Privacy and Personal Information Policy

1. Purpose

This policy outlines MediLearn’s approach to the collection, use, storage, disclosure, and management of personal information held about students, prospective students, staff, and stakeholders. MediLearn is committed to protecting the privacy of all individuals in accordance with applicable Commonwealth and NSW legislation, the Standards for Registered Training Organisations (RTOs) 2025 (RTO Standards 2025), and ASQA’s regulatory requirements.

MediLearn will comply with the following legislation and standards:

• Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs) as amended by the Privacy Amendment (Enhancing Privacy Protection) Act 2012
• Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA)
• Health Records and Information Privacy Act 2002 (NSW) (HRIPA)
• National Vocational Education and Training Regulator Act 2011 (Cth) (NVETR Act)
• National Vocational Education and Training Regulator (Data Provision Requirements) (Instrument) 2020
• RTO Standards 2025 – Quality Area 2 (Learner Engagement and Support), Quality Area 3 (Governance and Administration), and Quality Area 4 (Compliance and Accountability), with particular reference to Clause 20

2. Scope

This policy applies to all MediLearn employees, contractors, trainers, assessors, education coordinators, and any other personnel involved in the collection, use, storage, or disclosure of personal information. It applies across all MediLearn operations, including all training programs delivered in NSW under RTO registration 46190.

This policy covers all regulatory obligations that form part of MediLearn’s responsibilities as a Registered Training Organisation (RTO) operating under ASQA’s jurisdiction.

3. Policy

3.1 Collection and Use of Personal Information

MediLearn will only collect personal information from individuals by fair and lawful means, and only where that information is necessary for the legitimate functions of MediLearn as an RTO. MediLearn will only collect sensitive information with the individual’s consent and where it is reasonably necessary for those functions.

In NSW, consent from the individual is obtained via the Enrolment Form, where the individual signs or electronically accepts (including by ticking a checkbox) a consent form that includes the required privacy disclosure wording. This satisfies the NSW consent requirements under PPIPA and MediLearn’s obligations under the NVETR Act and RTO Standards 2025.

Personal information collected by MediLearn will only be used to:

• Provide details of study opportunities and course information

• Enable efficient enrolment, course administration, and student support

• Maintain proper academic and training records as required by law

• Report to government agencies and regulatory bodies as required by the NVETR Act and ASQA

If an individual chooses not to provide MediLearn with certain required information, MediLearn may be unable to enrol that person in a course or provide them with appropriate support services.

3.2 Disclosure of Personal Information

Personal information about students and stakeholders will be shared with the following regulatory bodies and agencies where required:

• Australian Skills Quality Authority (ASQA) – in line with RTO Standards 2025 and the NVETR Act

• NSW Department of Education – as required for regulatory and compliance purposes

• National Centre for Vocational Education Research (NCVER) – via AVETMISS data collection

• Australian Government agencies as required by the NVETR Act and Data Provision Requirements Instrument 2020

• Contracted third-party service providers supporting MediLearn’s training operations (subject to written data handling agreements)

MediLearn will not disclose an individual’s personal information to any other person or organisation unless one of the following applies:

• The individual concerned is reasonably likely to have been aware, or has been made aware, that information of that kind is usually passed to that person or organisation

• The individual has provided written consent to the disclosure

• MediLearn believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual or of another person

• The disclosure is required or authorised by or under law

• The disclosure is reasonably necessary for the enforcement of criminal law, a law imposing a pecuniary penalty, or for the protection of public revenue

Where personal information is disclosed for enforcement or public revenue purposes, MediLearn will include a notation of the disclosure in the relevant record.

Any third party that collects personal information on behalf of MediLearn, or to whom personal information is disclosed, is required by written agreement not to use or disclose that information for any purpose other than the purpose for which it was collected or supplied.

3.3 Security and Integrity of Personal Information

MediLearn is committed to ensuring the confidentiality, security, and integrity of the personal information it collects, uses, and discloses. MediLearn will take all reasonable steps to ensure that personal information is:

• Relevant to the purpose for which it was collected

• Accurate, up to date, and complete

• Protected from misuse, interference, loss, unauthorised access, modification, or disclosure

MediLearn will securely store all records containing personal information for a minimum period of seven (7) years from the date the training activity is completed, as required under the NVETR Act and RTO Standards 2025 – Clause 20. Where a shorter retention period is specified by applicable legislation, that period applies.

Where MediLearn no longer requires personal information for any disclosed purpose, and is no longer required by law to retain it, all reasonable steps will be taken to destroy or de-identify the information in a secure manner.

MediLearn uses secure electronic systems and physical document controls to safeguard personal information. Controls include access restrictions, password protection, and encryption where appropriate. All staff who handle personal information are trained in privacy obligations and are subject to confidentiality requirements.

3.4 Clause 20 – Student Records and Privacy (RTO Standards 2025)

MediLearn complies fully with Clause 20 of the RTO Standards 2025, which sets out specific obligations regarding the management of student records and privacy. In accordance with this clause, MediLearn will:

a) Maintain accurate and complete records of each student’s enrolment and participation in training and/or assessment

b) Issue each student with a Qualification, Statement of Attainment, or other relevant documentation within 30 calendar days of the student completing the requirements for that outcome, or within 30 calendar days of a request, whichever is the earlier

c) Retain all training records, including assessment records and results, for a minimum of 30 years for AQF Qualifications and Statements of Attainment, and a minimum of seven (7) years for all other training records, including individual unit of competency results

d) Provide each student on request with a copy of their training record within 30 calendar days of the request being made

e) Collect and submit AVETMISS-compliant data to the relevant government authority in accordance with the National VET Data Policy and the Data Provision Requirements Instrument 2020

f) Ensure that personal information of current and prospective students is collected, held, used, and disclosed in accordance with the Privacy Act 1988 (Cth), PPIPA (NSW), HRIPA (NSW), and the Australian Privacy Principles (APPs)

g) Make available to students on enrolment, and on request, information about what personal information is collected, how it is used, and to whom it may be disclosed

MediLearn maintains student records in its student management system (Cloud Assess) and ensures all student data is stored, managed, and accessible in line with the above requirements. The RTO Manager is responsible for overseeing records management and Clause 20 compliance.

