1.1 RTO Data Pty Ltd is a business that offers software as a service (SAAS). This SAAS is distributed as a cloud based service which means it is accessed by users through the internet on any capable device. RTO Data Pty Ltd collects and stores personal information on behalf of our clients/users who are typically Registered Training Organisations as defined at Section 3, National Vocational Education and Training Regulator Act 2011.
- OUR OBLIGATION
2.1 RTO Data Pty Ltd complies with the Privacy Act 1988 (Commonwealth). This policy describes how RTO Data Pty Ltd collects, manages, uses, discloses, protects, and disposes of personal information in accordance with the thirteen Australian Privacy Principles (APPs) outlined in Schedule 1 of the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
3.1 Under the Privacy Act 1988 and Privacy Amendment (Enhancing Privacy Protection) Act 2012 (s6(1)), personal and sensitive information is defined as follows:
3.1.1 Personal information: is “information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.”
3.1.2 Sensitive information: is “(a) information or an opinion about an individual’s: (i) racial or ethnic origin, or (ii) political opinions, or (iii) membership of a political association, or (iv) religious beliefs or affiliations, or (v) philosophical beliefs, or (vi) membership of a professional or trade association, or (vii) membership of a trade union, or (viii) sexual preferences or practices, or (ix) criminal record, that is also personal information; or (b) health information about an individual; or (c) genetic information about an individual that is not otherwise health information; or (d) biometric information that is to be used for the purposes of automated biometric verification or biometric identification; or (e) biometric templates”.
- AUTHORITY TO COLLECT AND STORE INFORMATION
4.1 RTO Data Pty Ltd is authorised by its clients through their agreement to the RTO Data Cloud Terms and Conditions to collect and store information on their behalf. Our clients, as Registered Training Organisations, are registered under the authority of the National Vocational Education and Training Regulator Act 2011. This legislation requires our clients/users to collect personal and sensitive information from their learners. This requirement is specified in the Data Provision Requirements 2012, which is one of five legislative instruments that our clients must comply with as a condition of their registration.
4.2 The National Vocational Education and Training Regulator (Data Provision Requirements) Instrument 2020 requires our clients to collect data from learners in accordance with the Australian Vocational Education and Training Management Information Statistical Standard (AVETMISS). This is a complex information standard that defines information about who the learner is, where the training is delivered and what the student is studying. The Standards for Registered Training Organisations 2015 require our clients to retain and store this information for up to 30 years and to report training activity to government agencies in accordance with mandatory reporting requirements. It is the primary purpose of RTO Data Cloud to support our clients to comply with this requirement.
- COLLECTION AND USE
5.1 RTO Data Pty Ltd collects and uses information for three distinct groups and for different purposes. These include:
5.1.1 As a business. This includes collecting and using information about our clients as subscribers to the services we provide.
5.1.2 As an employer. This includes collecting and using information on and about our employees to support them and to meet our obligations as an employer.
5.1.3 As a service provider. This includes providing the systems for our clients to collect, store and use information in support of their own business.
5.2 As a business, RTO Data Pty Ltd collects information such as name, organisation, position, address, telephone, email and sales / subscription related information. This information is collected to provide services and for communicating with clients as part of our day to day operation through email and phone calls with support team members and finally through online forms such as purchase forms. In addition to this information, we may also collect, store and use information relating to client feedback, communications or complaint handling. It is important to note that we do not store any sensitive information on our clients including credit card information.
5.3 As an employer, RTO Data Pty Ltd collects the names, addresses, phone numbers, emergency contact details, bank account details and other employment related information from employees for the purpose of managing our human resources. Other employment related information may include taxation, leave and superannuation information required to meet our obligations as an employer.
5.4 As a service provider, RTO Data Pty Ltd provides the systems for our clients to collect, store and use information in support of their own business. This includes AVETMISS related information and other information including management information, staff information, student information, etc. Some of the information collected may be regarded as ‘sensitive’ as defined by the Privacy Act. It is important to make the distinction that it is the client who is collecting information and entering this information into each client’s dedicated RTO Data Cloud service. RTO Data Pty Ltd is responsible for storing this information, keeping it secure and providing access to authorised users of each client only.
