Privacy Policy & Terms of Use

Purpose ......................................................................................................................................... 1
Definitions .................................................................................................................................... 1
Policy .............................................................................................................................................. 3
1. Privacy Principles .............................................................................................................. 3
2. Collection of information .............................................................................................. 4
3. Unique Student Identifiers (USI) ............................................................................... 4
4. Storage and use of information ................................................................................. 5
5. Disclosure of information .............................................................................................. 6
6. Access to and correction of records ........................................................................ 7
7. Complaints about privacy ............................................................................................. 7
Procedures .................................................................................................................................. 8
1. Privacy Notices ................................................................................................................... 8
2. Marketing Privacy ..................................................... Error! Bookmark not defined.
3. Privacy of USI information ............................................................................................. 8
4. Access to Records ............................................................................................................ 8
5. Amendment to Records ................................................................................................. 9
Document Control .................................................................................................................... 10

Purpose

Under the Data Provision Requirements 2012, ZEST is required to collect personal information about you and to disclose that personal information to the National Centre for Vocational Education Research Ltd (NCVER).
Your personal information (including the personal information contained on this enrolment form), may be used or disclosed by ZEST for statistical, administrative, regulatory and research purposes. ZEST may disclose your personal
information for these purposes to:
Commonwealth and State or Territory government departments and authorised agencies; and
NCVER.
Personal information that has been disclosed to NCVER may be used or disclosed by NCVER for the following purposes:
populating authenticated VET transcripts;
facilitating statistics and research relating to education, including surveys and data linkage;
pre-populating RTO student enrolment forms;
understanding how the VET market operates, for policy, workforce planning and consumer information; and
administering VET, including program administration, regulation, monitoring and evaluation.
You may receive a student survey which may be administered by a government department or NCVER employee, agent or third party contractor or other authorised agencies. Please note you may opt out of the survey at the time
of being contacted. NCVER will collect, hold, use and disclose your personal information in accordance with the Privacy Act 1988 (cth), the National VET Data Policy and all NCVER policies and protocols (including those published on NCVER’s website at www.ncver.edu.au)

This policy ensures that Zest meets its legal and ethical requirements in regard to the collection, storage and disclosure of the personal information it holds in regards to individuals. This policy and procedure contributes to compliance with Clause 3.6 and 8.5 of the Standards as well as the legislative instrument Data Provision Requirements 2012 including the National VET Provider Collection Data Requirements Policy

Definitions

ASQA means Australian Skills Quality Authority, the national VET regulator and the RTO’s registering body Personal information means ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

‘Whether the information or opinion is true or not; and
‘Whether the information or opinion is recorded in a material form or not.

SRTOs means the Standards for Registered Training Organisations 2015 – refer definition of ‘Standards’

Sensitive information is information is information or an opinion about an individual’s: racial or ethnic origin; or political opinions; or membership of a political association; or religious beliefs or affiliations; or philosophical beliefs; or membership of a professional or trade association; or membership of a trade union;

or sexual orientation or practices; or criminal record; that is also personal information; or health information about an individual; or genetic information about an individual that is not otherwise health information; or biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or biometric templates. Standards means the Standards for Registered Training Organisations (RTOs) 2015 from the VET Quality Framework which can be accessed at www.asqa.gov.au

Unique Student Identifier is a unique reference number issued to an individual by the Australian Government. It is made up of numbers and letters and enables an individual to look up and track their training achievements in an online database.

USI means Unique Student Identifier as above.

National VET Provider Collection Data Requirements Policy is Part B of the National VET Data Policy.

Policy

1. Privacy Principles

In collecting personal information, Zest complies with the requirements set out in the Privacy Act 1988, including Australian Privacy Principles 3 and 5 (in accordance with the National VET Provider Collection Data Requirements Policy clause 4.4) and the relevant privacy legislation and regulations of the Queensland DESBT in which Zest operates.
Personal information, including sensitive information, is collected from individuals in order that Zest can carry out its business functions. Zest only collects and stores information that is directly related to its business purposes and legal requirements of providing nationally recognised training and assessment.
Sensitive information is only collected by Zest if a permitted general or health situation applies in accordance with the Privacy Act (16A, 16B) such as, if:

— The collection of the information is required or authorised by, or under, an Australian law or a court/tribunal order.

