Privacy

IAC is committed to a culture of corporate compliance and high ethical behaviour. Our ethical values are set out in the IAC Code of Conduct.
This policy complements the Code of Conduct and highlights misconduct, improper behaviour or the existence of an improper situation at IAC.  IAC is committed to conforming with its compliance obligations described within the Commonwealth Corporations Act and Regulations 2001.
The guiding principles of this policy aim to protect personal information records for confidentiality and privacy.

Policy-in-Practice

The personal information for clients, also known as client records, that we collect and hold (file, archive) is what is reasonably necessary for our business functions and activities.  Personal information for clients is defined as:

  • personal details with your
    • name,
    • contact details (addresses, telephone numbers, facsimile numbers, email addresses),
    • demographic details (age, gender),
    • education (schooling, vocational education, higher education, etcetera),
    • health (relevant medical conditions, disabilities), and
    • economic (employment);
  • your reference number;
  • your connection with others (next of kin);
  • what, how, why (purchasing behaviour), and when you have used our products and/or services;
  • your product and/or service purchase (course code, title, payment of fees, attendance, academic progress, academic results; certification documentation, graduation, product and/or service satisfaction);
  • information which is relevant to you and the products and/or services provided to you;
  • credit card details held via our secure financial systems about the debit or credit card you might use when purchasing our products and/or services; and
  • website related details
    • address of the computer used to access our website;
    • top level domain name of the network used to access our website;
    • date and time of access to our website; pages accessed and documents downloaded from our website;
    • previous website visited;
    • search term used to find our website; and
    • type of browser used to access our website

Some of our products and/or services require us to collect health information from you for the purposes of determining student support services, and public liability considerations involving you.  

Personal Information Collection and Management

When we collect personal information about you, we do so by making a record of it.  We do this when you:

  • submit the completed application and personal information form;
  • submit the completed enrolment form and student agreement;
  • communicate with us via email or online; and
  • deal with us in other ways involving a need for personal information to be supplied to us about enquiries, compliments, informal grievances, internal formal complaints and appeals; and/or external formal disputes.

The personal information we collect and hold about you is from direct dealings with us.  We hold your personal information within hard-copy and electronic files.  These files may be managed by us, our service providers, or third parties, such as government authorities.  In all cases, we have rigorous information security requirements aimed at eliminating risks of unauthorised access to, and loss, misuse or wrongful alteration of, personal information.

Reason for Collection, Management and Disclosure of Personal Information

When we collect, manage (hold, use) and disclose your personal information, we do so to provide our services to you.

We disclose personal information we collect for purposes which are incidental to the provision of products and services to you.

We may collect, manage and disclose your personal information for other purposes which are within reasonable expectations or where permitted by law.

We may de-identify your personal information for use and disclosure of the anonymous data to assist us in providing services.

Access to Personal Information

We will provide you with access to any of your personal information we hold (except in limited circumstances recognised by law).  If you wish to access your personal information or have an enquiry about privacy, please contact our Privacy officer at:

  • IAC Privacy Officer
    PO Box 405, Upper Coomera Qld 4209, Australia
    T 0439 933 035
    E privacy@iacglobal.com.au
    www.iacglobal.com.au

Before we provide you with access to your personal information we may require some proof of identity.  We may charge a reasonable fee for giving you access to your personal information if your request requires substantial effort on our part.  If you need your personal information corrected, please contact our Privacy Officer using one of the above contact methods.

Complaints

If you wish to complain about a breach of the privacy rules that bind us, you may contact our Privacy officer using one of the above contact methods.  We may ask you to put your complaint in writing and to provide details about it.

We may discuss your complaint with our personnel, service providers and third parties, as appropriate.

Our Privacy officer will investigate the matter and attempt to resolve it within our complaint timeframes.  Our Privacy officer will inform you in writing about the outcome of the investigation.  If our Privacy officer does not resolve your complaint to your satisfaction and no other complaint resolution procedures are agreed or required by law, our Privacy officer will inform you that your complaint may be referred to the Privacy Commissioner for further investigation and will provide you with the Privacy Commissioner’s contact details.