- SENSITIVE INFORMATION
6.1 As a business, RTO Data Pty Ltd does not collect any sensitive information. This includes payment details such as credit card information as this information is entered directly into the RTO Data Pty Ltd payment merchant service with the National Australia Bank, NAB Transact. This information is not held and is not accessible to RTO Data Pty Ltd.
6.2 As an employer, RTO Data Pty Ltd may collect the following information from employees:
6.2.1 ‘Disability’ and ‘long-term impairment status’ (health); and ‘indigenous status’.
6.2.2 Tax File Number and related information such as preferred superannuation account and bank account details for the payment and processing of wages.
6.2.3 Work health and work injury information (health).
6.3 As a service provider, RTO Data Pty Ltd on behalf of its clients stores the following information:
6.3.1 ‘Disability’ and ‘long-term impairment status’ (health); and ‘indigenous status’, ‘language spoken at home’, ‘proficiency in spoken English’, ‘country of birth’ (implies ethnic/racial origin). This information is specified in the AVETMISS data elements and is collected for the national VET data collections, national VET surveys, and may be collected for VET-related research.
6.3.2 Identity related information such as drivers licence, passport number, visa number, Medicare number, et cetera that is required under the Student Identifiers Act 2014.
6.3.3 Dietary requirements (health-related) may be collected for catering purposes.
6.3.4 Biographical information, which may contain information on ‘affiliations’ and ‘membership of a professional or trade association’.
- DIRECT MARKETING
7.1 RTO Data Pty Ltd respects an individual’s right not to receive marketing material and provides an option within communications and on its website for individuals to unsubscribe from receiving marketing material. RTO Data Pty Ltd conducts its marketing communications and dissemination of service information in accordance with Australian Privacy Principle 7 (Direct marketing), the Spam Act 2003 (in respect of electronic communications), and the Do Not Call Register Act 2006. It is not, however, RTO Data Pty Ltd’s practice to ‘cold call’ for the purpose of marketing its products and services.
- GOOGLE ANALYTICS AND COOKIES ON RTODATACLOUD.COM.AU
8.2 The RTO Data Pty Ltd website automatically logs information such as server address, date and time of visit and web pages accessed. No personal information is recorded. These logs are used for website management and improvement.
- UNSOLICITED PERSONAL INFORMATION
9.1 If RTO Data Pty Ltd should receive unsolicited personal information, it will be treated and managed according to the Australian Privacy Principles.
- NOTIFICATION OF COLLECTION
10.1 RTO Data Pty Ltd aims to notify individuals of the collection of their personal information before, or at the time of collection, or as quickly as possible thereafter. Notifications are usually in writing. Notification is provided in the following circumstances:
10.1.1 As a business. Notification is provided when the client commences their subscription to RTO Data Cloud, and they agree to the service terms and conditions.
10.1.2 As an employer. Notification is provided at the commencement of their employment.
10.1.3 As a service provider. Our clients have an obligation under the National VET Data Policy to notify their students, prior to their enrolment or commencement, whichever occurs first.
- DISCLOSURE OF PERSONAL INFORMATION
11.1 RTO Data Pty Ltd will never disclose your personal information, other than for the purpose for which it was collected, without your consent unless we have a legal obligation to do so. This includes disclosure of information to any related entities or third parties.
11.2 RTO Data Pty Ltd may be compelled under s 62 of the National Vocational Education and Training Regulator Act 2011 (Cth) to provide information to the National VET Regulator about an RTO to which it provides a service by issuing a written notice to RTO Data Pty Ltd to give information and documents. It is an offence under s 64 of the National Vocational Education and Training Regulator Act 2011 not to provide information and documents when ordered to do so.