— It is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure.

— It genuinely and reasonably believes that:
— The collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
— Unlawful activity, or misconduct of a serious nature, that relates to Zest’s functions or activities has been, is being or may be engaged in, and the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter.
— The collection, use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing.
— The collection, use or disclosure is reasonably necessary for the establishment, exercise or defense of a legal or equitable claim.

Zest ensures each individual:

− Knows why their information is being collected, how it will be used and who it will be disclosed to.
− Is made aware of any legal requirement for Zest to collect the information.
− Is able to access their personal information upon request.
− Does not receive unwanted direct marketing.
− Can ask for personal information that is incorrect to be corrected.
− Can make a complaint about Zest if they consider that their personal information has been mishandled.
− Is made aware of any consequences for not providing the information requested.

− Whether the information is likely to be disclosed to overseas recipients, and if so, which countries such recipients are likely to be located in.

Zest retains evidence that that the student has acknowledged the following Privacy Notice and Student Declaration as part of their enrolment process: https://www.education.gov.au/privacy-noticeand-student-declaration

2. Collection of information

In collecting personal information, Zest complies with the requirements set out in the Privacy Act 1988, including Australian Privacy Principles 3 and 5 (in accordance with the National VET Provider Collection Data Requirements Policy clause 4.4) and the relevant privacy legislation and regulations of the Queensland DESBT in which Zest operates.
Personal information, including sensitive information, is collected from individuals in order that Zest can carry out its business functions. Zest only collects and stores information that is directly related to its business purposes and legal requirements of providing nationally recognised training and assessment.
Sensitive information is only collected by Zest if a permitted general or health situation applies in accordance with the Privacy Act (16A, 16B) such as, if:

− personal and contact details
− employment information, where relevant
− academic history
− background information collected for statistical purposes about prior education, schooling, place of birth, disabilities and so on
− training, participation and assessment information
− fees and payment information
− information required for the issuance of a USI.

3. Unique Student Identifiers (USI)

All students participating in nationally recognised training from 1 January 2015 are required to have a Unique Student Identifier (USI) and provide it to Zest upon enrolment. Alternatively, Zest can apply for a USI on behalf of an individual.
The Student Identifiers Act 2014 authorises the Australian Government’s Student Identifiers Registrar to collect information about USI applicants. When Zest applies for a USI on behalf of a student who has authorised us to do so, we need to collect personal information about the student which will be passed on to the Student Identifiers Registrar. This will include

− name, including first or given name(s), middle name(s) and surname or family name
− date of birth
− city or town of birth
− country of birth
− gender

− contact details, so the Student Identifiers Registrar can provide individuals with their USI and explain how to activate their USI account.

In order to create a USI on behalf of a student, Zest will be required to verify the identity of the individual by receiving a copy of an accepted identification document. This document will only be used for the purposes of generating the USI and confirming the identity of the individual with the Registrar. Once the USI has been generated and validated, the identity documents used or collected for this purpose will be securely destroyed.
The information provided by an individual in connection with their application for a USI:

− Commonwealth and State/Territory government departments and agencies and statutory bodies performing functions relating to VET for:
− the purposes of administering and auditing VET, VET providers and VET programs
− education-related policy and research purposes
− to assist in determining eligibility for training subsidies
− VET Regulators to enable them to perform their VET regulatory functions
− VET Admission Bodies for the purposes of administering VET and VET programs
− current and former Registered Training Organisations to enable them to deliver VET courses to the individual, meet their reporting obligations under the VET standards and government contracts, and assist in determining eligibility for training subsidies
− schools for the purposes of delivering VET courses to the individual and reporting on these courses
− the National Centre for Vocational Education Research for the purpose of creating authenticated VET transcripts, resolving problems with USIs, and for the collection, preparation, and auditing of national VET statistics
− researchers for education and training-related research purposes
− any other person or agency that may be authorised or required by law to access the information
− any entity contractually engaged by the Student Identifiers Registrar to assist in the performance of his or her functions in the administration of the USI system
− will not otherwise be disclosed without the student’s consent unless authorised or required by or under law.

The consequences to the student of not providing the Registrar with some or all of their personal information are that the Registrar will not be able to issue the student with a USI, and therefore Zest will be unable to issue a qualification or statement of attainment.

