On this page:
A provider may communicate electronically with its students if the provider complies with the requirements of the Electronic Transactions Act 1999 (ETA), HESA and chapter 8 of the Administration Guidelines in doing so.
The requirements in the Administration Guidelines only relate to information that HESA requires or, permits to be given between students and providers. The ETA does not apply to information that is not covered by HESA and its guidelines, such as enrolment forms.
Electronic communication of documents, forms, notices and requests (information) includes email, web-based communication or any other form of electronic communications specified by the provider [Administration Guidelines chapter 8], as long as the method of electronic communication assures that the integrity of information is maintained [ETA section 11].
41.1 - What can be communicated electronically
Information required or permitted under HESA to be given between the student and the provider, may be communicated electronically or online using an information system. This includes:
- requests for Commonwealth assistance [part 9]
- requests for the correction of a notice [part 10.4]
- notification, by a student, of their TFN or the provision of a Certificate of application for a TFN [part 34]
- notification, by a student, that he or she does not wish to be Commonwealth supported for a unit of study [part 20]; and
- the CAN [part 10]
Information technology requirements
The information system used for providing or receiving electronic communications must be accessible by students. To be accessible, the provider must have:
- informed students by direct communication, or by way of the provider’s publications, that communication will occur by electronic means using the information system; and
- given the students authority to use the information system
Any information system used to send or receive electronic communications must also be able to store the information so that the student can readily access it, and available for subsequent reference and printing.
Online access to electronic CANs
For units of study where the provider is required to initially issue a CAN [HESA subsection 169-5(1)], providers must ensure that a student enrolled in that unit can access an electronic CAN. The provider’s obligation to provide online access to the CAN ceases when the person is no longer enrolled in the relevant unit of study; for example, when they complete the unit.
Each time the person enrols in further units of study for which the provider must issue a new CAN, the provider has a new and separate obligation to provide online access to that CAN.
41.2 - Requirements for electronic communication of information from a student to a provider
Where providers receive information from students electronically, they will need to comply with the provisions of the ETA and chapter 8 of the Administration Guidelines. This includes:
- requests for Commonwealth assistance [part 9]
- a request for the correction of a notice [part 9.5]
- notification by a student of their TFN, or applied Certificate of application for a TFN [part 34]; and
- notification by a student that he or she does not wish to be Commonwealth supported for a unit of study [part 20.3]
The requirement for this information to be given in writing by the student is met if the student gives the information to the provider by means of electronic communications and all of the following circumstances prevail:
- The information system used for providing the information is
- compliant with the information technology requirements in [part 41.1]
- secure, with appropriate security and back-up measures in place; and
- able to generate a printable receipt for the student
- When giving information to the provider, the student follows instructions the provider has given. For example, the provider may require a notice from a student to be sent to a particular email address.
- The student is able to verify the provider has received the information in accordance with any requirements for verification the provider may have. A provider should inform students of the procedures they will need to follow regarding the electronic submission of information. For example, a provider should inform a student what they should do if they do not receive a confirmation of receipt of the information within the specified period.
- Where a document must be signed, a method is used to identify the person and indicate the person’s approval of the information [ETA sections 9 – 11 and Administration Guidelines chapter 8].
41.3 - Electronic submission of documents that require signature
For documents that students are required to sign, such as the eCAF [part 9.4], students must use a unique identifier, issued by their provider, to identify themselves and indicate their approval of the conditions and requirements set out in the CAF or other document [ETA section 10; Administration Guidelines chapter 8]. When submitting a Government eCAF, the ‘submission transaction’ serves as the student’s electronic signature, and the student receives a PDF copy via email for their records.
41.4 - Issuing unique identifiers to students
A provider must have a method in place that the student can use to uniquely identify themselves in the communication and indicate approval of information in it. A unique identifier can be in the form of a personal identification number (PIN), a username and password combination, or in a form as determined by the provider. USIs and CHESSNs cannot be used as identifiers.
In issuing the unique identifier, the provider must ensure it uses a reliable method of verifying a person’s identity [ETA subsection 10(1)]. The provider must:
- verify the identity of the person to whom the identifier is to be issued
- take all reasonable precautions to ensure there is no unauthorised access to, or use of, the identifier; and
- ensure the student is advised that, apart from the provider’s obligations under paragraphs a) and b), the student is personally responsible for protecting the identifier.
A provider may issue the student a unique identifier that can be multi-functional. That is, a student can use the identifier to submit an eCAF and for other enrolment processes.