- MANAGEMENT OF PERSONAL INFORMATION
12.1 RTO Data Pty Ltd endeavours to ensure the personal information it collects and uses is accurate, up to date, complete and relevant. RTO Data Pty Ltd routinely updates the information held in its customer relationship management system.
- ACCESS TO AND CORRECTION OF PERSONAL INFORMATION
13.1 Individuals may, subject to the exceptions prescribed by the Australian Privacy Principles, request access to and correction of their personal information where this is collected directly from individuals by RTO Data Pty Ltd.
13.2 RTO Data Pty Ltd does not charge for giving access to or for correcting personal information. Requests for access to or correction of personal information should be made in accordance with the learner access to records policy.
- RTO DATA PTY LTD ACCESSING CLIENT INFORMATION
14.1 RTO Data Pty Ltd may monitor your use of RTO Data Cloud and access all information clients input or can access through RTO Data Cloud. Our observation of client use of RTO Data Cloud is limited to that required for managing client billing, user authorisation and system performance. Whilst RTO Data Pty Ltd can access all information clients input or can access through RTO Data Cloud, RTO Data Pty Ltd will always request client permission first, unless we are legally compelled to access the information without first gaining permission or need to do so to protect the integrity of RTO Data Cloud.
14.2 During normal day-to-day delivery of service, RTO Data Pty Ltd employees will never access client information stored within their dedicated RTO Data Cloud service unless we have received written and verbal permission to do so from the client authorised representative. The “client authorised representative” may be the client system administrator or a client entity owner or Director. This permission needs to include both written permission, which may be provided via an email, and verbal confirmation, which can be provided via phone or Zoom. Once permission is obtained, the access will be proposed to the RTO Data Pty Ltd Managing Director, who will assess each request based on its purpose, method, consent, and necessity. Permission will only be granted under specified limitations, which may include limiting the access to specific RTO Data Pty Ltd employees, time limitation, copy limitation, edit limitation, and testing limitation. After this access has been completed, a report will be provided to the client via email to confirm any work undertaken, conclusion of access, edits made and testing outcomes, and to confirm no copies of data have been retained.
- INFORMATION RETENTION AND DISPOSAL
15.1 Personal information is held in electronic format:
15.1.1 Information collected from employees is held in secure cloud-based file storage with controlled user access and in online accounting software for the purpose of administering payroll.
15.1.2 Information collected from clients is held in secure cloud-based client management software.
15.1.3 Information collected on behalf of our clients is held in dedicated client-specific instances of RTO Data Cloud securely hosted with Amazon Web Services. This information is retained whilst the client maintains a valid subscription to RTO Data Cloud and for 28 days after the subscription has ended, when it will be deleted.
15.1.4 All information is secured by backup and recovery arrangements.
- INFORMATION SECURITY
16.1 RTO Data Pty Ltd takes active steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. RTO Data Pty Ltd applies the following strategies to keep information secure:
16.2 The RTO Data Pty Ltd website and cloud services are protected by the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) protocol. TLS/SSL provides an internet protocol for establishing a secure online connection between a web server and a user’s computer. Client and server perform a handshake, in which a public key certificate containing identification details and a digital signature is passed between the client and the server, confirming the identity of each. This information is then used to create a cryptographic key, which securely encodes the information exchanged, ensuring that transactions between client and server cannot be read or altered by third parties. The key is unique to this session between the server and the client and lasts for the duration of the session. Web services secured by TLS/SSL will display HTTPS and the small padlock icon in the browser address bar. TLS/SSL is used both to protect the end users’ information while it is in transit and to authenticate the web service’s organisation identity to ensure users are interacting with legitimate website owners.
16.3 RTO Data Cloud undertakes a full backup of each client’s individual database twice daily. This backup is available to an authorised client to restore your instance of RTO Data Cloud on request. This request will need to be in writing from the authorised representative of the business. The maximum period of backup retention is 28 days meaning that a maximum of 56 restore points are available. Backup copies of client databases beyond this period of 28 days are not retained.