4. Storage and use of information

Zest will store all records containing personal information securely and take all reasonable security measures to protect the information collected from unauthorised access, misuse, or disclosure. Personal information will be stored electronically in a secure environment to which only authorised staff have access within Dropbox Vault and the student management system (Axcelerate).
The personal information held about individuals will only be used by Zest to enable efficient student administration, report data to provide information about training opportunities, issue statements of attainment and qualifications to eligible students, and to maintain accurate and detailed records of student course participation, progress, and outcomes.
Zest may use the personal information provided by an individual to market other internal products and services to them. An individual may opt out of being contacted for marketing purposes at any time by contacting our office.

5. Disclosure of information

Zest will not disclose an individual’s personal information to another person or organisation unless:

− They are aware that information of that kind is usually passed to that person or organisation.
− The individual has given written consent.
− Zest believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious threat to the life or health of the individual concerned or another person.
− The disclosure is required or authorised by, or under, law.
− The disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.

Any person or organisation to which information is disclosed is not permitted to use or disclose the information for a purpose other than for which the information was supplied to them.
Personal information may be used or disclosed by Zest for statistical, regulatory and research purposes. Zest may disclose personal information for these purposes to third parties, including:

− Employers – where students are enrolled in training paid for by their employer
− Commonwealth and State or Territory government departments and authorised agencies; such as the Australian Skills Quality Authority (ASQA), and Department of Emplyment, small Business and Training (DESBT).
− NCVER
− Organisations conducting student surveys including DESBT
− Researchers.

• Personal information disclosed to NCVER may be used or disclosed for the following purposes:

− Issuing a VET Statement of Attainment or VET Qualification, and populating Authenticated VET Transcripts
− Facilitating statistics and research relating to education, including surveys
− Understanding how the VET market operates, for policy, workforce planning and consumer information
− Administering VET, including program administration, regulation, monitoring and evaluation.

6. Access to and correction of records

• Individuals have the right to access or obtain a copy of the information that Zest holds about them including personal details, contact details and information relating to course participation, progress and AQF certification and statements of attainment issued.
Requests to access or obtain a copy of the records held about an individual must be made by contacting our office using the Request to Access Records Form. The individual must prove their identity to be able to access their records.
There is no charge for an individual to access the records that Zest holds about them; however, there may be a charge for any copies made. Arrangements will be made within 10 days for the individual to access their records.

7. Complaints about privacy

• Any individual wishing to make a complaint or appeal about the way information has been handled within Zest can do so by following Zest’s Complaints and Appeals Policy and Procedure.

Procedures

1. Privacy Notices

Procedure

Ensure the NCVER privacy notice and declaration are included on the enrolment form https://www.education.gov.au/privacy-notice-and-student-declaration

A. Privacy notices

Responsibility

Compliance Consultant

2. Privacy of USI information

Procedure

A. USI Authority and Identification documents• USIs are collected on the Enrolment Form. Where a student does not have a USI, they may request for Zest to create one on their behalf.
Students who request for Zest to create a USI on their behalf must sign the USI Authority Form and provide the required identification document/s.
A USI must not be created for a student if the USI Authority Form, which includes the privacy notice, has not been signed.
As soon as practicable, once the USI has been generated and validated, the personal information provided in the USI section of the Enrolment Form must be securely destroyed and not kept on file.
Refer to the Student Administration Policy and Procedure for detailed instructions on the generation of USIs.

A. Privacy notices

Responsibility

Administration Team

3. Access to Records

Procedure

A. Request to access records
• Individuals may request to access their records by using the Request to Access Records Form. Written requests should be sent to the head office.
• Requests may be from past or current students or other individuals. It may be to access records held in a file about a student, or access to a previously issued AQF certification document – refer to the AQF Certification Policy & Procedure.
• Upon receiving a completed form, confirm the request is valid and has been made by the individual to which the records relate – check identification documents.
• Arrangements for provision of records should be made as suitable – mailing copies, providing a time for records to be viewed etc.
• Arrangements should be made verbally and confirmed in writing within 10 days of receiving the request.
• Where records are to be mailed, they should only be mailed to the address that is held on file for that individual, unless alternate change of address information is provided along with proof of identity – such as a driver’s license or utility bill.
• Where records are to be shown to an individual, the student must produce photo ID prior, and this should be matched to the records held on file about the individual to confirm they are only viewing their own records.
• Keep a note on how the records were accessed on the individual’s file.