  • Privacy Commissioner
    Office of the Australian Information Commissioner, Australian Government
    Level 3, 175 Pitt Street, Sydney 2000
    GPO Box 5218 Sydney NSW 2001
    GPO Box 2999 Canberra ACT 2601
    1300 363 992 or +61 (0) 2 9284 9749
    Teletypewriter - (TTY) 13 36 77 then ask for 1300 363 992
    Speak & Listen Users - 1300 555 727 then ask for 1300 363 992
    Internet relay users - Connect to the National Relay Service then ask for 1300 363 99
    Translating and Interpreting Service - 131 450 then ask for 1300 363 992
    If you do not speak English, or English is your second language, and you need assistance to communicate with us
    E enquiries@oaic.gov.au
    www.oaic.gov.au

Our Sharing of Your Personal Information

We may allow your personal information to be shared with our group companies located within countries other than Australia.  Our business locations are in Australia and (country).

IAC shall collect, store and use personal information necessary for the provision of products and services to clients, personnel, visitors and where required by third parties. We take all reasonable steps to prevent unauthorised access to, maintain disclosure of, and secure personal information to reduce the misuse or loss of personal information. In providing these products and services, we seek each person’s consent for the use of their personal information to allow IAC to communicate effectively with the client, deliver contract requirements, and in most cases, where client consent is received, share approved information with third parties. If personal information is shared with third parties it shall be done to:

  • prevent a serious and imminent threat to your or another’s life, health, or safety;
  • prevent a serious threat to the community’s health or safety; and
  • assist in the prevention or investigation of an offence or breach of a prescribed law.

Data Breach Notifications

When is a Data Breach Notifiable?

A breach is notifiable if it meets the following criteria:

  • personal information is lost, or there is unauthorised access or disclosure of information to a third party;
  • the loss, disclosure or access could result in serious harm; and
  • your business is not able to reduce this harm.

A breach may not be notifiable if the harm is not serious or if steps can be implemented to reduce its impact.

What are my reporting obligations?

If a notifiable data breach (NDB) occurs, you should report it to the OAIC and any affected individuals. The OAIC statement should include:

  • a summary of how the breach occurred;
  • what data was lost, disclosed or accessed;
  • the effect of the breach; and
  • your business name and contact details.

Notification to impacted individuals should:

  • summarise the events of the breach;
  • outline the potential impact; and
  • detail the actions you are taking to mitigate any risks.

When is a data breach serious?

Whether a data breach could result in “serious harm” depends on the perspective of a “reasonable person”. It considers several factors, including:

  • whether the harm is financial, physical, psychological or reputational;
  • whether the information lost or accessed is sensitive;
  • who has obtained or could obtain the information; or
  • whether effective security measures were in place to protect the information.

A notifiable data breach (NDB) occurs when personal data maintained by your business is lost or accessed by an unauthorised third party. The NDB Scheme is managed by the Office of the Australian Information Commissioner (OAIC) and applies to businesses with an annual turnover of over $3 million, credit reporting bodies, businesses that trade in personal information, health service providers, and tax file number recipients.

If the NDB Scheme applies to your business, you should comply with the scheme’s reporting obligations. This factsheet explains what a data breach is and when one is serious, your reporting obligations, and limiting an NDB’s impact.

How do I limit a data breach’s impact?

You can limit the impact of a breach by implementing a Data Breach Response Plan. Your plan should set out:

  • who in the business is responsible for dealing with the breach; and
  • what actions they should take if a breach occurs.

If a breach occurs, you can limit its impact by:

  • recovering lost records;
  • remotely deleting files;
  • shutting down the breached system; and
  • removing certain individuals’ access to the system.

The Policy shall be:

  • maintained, relevant, and appropriate as documented information;
  • made available and communicated within the organization, and to relevant parties; and
  • reviewed annually by the Executive Leadership Team (ELT) and Operations Management Team (OMT).

Dr Gloria Carter
Managing Director
1 July 2025