16.4 RTO Data Cloud undertakes a full system snapshot (image) every two hours. This snapshot establishes a full system recovery point if the system were to be disrupted. This recovery can be deployed within minutes to the last available recovery point. It provides 12 separate full system recovery points every day and is stored for up to two days.
16.5 RTO Data Cloud is protected behind a web application firewall. This is an important layer of the system security arrangements. The web application firewall applies strict security rules that control bot traffic and block common attack patterns such as brute force, SQL injection or cross-site scripting. The firewall also applies geo-blocking and blocks all traffic from outside of Australia. Access outside of Australia can be arranged under specifically agreed arrangements.
16.6 RTO Data Cloud is hosted only in Australia in a highly secure data centre protected behind multiple layers of physical and virtual security. No aspect of RTO Data Cloud is hosted, served, or routed through any other country other than Australia.
16.7 RTO Data Cloud is hosted in Sydney, Australia, with Amazon Web Services within the highly regarded Equinix SY3 Sydney IBX Data Center. This is arguably the most secure data storage centre in Australia. Data is protected behind a world-class firewall and is encrypted whilst being stored and in transit. The Australian government Cyber Security Centre (ACSC) has awarded PROTECTED certification to AWS Asia-Pacific (Sydney) Region. This is the highest data security certification available in Australia for cloud service providers, and AWS offers the most protected services of any public cloud service provider. These certified AWS services are utilised by RTO Data Cloud and cover services such as compute, storage, network, database, security, analytics, application integration, management, and governance.
16.8 RTO Data Cloud may only be accessed via a valid strong password that must include a combination of upper/lower case letters, numbers and special characters. The password during the log-in process must be verified by Two Factor Authentication (2FA). 2FA requires the entering of a code which is sent to the user’s nominated email account. The code that is issued will automatically expire after a short period of time, and the user can select to trust their device for a maximum of 30 days.
- YOUR SECURITY RESPONSIBILITY
17.1 Protecting your information is a shared responsibility. Unless you take adequate security precautions, it could be possible for an unauthorised person to gain access to your RTO Data Cloud. It is important to take all reasonable precautions to ensure that your username and password are not misused and remain secure and confidential. In particular:
17.1.1 you must not tell anyone your username or password, including any member of your family.
17.1.2 you must not let anyone else, whether acting as your agent or not, access RTO Data Cloud using your username and password.
17.1.3 you must be extra careful when accessing RTO Data Cloud from public computers to not allow the device to remember your password.
17.1.4 if you think anyone else might know your password you should reset your password immediately from within RTO Data Cloud or contact the support team to arrange a password reset.
17.1.5 you must maintain a strong password which must be 8 or more characters, and comply with the following format rules and guidelines:
17.1.5.1 must include an Uppercase letter;
17.1.5.2 must include a Lowercase letter;
17.1.5.3 must include a Number;
17.1.5.4 must include a Special character (such as #, $, ?, !, @);
17.1.5.5 must not contain your name, business name or common words;
17.1.5.6 must not contain easily identifiable personal information;
17.1.5.7 must not be the same password used on any other site or platform; and
17.1.5.8 must not be a similar variation of a previous password used.
17.1.6 you must ensure that all personnel within your organisation are informed of this policy and are complying with the above password rules and guidelines.
- COMPLAINTS AND CONCERNS
18.1 Complaints or concerns about RTO Data Pty Ltd’s management of personal information should be directed in writing to the RTO Data Pty Ltd Managing Director. RTO Data Pty Ltd will respond in writing within 10 business days. Complaints received by RTO Data Pty Ltd will be managed in accordance with the RTO Data Cloud – Complaints and Appeals Policy.
19.1 The privacy, confidentiality and security of your information is our top priority. We will take all reasonable measures to safeguard your information and ask that you help us in this effort by following the rules and guidelines outlined in this policy.
20.1 This policy should be read in conjunction with the other related terms and conditions.
20.2 By accessing RTO Data Cloud via the secure login, you acknowledge and agree to this policy.