Responsibility

Administration team

4. Amendment to Records

Procedure

• Arrangements for provision of records should be made as suitable – mailing copies, providing a time for records to be viewed etc.
Arrangements should be made verbally and confirmed in writing within 10 days of receiving the request.
Where records are to be mailed, they should only be mailed to the address that is held on file for that individual, unless alternate change of address information is provided along with proof of identity – such as a driver’s license or utility bill.
Where records are to be shown to an individual, the student must produce photo ID prior, and this should be matched to the records held on file about the individual to confirm they are only viewing their own records.
Keep a note on how the records were accessed on the individual’s file.

Responsibility

Administration team

Document Control

Document No. & Name: CG4 - Privacy P&P V3.0 (ID 27)
Quality Area: CG Corporate Governance
Author: ZEST Institute
Status: Approved
Standards (SRTOs): Clause 8.5 and 3.6

Purpose

Definitions

‘Whether the information or opinion is true or not; and
‘Whether the information or opinion is recorded in a material form or not.

SRTOs means the Standards for Registered Training Organisations 2015 – refer definition of ‘Standards’

USI means Unique Student Identifier as above.

National VET Provider Collection Data Requirements Policy is Part B of the National VET Data Policy.

Policy

1. Privacy Principles

In collecting personal information, Zest complies with the requirements set out in the Privacy Act 1988, including Australian Privacy Principles 3 and 5 (in accordance with the National VET Provider Collection Data Requirements Policy clause 4.4) and the relevant privacy legislation and regulations of the Queensland DESBT in which Zest operates.
Personal information, including sensitive information, is collected from individuals in order that Zest can carry out its business functions. Zest only collects and stores information that is directly related to its business purposes and legal requirements of providing nationally recognised training and assessment.
Sensitive information is only collected by Zest if a permitted general or health situation applies in accordance with the Privacy Act (16A, 16B) such as, if:

— The collection of the information is required or authorised by, or under, an Australian law or a court/tribunal order.

— It is unreasonable or impracticable to obtain the individual’s consent to the collection, use or disclosure.

— It genuinely and reasonably believes that

— The collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
— Unlawful activity, or misconduct of a serious nature, that relates to Zest’s functions or activities has been, is being or may be engaged in, and the collection, use or disclosure is necessary in order for the entity to take appropriate action in relation to the matter.
— The collection, use or disclosure is reasonably necessary to assist any APP entity, body or person to locate a person who has been reported as missing.

— The collection, use or disclosure is reasonably necessary for the establishment, exercise or defense of a legal or equitable claim.

Zest ensures each individual:

− Whether the information is likely to be disclosed to overseas recipients, and if so, which countries such recipients are likely to be located in.

Zest retains evidence that that the student has acknowledged the following Privacy Notice and Student Declaration as part of their enrolment process: https://www.education.gov.au/privacy-noticeand-student-declaration

2. Collection of information

In collecting personal information, Zest complies with the requirements set out in the Privacy Act 1988, including Australian Privacy Principles 3 and 5 (in accordance with the National VET Provider Collection Data Requirements Policy clause 4.4) and the relevant privacy legislation and regulations of the Queensland DESBT in which Zest operates.
Personal information, including sensitive information, is collected from individuals in order that Zest can carry out its business functions. Zest only collects and stores information that is directly related to its business purposes and legal requirements of providing nationally recognised training and assessment.
Sensitive information is only collected by Zest if a permitted general or health situation applies in accordance with the Privacy Act (16A, 16B) such as, if:

3. Unique Student Identifiers (USI)

All students participating in nationally recognised training from 1 January 2015 are required to have a Unique Student Identifier (USI) and provide it to Zest upon enrolment. Alternatively, Zest can apply for a USI on behalf of an individual.
The Student Identifiers Act 2014 authorises the Australian Government’s Student Identifiers Registrar to collect information about USI applicants. When Zest applies for a USI on behalf of a student who has authorised us to do so, we need to collect personal information about the student which will be passed on to the Student Identifiers Registrar. This will include

− name, including first or given name(s), middle name(s) and surname or family name
− date of birth
− city or town of birth
− country of birth
− gender

− contact details, so the Student Identifiers Registrar can provide individuals with their USI and explain how to activate their USI account.

