The National Centre for Vocational Education Research Limited (NCVER) is a not-for-profit company owned by the Commonwealth and state and territory ministers responsible for vocational education and training (VET). It is a professional and independent body responsible for collecting, managing, analysing, evaluating and communicating research and statistics about VET nationally. NCVER operates under the authority of ministers responsible for education and training, the legislated registration requirements for training providers under national VET regulation, and other relevant legislation.
1. Commitment to Privacy and Information Security
NCVER is committed to managing personal information, and ‘sensitive’ personal information, in an open and transparent way. In collecting, holding, using and disclosing personal information, NCVER is bound by the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act 1988 (Cth). This policy sets out how NCVER manages personal information in accordance with these requirements.
2. Regulatory Environment for VET Data
The Australian Skills Quality Authority (ASQA) is the regulatory body for the VET sector. ASQA was established through the enactment of the National Vocational Education and Training Regulator Act 2011 (Cth) (the Act).
Registered training organisations (RTOs) are obliged, as a condition of registration with ASQA, to collect and report Total VET Activity Data which must comply with the Australian VET Management Information Statistical Standard (AVETMISS).
Total VET Activity data collection and reporting requirements are regulated through the Data Provision Requirements 2012 legislative instrument, together with the National VET Data Policy, published by the Australian Government Department of Education, Skills and Employment and the Standards for Registered Training Organisations (RTOs) 2015. Access to and disclosure of national VET provider collection data is governed by the National VET Data Policy agreed by the Council of Australian Governments Ministers responsible for skills under the Act.
Regulation of the collection, use and disclosure of the Unique Student Identifier (USI) is regulated by the Student Identifiers Act 2014 (Cth), and Student Identifiers Regulations. NCVER is authorised, under the Student Identifiers Regulations, to adopt, use and disclose USIs in certain circumstances (see paragraph 4).
3. Meaning of Personal Information and ‘Sensitive’ Personal Information
The Privacy Act 1988 defines ‘Personal Information’ as information or an opinion about an identified individual, or someone who is reasonably identifiable, whether the information/opinion is true or not, and whether the information/opinion is recorded in material form or not. ‘Sensitive Personal Information’ is a sub-set of personal information which relates to a person’s racial or ethnic origin, political opinions, philosophical or religious beliefs/affiliations, memberships (political, professional or trade association, trade union), sexual preferences/practices, criminal record, health, genetic or biometric information.
3.1 Type of information collected by NCVER
NCVER may collect contact information (such as name, organisation, position, address, telephone, and email) for marketing, client support services, servicing data requests, managing research grants, conducting research, VOCEDplus research database services, or for communicating with stakeholders and suppliers as part of day to day services. Student information for the national VET collections and national VET surveys is not at present collected directly by NCVER (see paragraph 6.3 of this policy).
The management of NCVER employee information complies with this policy. Personal information collected includes names, addresses, phone numbers, emergency contact details and other employment related information.
Personal information defined as ‘sensitive’ under the Privacy Act 1988, which may be collected by NCVER, includes information such as dietary requirement for events and biographical information for key note speakers. Data collected for the national VET collections, national VET surveys, and some VET research conducted by NCVER may include personal information which infers ethnicity (eg. Indigenous status, country of birth, language spoken at home), and disability status (including types of disability). NCVER employee information may include professional association memberships, health and work injury information.
4. Government Related Identifiers
NCVER does not collect, use or disclose a government related identifier of an individual as its own identifier, unless NCVER is authorised by law and prescribed in regulations to do so.
NCVER is authorised by the Student Identifiers Act 2014 and Student Identifiers Regulation 2014 to collect, use and disclose a student identifier for purposes specified in the Regulations, including for purposes related to the collection and preparation of statistics relating to VET, for the purpose of auditing the accuracy and reliability of the national VET statistical collections, for the purposes of research, to enable the Student Identifiers Registrar to prepare an authenticated VET transcript, and for the purpose of assisting the Student Identifiers Registrar to identify, investigate and resolve a problem that occurs in relation to the assignment of student identifiers.
5. Anonymity and Pseudonymity
As far as practicable, NCVER aims to offer individuals the options of anonymity and pseudonymity when collecting personal information. Examples of situations where it is not possible to offer anonymity include servicing data requests, resolving client support service requests, registrations for events, document delivery requests, and HR management.
6. Collection, Use and Disclosure of Personal Information
When necessary, personal information is collected by NCVER for marketing services, client support services, and research activities. NCVER does not directly collect data for the national VET collections, national VET surveys, or the Longitudinal Survey of Australian Youth (LSAY), but receives this data from the organisations that collect it. A log book of visitor names and contact information is also maintained for administrative, safety and security purposes.
