40. Privacy requirements

40.1 - Requirements with respect to personal information

When dealing with personal information, a provider is required to comply with any relevant obligations under HESA, and any other law that regulates the handling of personal information. Higher education providers who are APP Entities within the meaning of section 6C of the Privacy Act 1988 (Cth) also need to comply with their obligations under the Privacy Act 1988.

Privacy obligations that providers are subject to include (but are not limited to):

  • compliance with section 19-60 of HESA – which includes the following requirements:
    • compliance with the Australian Privacy Principles (APPs) (set out in Schedule 1 of the Privacy Act 1988) in respect of personal information obtained for the purposes of Subdivision 36-B or Chapter 3 or 4 of HESA
    • a provider must have a procedure under which a student enrolled with the provider may apply to the provider for, and receive, a copy of personal information that the provider holds in relation to that student; and
    • compliance with the requirements of the Higher Education Provider Guidelines relating to personal information in relation to students, and the provider’s own personal information handling procedures referred to in the point above; and
    • compliance with relevant requirements in Divisions 179 (Protection of Personal Information) and 180 (Disclosure or use of Higher Education Support Act information) of HESA

40.2 - Seeking informed consent from students

A provider must obtain the student’s consent prior to providing the student’s personal information to the department. This consent can be obtained:

  • when the student submits their CAF to the provider; or
  • for students who are not required to submit a CAF, at another time, and in another form, determined by the provider

40.3 - Privacy complaints

A provider must have published, publicly available grievance procedures for dealing with complaints by the provider’s students, and persons who seek to enrol in courses of study with the provider, relating to non-academic matters [HESA section 19-45]. These procedures should extend to, but are not limited to, complaints about breaches of privacy by the provider.