Purpose .......................................................................................................................................................... 1
Definitions ..................................................................................................................................................... 1
Policy ................................................................................................................................................................ 3
1. Privacy Principles ................................................................................................................................ 3
2. Collection of information ................................................................................................................ 4
3. Unique Student Identifiers (USI) ................................................................................................. 4
4. Storage and use of information ................................................................................................... 5
5. Disclosure of information ............................................................................................................... 6
6. Access to and correction of records ..........................................................................................7
7. Complaints about privacy .............................................................................................................. 7
Procedures .................................................................................................................................................. 8
1. Privacy Notices ................................................................................................................................... 8
2. Marketing Privacy ..................................................................... Error! Bookmark not defined.
3. Privacy of USI information ............................................................................................................. 8
4. Access to Records ............................................................................................................................ 8
5. Amendment to Records ................................................................................................................. 9
Document Control .................................................................................................................................... 10

Under the Data Provision Requirements 2012, Zest is required to collect personal information about students undertaking nationally recognised training and disclose that personal information to the National Centre for Vocational Education Research Ltd (NCVER). NCVER will collect, hold, use and disclose personal information in accordance with the Privacy Act 1988 (Cth), the VET Data Policy and all NCVER policies and protocols (including those published on NCVER’s website at www.ncver.edu.au).
In general, personal information will be collected through course application and/or enrolment forms, training records, assessment records and online forms and submissions.
The types of personal information collected include:

In order to create a USI on behalf of a student, Zest will be required to verify the identity of the individual by receiving a copy of an accepted identification document. This document will only be used for the purposes of generating the USI and confirming the identity of the individual with the Registrar. Once the USI has been generated and validated, the identity documents used or collected for this purpose will be securely destroyed.
The information provided by an individual in connection with their application for a USI:

− name, including first or given name(s), middle name(s) and surname or family name
− date of birth
− city or town of birth
− country of birth
− gender

− contact details, so the Student Identifiers Registrar can provide individuals with their USI and explain how to activate their USI account.

− is collected by the Registrar as authorised by the Student Identifiers Act 2014.
− is collected by the Registrar for the purposes of:
− applying for, verifying and giving a USI
− resolving problems with a USI
− creating authenticated vocational education and training (VET) transcripts
− may be disclosed to:
− Commonwealth and State/Territory government departments and agencies and statutory bodies performing functions relating to VET for:
− the purposes of administering and auditing VET, VET providers and VET programs
− education related policy and research purposes
− to assist in determining eligibility for training subsidies
− VET Regulators to enable them to perform their VET regulatory functions
− VET Admission Bodies for the purposes of administering VET and VET programs
− current and former Registered Training Organisations to enable them to deliver VET courses to the individual, meet their reporting obligations under the VET standards and government contracts and assist in determining eligibility for training subsidies
− schools for the purposes of delivering VET courses to the individual and reporting on these courses
− the National Centre for Vocational Education Research for the purpose of creating authenticated VET transcripts, resolving problems with USIs and for the collection, preparation and auditing of national VET statistics
− researchers for education and training related research purposes
− any other person or agency that may be authorised or required by law to access the information
− any entity contractually engaged by the Student Identifiers Registrar to assist in the performance of his or her functions in the administration of the USI system
− will not otherwise be disclosed without the student’s consent unless authorised or required by or under law

The consequences to the student of not providing the Registrar with some or all of their personal information are that the Registrar will not be able to issue the student with a USI, and therefore Zest will be unable to issue a qualification or statement of attainment.

Zest will store all records containing personal information securely and take all reasonable security measures to protect the information collected from unauthorised access, misuse, or disclosure. Personal information will be stored electronically in a secure environment to which only authorised staff have access within Dropbox Vault and the student management system (Axcelerate).
The personal information held about individuals will only be used by Zest to enable efficient student administration, report data to provide information about training opportunities, issue statements of attainment and qualifications to eligible students, and to maintain accurate and detailed records of student course participation, progress, and outcomes.
Zest may use the personal information provided by an individual to market other internal products and services to them. An individual may opt out of being contacted for marketing purposes at any time by contacting our office.