6.1 Marketing Services
Personal information is collected directly from individuals who subscribe to NCVER marketing communications (see also paragraph 9.4); or who register for events (such as research forums) and NCVER hosted webinars; and from stakeholders for day-to-day business and information dissemination. Personal information is kept as long as it is required for the purpose it was collected. Subscribers to any of NCVER’s marketing communications can unsubscribe at any time.
NCVER’s research activities encompass NCVER’s own research program and research consultancy, management of the national competitive research grants on behalf of the Australian Government Department of Education, Skills and Employment and the VOCEDplus research database.
- NCVER’s own research program and research consultancy – Privacy notification is provided ahead of conducting research interviews or at the time of inviting individuals to participate in a survey. Personal information is collected directly from individuals. Where personal information is collected from persons under 18, parental consent is obtained and NCVER researchers comply with the relevant jurisdiction’s Children’s Protection Act. Personal contact information is kept only for as long as required for the research. Research data is de-identified and retained with appropriate security as required for research data archive requirements.
- Managed research grants – Privacy notification is provided when applicants apply for funding, when reviewers are invited to be part of the editorial board, and when respondents are invited to participate in a survey. Personal information is collected directly from researchers who have been awarded grants by telephone and/or written communications. This information is kept as required by contractual obligations.
- VOCEDplus research database – Privacy notification is provided at the point of collecting personal information via online forms. Personal contact information is collected directly from end-users for services including document delivery, reference queries, document submission for inclusion in the research database, general enquiries, and application for membership of the Pathways Practitioners Community. Information obtained for document delivery requests is retained in accordance with copyright law. Personal information collected for other purposes is not retained longer than required for the purpose it was collected.
6.3 National VET Collections and National VET Surveys
NCVER manages four national collections covering different aspects of vocational education and training in Australia, as well as a number of surveys.
- National VET Collections – Data for the national VET collections are collected by training providers and provided to NCVER as regulated by the Australian Skills Quality Authority (see paragraph 2). Student names and contact information are required fields in the AVETMIS Standard (AVETMISS Data Element Definitions). These fields are encrypted as soon as AVETMISS data are received by NCVER from data submitters. NCVER does not at present retain any student names or contact details.
- National VET Surveys – Student information for the national VET surveys is collected by professional social research organisations that are contracted by NCVER on behalf of the Australian Government Department of Education, Skills and Employment. Student names and contact information are removed by the contractor before providing the data to NCVER. The contractor destroys student names and contact details on completion of the survey.
- Longitudinal Survey of Australian Youth (LSAY) – This survey tracks people as they move from school into further study, work, and other destinations, and provides important information for understanding young people’s key learning transitions and pathways. LSAY is managed and funded by the Australian Government Department of Education, Skills and Employment. Data for LSAY are collected by a professional market and social research organisation via phone and online interviews. This organisation provides the data to NCVER after removing the names and contact information of the survey respondents. NCVER provides analytical, reporting and publishing services for LSAY.
6.4 Uses of NCVER Research, National VET Collections and Surveys Data
Research – Data collected as part of research informs published research. Research reports, with the exception of some consultancy reports, are publically available, and can be used by anyone to facilitate understanding of VET sector dynamics and performance, support critical policy and other decision making, and shed light on evolving VET sector priorities.
National VET Collections and Surveys – The data from the national VET collections and national VET and LSAY surveys are used by NCVER to produce publications and data tools that facilitate an understanding of VET sector dynamics and performance, support critical policy and other decision making, and are aligned to evolving VET sector priorities. Data are, upon request, accessible to the Commonwealth and state and territory governments, training providers, peak bodies, researchers, and the general public in accordance with the National VET Data Policy for disclosure and publication of national VET Administrative Collections and Surveys (see 6.5). Data may also be provided to the Australian Skills Quality Authority (ASQA) upon request in accord with the National Vocational Education and Training Regulator Act 2011 (Cth) and other state regulations.
6.5 Disclosure of Personal Information
In general, NCVER does not disclose personal information other than for the purpose for which it was collected, or if a person has consented to the disclosure of their information for a specific purpose, or they would reasonably expect this (eg. receiving communications about upcoming events), or if required by law.
NCVER takes rigorous steps to ensure data in publications are de-identified and confidentialised. Where requests are made to NCVER for national VET collection and survey data or for access to NCVER’s data tools, NCVER will release data in accordance with the National VET Data Policy (for disclosure and publication of the national VET Administrative Collections and Surveys). Where disclosure of unit record data is authorised under the National VET Data Policy, such disclosure is made upon written application and a signed undertaking to protect the data according to the provisions of the Privacy Act 1988. Disclosure of student identifiers is made in accordance with the provisions of the Student Identifiers Act and Student Identifiers Regulation.