41.5 - Verifying a student’s identity
The unique identifier and other details should be immediately matched with other data on the provider’s system to validate the name and the identifier. If the information provided by the student does not match the data on the provider’s system, the form should be rejected, and a message provided to the student stating that there is an error and advising of any follow-up action required.
41.6 - Requirements for provider eCAFs
Students need to complete and submit CAFs electronically [HESA Division 174]. Providers may choose to use their own, purpose-built eCAFs, or they may choose to use the Government eCAF, which is available for all approved providers. Providers who elect to use their own eCAF systems must meet the requirements in the ETA and chapter 8 of the Administration Guidelines and ensure that their eCAFs are ‘approved forms’.
An approved form comprises all the information contained in the Government eCAF. The department will provide access to the Government eCAF as the point of reference that providers must use to develop their provider eCAFs.
The information contained in the Government eCAF represents the minimum mandatory information required for a provider eCAF to be valid. This will allow providers to ‘personalise’ the form as they require, provided the minimum requirements are met. Omitting to incorporate these minimum requirements will invalidate the form, as it will not be the form approved by the Minister for the purposes of HESA (with the exception of the optional fields described below).
Other fields that providers may wish to include in their provider eCAF will be minimal and must be kept separate from the prescribed minimum requirements. This is to avoid confusion among students as to what information is being collected for the purposes of establishing their eligibility for Commonwealth assistance under HESA and what information is being collected for the provider’s own internal purposes.
Accessing the Government eCAF
Providers can request access to the Government eCAF training environment and the Government live eCAF environment by contacting the department.
- For higher education providers, please email HEenquiries@education.gov.au
- For VET Providers, please visit the VET Student Loans page on the DEWR website
Other key requirements for provider eCAFs
Additionally, providers must fulfil the below key requirements in relation to eCAFs.
Inclusion of an automatically generated date field
Students who complete an electronic form are not required to date the form. A provider must include a date field that is automatically generated by the system when the student submits the form.
Assistance in submitting, and correcting and submitting the form
A provider must ensure that students have reasonable access to the relevant student information booklet [part 9.2], to assist students when completing electronic forms such as eCAFs. A provider should give students the opportunity to re-read the information they have provided online and correct any errors if necessary.
If the provider is satisfied that the student has made an error in completing the form, the student should be provided with an opportunity to correctly complete and resubmit the form [HESA section 169-10].
Issue of a receipt
Any information system that students use to submit an eCAF must be able to generate a printable receipt for the student. A provider may determine the format of this receipt. However, the student’s TFN must not be printed on the receipt issued to the student.
41.7 - Retrieval of information
A provider must store all electronic forms, notices, documents, and other information in such a way that they can be reproduced and retrieved. A provider may use the Government eCAF as a template for inputting stored data into the related fields and generating a hard copy. The hard copy of the electronic form does not need to be in the same format as the current eCAF but should reflect what the student has submitted.
41.8 - Storage of data
The information system must store the information so that the student can readily access it and so that it can be made available for subsequent reference.
A provider must store the data in a dataset. Information provided by students, in particular TFNs, must be recorded in a secure database. The storage and security of TFNs must comply with the Privacy (Tax File Number) Rule 2015.
Security and back-up measures
A provider must ensure a student’s information can only be accessed by a person authorised by the provider to access that information.
A provider should ensure that back-up measures are in place to cater for situations where computer malfunctions occur.
Where personal information of a student is stored on an information system, the provider must comply with the Privacy Act 1988 and HESA Division 179 [part 41.1].
41.9 - Requirements for electronic communication of information from a provider to a student
Where providers are sending any written information, documents, forms, requests and notices (‘information’) required or allowed by HESA to students electronically, they will need to comply with the provisions of the ETA and chapter 8 of the Administration Guidelines. The information that is likely to be sent would include a CAN.
In accordance with section 9 of the ETA and chapter 8 of the Administration Guidelines, the requirement for a provider to give a student a CAN, or other information in writing, is met if the information is provided by means of electronic communications and all of the following circumstances prevail:
- The information system used for providing the information electronically must be compliant with the information system requirements in [part 40.1].
- The student consents to receiving the CAN electronically [ETA paragraphs 9(1)(d), 11(1)(e) and 11(2)(e)]. It is up to providers to determine the means by which they obtain the student’s consent. A provider may wish to obtain the student’s consent through enrolment documentation.