4. Storage and use of information

5. Disclosure of information

Zest will not disclose an individual’s personal information to another person or organisation unless:

Any person or organisation to which information is disclosed is not permitted to use or disclose the information for a purpose other than for which the information was supplied to them.
Personal information may be used or disclosed by Zest for statistical, regulatory and research purposes. Zest may disclose personal information for these purposes to third parties, including:

• Personal information disclosed to NCVER may be used or disclosed for the following purposes:

6. Access to and correction of records

7. Complaints about privacy

• Any individual wishing to make a complaint or appeal about the way information has been handled within Zest can do so by following Zest’s Complaints and Appeals Policy and Procedure.

Individuals have the right to access or obtain a copy of the information that Zest holds about them including personal details, contact details and information relating to course participation, progress and AQF certification and statements of attainment issued.
Requests to access or obtain a copy of the records held about an individual must be made by contacting our office using the Request to Access Records Form. The individual must prove their identity to be able to access their records.
There is no charge for an individual to access the records that Zest holds about them; however, there may be a charge for any copies made. Arrangements will be made within 10 days for the individual to access their records.

Email: josh@zestinstitute.edu.au

PH - 0434 400 340

Block A, Suite 7A, 3 Zamia Street, Sunnybank, QLD, 4109

Useful Links

Student Resources

Implement and monitor work health and safety practices

Quick Link

Products

First Aid & CPR

Use hygienic practices for food safety

Prepare and serve espresso coffee

Courses & Programs

Certificate IV in Kitchen Management

Diploma of Hospitality Management

Participate in safe food handling practices

Procedures

1. Privacy Notices

Ensure the NCVER privacy notice and declaration are included on the enrolment form https://www.education.gov.au/privacy-notice-and-student-declaration

Compliance Consultant

Responsibility

A. Privacy notices

Procedure

2. Privacy of USI information

Administration Team

Responsibility

A. Privacy notices

Procedure

A. USI Authority and Identification documents• USIs are collected on the Enrolment Form. Where a student does not have a USI, they may request for Zest to create one on their behalf.
Students who request for Zest to create a USI on their behalf must sign the USI Authority Form and provide the required identification document/s.
A USI must not be created for a student if the USI Authority Form, which includes the privacy notice, has not been signed.
As soon as practicable, once the USI has been generated and validated, the personal information provided in the USI section of the Enrolment Form must be securely destroyed and not kept on file.
Refer to the Student Administration Policy and Procedure for detailed instructions on the generation of USIs.

3. Access to Records

Administration Team

Responsibility

A. Request to access records

Procedure

A. Request to access records
Individuals may request to access their records by using the Request to Access Records Form. Written requests should be sent to the head office.
Requests may be from past or current students or other individuals. It may be to access records held in a file about a student, or access to a previously issued AQF certification document – refer to the AQF Certification Policy & Procedure.
Upon receiving a completed form, confirm the request is valid and has been made by the individual to which the records relate – check identification documents.
Arrangements for provision of records should be made as suitable – mailing copies, providing a time for records to be viewed etc.
Arrangements should be made verbally and confirmed in writing within 10 days of receiving the request.
Where records are to be mailed, they should only be mailed to the address that is held on file for that individual, unless alternate change of address information is provided along with proof of identity – such as a driver’s license or utility bill.
Where records are to be shown to an individual, the student must produce photo ID prior, and this should be matched to the records held on file about the individual to confirm they are only viewing their own records.
Keep a note on how the records were accessed on the individual’s file.

4. Amendment to Records

Administration Team

Responsibility

A. Request for records to be amended

Procedure

Arrangements for provision of records should be made as suitable – mailing copies, providing a time for records to be viewed etc.
Arrangements should be made verbally and confirmed in writing within 10 days of receiving the request.
Where records are to be mailed, they should only be mailed to the address that is held on file for that individual, unless alternate change of address information is provided along with proof of identity – such as a driver’s license or utility bill.
Where records are to be shown to an individual, the student must produce photo ID prior, and this should be matched to the records held on file about the individual to confirm they are only viewing their own records.
Keep a note on how the records were accessed on the individual’s file.

Document No. & Name: CG4 - Privacy P&P V3.0 (ID 27)
Quality Area: CG Corporate Governance
Author: ZEST Institute
Status: Approved
Standards (SRTOs): Clause 8.5 and 3.6