In accordance with the National VET Data Policy, personal information that has been disclosed to NCVER may be used or disclosed by NCVER for the following purposes:
(a) populating authenticated VET transcripts;
(b) facilitating statistics and research relating to education, including surveys and data linkage;
(c) pre-populating RTO student enrolment forms;
(d) understanding how the VET market operates, for policy, workforce planning and consumer information; and
(e) administering VET, including program administration, regulation, monitoring and evaluation.
6.6 Data Linking
NCVER participates in projects which link the National VET Collections data with other datasets, such as datasets collected by the Australian Government Department of Education, Skills and Employment and by other Commonwealth Government agencies. Data linking projects are expected to increase because of the benefits of enriched information for policy decision making, improving training pathways and options, and research for example.
In linking datasets, NCVER takes rigorous steps to protect the privacy of individuals. NCVER manages its datasets and conducts all data linking projects in accordance with the requirements of the Australian Privacy Principles, as outlined in the Privacy Act 1988, and also the Student Identifiers Act 2014 (and Regulation) where Unique Student Identifiers (USIs) may be included. Although not mandated to do so, NCVER follows the Guidelines on Data Matching in Australian Government Administration published by the Office of the Australian Information Commissioner. Where Commonwealth data are involved, NCVER liaises with the Commonwealth agencies and complies with the High Level Principles for Data Integration Involving Commonwealth Data for Statistical and Research Purposes published by the Australian Government Cross Portfolio Statistical Integration Committee (CPSIC). NCVER also conducts Privacy Impact Assessments for all data linking projects with the aim of reducing any privacy risks.
6.7 NCVER Employee Information
Privacy notification and collection of personal information occurs on employment commencement and throughout employment as necessary for administrative and other HR management purposes. After an employee leaves NCVER, their personal information is retained as required by Australian law.
6.8 Unsolicited personal information
If NCVER should receive unsolicited personal information, it will be treated and managed according to the Australian Privacy Principles if found to be related to one of its collections, otherwise it will be destroyed or de-identified if lawful to do so.
7. Information Security
NCVER takes active steps to protect personal information and data from cybercrime, interference, misuse, modification, and unauthorised access or disclosure. NCVER’s information security management system aligns with the requirements of ISO 27001 (Information Security Management System) and ICT systems security recommendations published by the Australian Signals Directorate. ICT system security measures include system security, information security, network security, physical security, personnel security and training, and ensuring any contracted third-parties have appropriate security policies and certified ICT safeguards before engagement.
Generally, NCVER retains personal information for as long as it is required for its business activities, and for as long as we are legally required to retain the information, or are required to do so under a court/tribunal order. When personal information is no longer necessary for the business activity it was collected for, and it is legal to do so, NCVER destroys or takes reasonable steps to de-identify the information.
The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (NDB Act), which amended the Privacy Act 1988 (Cth) (Privacy Act), has introduced new obligations on NCVER to report certain (actual or suspected) unauthorised access, disclosure or loss of personal information of individuals to the Australian Information Commissioner (Commissioner) and/or certain affected individuals. In order to enable NCVER to comply with its obligations under the Privacy Act, it requires each entity, individual, organisation, Government Department, agency or other person with whom it contracts or otherwise deals with (Users) to:
|(a)||notify NCVER immediately upon it suspecting or becoming aware of any unauthorised access to or disclosure or loss of, personal information that is “held” by NCVER (within the meaning of the Privacy Act);|
|(b)||meet with NCVER as soon as practicable, and not later than within 30 days of the suspicion or knowledge arising, to mutually carry out a reasonable and expeditious assessment of whether there are reasonable grounds to believe that an “eligible data breach” (as defined in the Privacy Act) has occurred (Assessment);|
|(c)||if the Assessment concludes there are reasonable grounds to believe that an eligible data breach has occurred:|
(i) consider whether there is any remedial action that can be immediately taken to prevent any serious harm occurring to individuals (Remedial Action), and if so, take that action immediately;
(ii) if the Remedial Action is successful in preventing any serious harm occurring, assess whether it is then likely that any serious harm will occur to any individual as a result of the access, disclosure or loss;
And if there remain reasonable grounds to believe serious harm remains likely:
(iii) assist NCVER in preparing, as soon as practical, a statement to be provided to the Commissioner in accordance with section 26WK(3) of the Privacy Act (Statement); and
(iv) assist NCVER in considering the practicability of:
(A) notifying each individual, to whom the relevant information relates, of the contents of the Statement; or (if that is not practicable)
(B) notifying each individual who is “at risk” from the eligible data breach,
and notifying those persons accordingly, and if neither of those options is practicable, assist NCVER in:
(C) publishing a copy of the Statement on NCVER’s and/or the User’s website (at NCVER’s discretion); and
(D) taking reasonable steps to publicise the content of the Statement.
