQSA discloses personal information when:
a) authorised by or under an Australian law or a court/tribunal order;
b) a permitted general situation arises; or
c) it reasonably believes that the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
Privacy management plan
Compliance
The agency will ensure compliance with its privacy obligations by:
- maintaining an up to date privacy policy
- embedding privacy requirements in relevant policies and procedures, which are regularly reviewed
- keeping senior management informed about relevant privacy issues
- undertaking privacy impact assessments when necessary
- maintaining an up to date Data Breach Management Plan
- responding promptly to complaints and inquiries about how the agency handles personal information
- using established processes to allow individuals to access and correct their personal information
- training staff on privacy obligations
- directing staff to seek advice on privacy obligations when required.
As required under the Privacy (Australian Government Agencies — Governance) APP Code 2017 agency staff will receive annual privacy training as well as training on induction.
Complaints and inquiries
The agency’s privacy officer will review and respond to any complaints or inquiries about the way the agency handles personal information. More information can be found in the complaints section earlier in this document.
Privacy goals and target
The agency’s privacy goals are to handle personal information in a responsible manner, consistent with its obligations under the Privacy Act 1988 and to ensure staff are aware of the agency’s privacy obligations.
The agency’s privacy target is to achieve 100 per cent compliance with its privacy obligations, and the requirements or requests that arise in respect of its privacy obligations.
Measuring performance
The agency will measure and record its performance against its privacy target and goals annually. Any instances in which the agency falls short of its goals and target will be assessed and action taken in order to improve privacy processes.
Reporting
The agency’s privacy officer will report to senior management at least annually about relevant privacy issues, including performance against privacy targets, through a scheduled review of this privacy management plan.
The privacy officer will report to senior management as soon as practicable any substantiated complaint about the agency’s handling of an individual’s personal information, a data breach or any other privacy event which substantially affects TEQSA’s capacity to meet its obligations under the Privacy Act 1988, the Privacy (Australian Government Agencies — Governance) APP Code 2017 or this policy and plan.
Regular reviews
The agency will regularly review and update its privacy practices, procedures and systems, to ensure their currency and adequacy for the purposes of compliance with the APPs. The scope of the review will include:
- the agency’s privacy policy
- any privacy notice prepared for the purposes of APP 5.