40. Privacy requirements

40.1 - Requirements with respect to personal information

When dealing with personal information, a provider is required to comply with any relevant obligations under HESA, the Privacy Act 1988 (Cth) and any other law that regulates the handling of personal information. These obligations include (but are not limited to):

  • compliance with section 19-60 of HESA – which includes the following requirements:
    • compliance with the Australian Privacy Principles (APPs) (set out in Schedule 1 of the Privacy Act 1988 (Cth)) in respect of personal information obtained for the purposes of section 36-20 or Chapter 3 or 4 of HESA;
    • a provider must have a procedure under which a student enrolled with the provider may apply to the provider for, and receive, a copy of personal information that the provider holds in relation to that student; and
    • compliance with the requirements of the Higher Education Provider Guidelines relating to personal information in relation to students, and the provider’s own personal information handling procedures referred to in the point above; and
  • compliance with relevant requirements in Divisions 179 (Protection of Personal Information) and 180 (Disclosure or use of Higher Education Support Act information) of HESA.

40.2 - Seeking informed consent from students

A provider must obtain the student’s consent prior to providing the student’s personal information to the department. This consent can be obtained:

  • when the student submits their CAF to the provider prior to the allocation of a CHESSN; or
  • at another time, and in another form, determined by the provider, if the provider’s business processes require the CHESSN to be allocated prior to CAF submission, the student is a research student, or the student does not require a CHESSN.

40.3 - Privacy complaints

A provider must have published, publicly available grievance procedures for dealing with complaints by the provider’s students, and persons who seek to enrol in courses of study with the provider, relating to non-academic matters [HESA section 19-45]. These procedures should extend to, but are not limited to, complaints about breaches of privacy by the provider.