User’s must use their reasonable endeavours in all dealings with NCVER to ensure they comply with the Privacy Act and do not do or omit to do anything that may cause NCVER to breach any of its obligations under the Privacy Act.
The User must meet its own costs arising out of or in relation to complying with these Notifiable Data Breaches clauses.
8. Access to and correction of personal information
NCVER endeavours to ensure the personal information it collects and uses or discloses is accurate, up to date, complete and relevant. NCVER routinely updates the information in its customer relationship management system.
Individuals may request access to and correction of personal information at any time. This can only be done for personal information collected by NCVER directly from individuals. Subscribers to any of NCVER’s marketing communications are able to access their online accounts and make changes or unsubscribe at any time.
NCVER is not able to update or provide access to personal information collected for the national VET collections, the national VET surveys, or Longitudinal Survey of Australian Youth (LSAY) (see paragraph 6.3). NCVER does not at present hold the names of individuals and their contact details. To seek access to or correction of this information, students should contact their training provider regarding the national VET collections data which are submitted to NCVER by registered training organisations, and people who have provided information for the national VET surveys or LSAY should contact the organisation who collected the information. For the Student Outcomes Survey refer to Student Outcomes Survey-Privacy collection notice and for the LSAY refer to LSAY-Participant Information.
9. Online Privacy
9.1 NCVER’s website management
The web servers for the NCVER Portal, LSAY, AVETMISS Validation Software, and VOCEDplus websites automatically log information such as server address, date and time of visit and web pages accessed. No personal information is recorded. These logs are used for website management and improvement.
Where there are links on NCVER’s websites to third party websites, NCVER cannot guarantee the privacy of those sites and is not responsible for the privacy practices of the linked websites. Any concerns regarding the privacy policies of linked websites should be directed to those websites.
9.2 Google Analytics and Hotjar
NCVER uses Google Analytics for improving its Portal, LSAY, AVETMISS Validation Software and VOCEDplus websites. The Portal and LSAY websites are also ‘Hotjar enabled’. By accessing and navigating these websites, end users consent to the processing of the data collected by Google and Hotjar analytics in the manner and for the purposes set out below.
Hotjar is also a web analytics service and is provided by Hotjar Ltd located in Malta. A Hotjar enabled website tracks end-user website activities and data such as IP addresses, device type, country location, referring URL and domain, and cookies to collect information such as standard internet log information. This information is transmitted to Hotjar servers located in Ireland and is subject to the European Union Data Protection Directive which regulates the processing of personal data within the European Union.
By ‘Hotjar enabling’ the Portal and LSAY website, NCVER can enhance end-user experience by improving functionality, identifying preferences, diagnosing technical problems, and analysing trends.
9.3 MailChimp and Facebook Pixel
NCVER uses the MailChimp subscription service for its marketing communications. When you sign up to NCVER’s marketing communications on any of our websites, your personal information will be captured by MailChimp and held in servers located in the United States and subject to USA law. MailChimp may transfer this information to third parties that process information on their behalf, or where required by law.
NCVER uses Facebook Pixel on the LSAY website to measure the effectiveness and reach of our LSAY advertisements as we would like communications to be relevant and of interest to potential audiences in promoting the survey.
NCVER may use SurveyMonkey occasionally for research purposes or for gathering views from users of the VOCEDplus database and website in order to make improvements.
SurveyMonkey is a global provider of web-based survey solutions. When you enter information for a survey conducted by NCVER using SurveyMonkey, your responses are stored on servers located in the USA. SurveyMonkey treats the information as private to NCVER (the survey creator) who also owns and manages the data. The data are disclosed to NCVER only. Surveys conducted by NCVER using SurveyMonkey are completely voluntary.
SurveyMonkey collects information such as: usage data, device data, referral data, information from page tags, cookies and Google Analytics.
10 Privacy Complaints
Complaints or concerns about NCVER’s management of personal information should be directed in writing to NCVER’s Privacy Officer at email@example.com. NCVER will respond in writing within 14 business days.
11. Privacy Contact
For all privacy related enquiries, or to request a pdf copy of this policy, contact:
The Privacy Officer
NCVER, Level 5, 60 Light Square, ADELAIDE, SA 5000.
(T) Telephone 08 8230 8400
12. Policy revision history
|REVISION DATES:||Policy created: 27/2/2014; Last revised: December 2018|