TISC Privacy Policy Corporate

Background to the Policy
Purpose of disclosure
Security
Further disclosure
Direct marketing
Breach of our Privacy Policy
Definitions
Changes to our Privacy Policy

Last updated June 2018

Background to the Policy

The Tertiary Institutions Service Centre (TISC) collects, holds, processes, uses, transfers and discloses personal information, including sensitive information, about individuals to enable it to function as a provider of centralised tertiary admissions. This personal information must be afforded appropriate and adequate protection as required by the Privacy Act 1988 (Cth).

TISC discloses personal information about an individual to selected third-party entities to assist TISC in providing its services, and/or to allow those third parties to provide services to that individual. TISC may disclose personal information by making it accessible in person, by email, fax or telephone. TISC may also disclose personal information by granting access to services or databases as made available by TISC from time to time.

This policy sets out the obligation of third parties who access, use or store personal information disclosed by TISC. If a third party does not agree to comply with this Policy it should no longer access, use or store personal information disclosed by TISC.

Compliance with this Policy does not guarantee access to the personal information. Access to personal information is granted by TISC on a case-by-case basis. Failure to comply with this policy may lead to withdrawal of access to the personal information, but refusal or withdrawal of access may also occur as a result of factors unrelated to compliance with this policy.

Nothing in this policy has the effect of obliging TISC to disclose, or to continue to disclose, the personal information or limiting TISC from withdrawing, limiting, altering or attaching conditions to access the personal information.

This Policy supersedes any prior agreements and understandings (whether written or oral) between TISC and third parties regarding privacy obligations in relation to personal information. This Policy does not otherwise alter any rights, obligations, agreements or understandings between TISC and third parties.

Purpose of disclosure

Third parties may only use personal information disclosed by TISC to the extent necessary to achieve authorised purposes. The authorised purposes for which personal information disclosed by TISC may be used are:
  • any purpose for which the third party has secured the prior consent of the individual to whom the personal information relates;
  • allowing TISC and member universities to assess your university application in a reliable, valid and equitable manner;
  • notifying you of missing information or changes that relate to your university application, STAT booking or WAUFP enrolment;
  • assisting member universities with enrolments and/or special programs;
  • scaling WACE results jointly with the School Curriculum and Standards Authority) and calculating an Australian Tertiary Admission Rank (ATAR);
  • scaling WAUFP results and calculating a Combined Percentage Score (CPS);
  • ensuring that the individual is eligible to sit STAT and that your results are correctly issued to the individual;
  • ensuring that the individual is able to sit the appropriate WAUFP examinations and that the results are correctly issued to the individual;
  • facilitating provision information requested by the individual, for example information about study opportunities; or answering your enquiries;
  • for planning and quality control;
  • facilitating research into senior secondary and higher education;
  • maintaining the archive database of results from STAT sittings in Australia and overseas.
  • any other purpose for which prior written authorisation is obtained from TISC.

Top

Security

The third party must take reasonable steps, to the satisfaction of TISC, to ensure that personal information disclosed by TISC is protected against misuse, interference, loss and unauthorised access, modification and disclosure. The third party must ensure that each of its employees who access, use or disclose personal information are aware of and comply with the obligations under the Policy when they are accessing, using or disclosing the personal information. If the third party becomes aware of any misuse, interference, loss, or unauthorised access, modification or disclosure of personal information disclosed by TISC, the third party must immediately notify TISC.

Third parties may store the personal information in a secondary database to the extent necessary to undertake an authorised purpose. If the personal information is held in a secondary database, the third party must maintain appropriate logs of all personal information accessed by employees. If the nature of the database prevents the maintenance of such logs, the third party must restrict access to the database using appropriate security measures and maintain records of the individuals with current and previous access to the database. If requested by TISC, the third party must provide TISC with access to these logs or records within seven (7) days of the request.

The third party must take reasonable steps to update personal information if notified by TISC that the information is inaccurate, out-of-date, incomplete, irrelevant, or misleading taking into account the purpose for which the information is held by the third party. The third party must take reasonable steps to destroy or de-identify personal information that is no longer required to fulfil the purpose for which it was disclosed by TISC.

Top

Further disclosure

An employee of a third-party entity to whom personal information is disclosed by TISC may further disclose that personal information to other employees of that entity as necessary to undertake activities directed related to an authorised purpose.

Personal information disclosed by TISC must not be further disclosed outside the third-party entity without prior express written permission of TISC; or consent of the individual to whom the personal information relates.

Direct marketing

TISC participants
TISC participants may use personal information (excluding sensitive information) disclosed by TISC to communicate directly with an individual who has that institution listed as a current preference on a TISC application at the date of the communication.

All direct marketing communications that use personal information disclosed by TISC must comply with the Privacy Act 1988 (Cth) including containing a prominent statement offering a simple means to opt out of receiving direct marketing communications. This requirement applies regardless of whether or not the third party would otherwise be bound by the provisions of the Privacy Act 1988 (Cth).

If TISC gives written notice to a TISC participant that an individual has requested to no longer receive direct marketing from that TISC participant, the TISC participant must cease all such direct marketing using personal information disclosed by TISC to that individual within thirty (30) days of receiving notice from TISC.

Nothing in this policy is intended to relieve TISC participants from obligations under the Spam Act 2003 or The Do Not Call Register Act 2006.

Non-TISC participants
Third parties other than TISC participants must not use personal information disclosed by TISC for direct marketing.

Breach of our privacy policy

If TISC determines that the third party has breached this policy, TISC may withdraw access to some or all of the personal information. TISC may also require the third party to return and/or securely destroy personal information previously disclosed by TISC. TISC will elect whether it requires the personal information to be returned or destroyed.

Top

Definitions

Authorised purposes - purposes for which personal information disclosed by TISC may be used by third parties.

Direct Marketing - the use and/or disclosure of personal information to communicate directly with an individual to promote goods and services.

Disclosure - when personal information is made accessible to TISC, but does not include instances when an individual exploits TISC 's security measures and gains unauthorised access to the personal information.

Consent - express consent or implied consent, where the consent is voluntary and informed, current and specific, and the individual has the capacity to understand and communicate the consent.

Employee - an officer, employee, or agent (whether employed under a contract or otherwise), engaged by the third party to provide services in exchange for wages.

TISC - the Tertiary Institutions Service Centre (TISC).

TISC participants - the entities participating in TISC, as set out below:
  • Member universities;
  • Australian tertiary admission centres;
  • educational institutions, including schools, universities and State Training Providers, a student attended or where TISC reasonably believes a student were enrolled;
  • examining bodies whose examinations a student has sat, or TISC reasonably believes a student has sat, including the Australian Council for Educational Research if the student sits or has sat STAT;
  • State government education authorities, the Catholic Education Office of Western Australia (if the student attended a Catholic school); the Association of Independent Schools of WA (if the student attended a member school);
  • Commonwealth Department of Education or its successor;
  • Contracted service providers TISC uses to perform services on its behalf, for example, mailing houses to which TISC contracts despatch of correspondence; IT service providers;
  • WA TAFE Admissions Centre if a student sat STAT in WA;
  • Universities Australia;
  • Other institutions as admitted from time to time to TISC.
Personal information - information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.

Secondary database - a collection of data controlled by the third party which includes personal information disclosed by TISC.

Sensitive information - a subset of personal information that includes health information about an individual (whether or not the individual is identifiable), and any of the following in relation to identifiable individuals racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record.

Third-party entity - an organisation (including a TISC participant) or individual to whom TISC disclosed personal information.

Changes to our Privacy Policy

TISC reserves the right to amend this Policy from time to time. Printed copies of this policy are uncontrolled.

Top