3.5 Breach of Privacy – Notification and Response

MediLearn takes privacy and data breaches seriously and has a responsibility under Commonwealth and NSW law to respond promptly and appropriately to any privacy incident. A privacy or data breach occurs when personal information held by MediLearn is accessed, disclosed, or lost in an unauthorised manner.

A breach may include:

• Unauthorised access to or disclosure of personal information

• Attempted unauthorised access, modification, or use of personal information

• Loss of personal information (e.g., lost or stolen device, document, or database)

• Misuse of personal information by a staff member, contractor, or third party

Notifiable Data Breaches – Commonwealth

Under Part IIIC of the Privacy Act 1988 (Cth) (the Notifiable Data Breaches scheme), MediLearn must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as soon as practicable where a data breach is likely to result in serious harm to any individual whose information is involved. Notification must occur within 30 days of MediLearn becoming aware of the eligible data breach.

NSW Obligations

Under the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW), MediLearn will also notify the NSW Privacy Commissioner and take such other steps as are required under NSW law in the event of a reportable privacy breach.

Breach Response Procedure

Upon becoming aware of a potential or actual privacy breach, MediLearn will take the following steps:

a) Contain the breach – take immediate steps to limit the breach and prevent further disclosure, access, or loss of personal information

b) Assess the breach – determine the nature, scope, and likely risk of harm to affected individuals, and assess whether the breach is an eligible data breach under the NDB scheme

c) Notify – where required, notify affected individuals and the OAIC (and/or NSW Privacy Commissioner) as soon as practicable and within 30 days of becoming aware of the breach

d) Report internally – immediately report the breach to the RTO Manager and CEO; document the breach, the response taken, decisions made, and outcomes in MediLearn’s incident register

e) Review and improve – identify root causes and implement corrective actions to prevent recurrence, recorded in MediLearn’s Continuous Improvement Register

All MediLearn staff are required to report any actual or suspected privacy breach to the RTO Manager immediately upon becoming aware of it. Failure to report a known breach is a serious matter and may result in disciplinary action.

3.6 Right to Access and Correct Records

Individuals have the right to access or obtain a copy of the personal information that MediLearn holds about them. Requests must be made in writing to the RTO Manager.

There is no charge for an individual to access their personal information; however, MediLearn may charge a reasonable fee to produce a copy. MediLearn will advise individuals of how they may access or obtain a copy of their personal information, and of any applicable fees, within 10 calendar days of receiving a written request. Where it is reasonable to do so, access will be provided in the manner requested.

If an individual considers their personal information to be incorrect, incomplete, out of date, or misleading, they may request that the information be amended. Where a record is found to be inaccurate, a correction will be made as soon as practicable. Where an amendment is requested but the record is found to be accurate, the details of the amendment request will be noted on the record. There is no charge for requesting a correction.

Requests may be directed to MediLearn by phone on 02 9819 0600 or in writing via https://medilearn.com.au.

3.7 Complaints About an Alleged Breach of Privacy

Where an individual believes that MediLearn has breached a Privacy Principle or the APPs in relation to that individual, they may lodge a complaint using MediLearn’s Complaints and Appeals handling procedures. This process enables students and prospective students to lodge grievances of a non-academic nature, including complaints about the handling of personal information and access to personal records.

If the individual is not satisfied with MediLearn’s response to their complaint, they may escalate the matter to:

• The Office of the Australian Information Commissioner (OAIC) – for Privacy Act 1988 (Cth) / APP complaints: www.oaic.gov.au

• The NSW Privacy Commissioner – for PPIPA or HRIPA complaints: www.ipc.nsw.gov.au

• ASQA – for complaints relating to MediLearn’s performance as a registered training organisation: www.asqa.gov.au

3.8 Publication and Transparency

This Privacy and Personal Information Policy will be made available to students and persons seeking to enrol with MediLearn by publication on MediLearn’s website at https://medilearn.com.au. A copy may also be requested by contacting MediLearn directly.

MediLearn will advise students at the time of enrolment about this policy, what personal information is collected, how it is used, and to whom it may be disclosed, to ensure that students can provide informed consent.

3.9 Monitoring and Continuous Improvement

All privacy-related administration, data reporting practices, and records management processes are monitored by the RTO Manager. Areas for improvement are identified and acted upon in accordance with MediLearn’s Continuous Improvement Policy. Privacy incidents, complaints, and corrective actions are recorded in MediLearn’s Continuous Improvement Register.

This policy is reviewed annually or earlier if required by changes to legislation, ASQA standards, or MediLearn’s operational context. All revisions are documented and version-controlled.

4. Responsible Persons

RTO CEO
RTO Manager
Education Coordinator
Trainers and Assessors

5. Legislative and Regulatory Framework

This policy is informed by and must be read in conjunction with the following:

• Privacy Act 1988 (Cth) – including the Australian Privacy Principles (APPs) and Notifiable Data Breaches (NDB) scheme
• Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)
• Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA)
• Health Records and Information Privacy Act 2002 (NSW) (HRIPA)
• National Vocational Education and Training Regulator Act 2011 (Cth) (NVETR Act)
• National Vocational Education and Training Regulator (Data Provision Requirements) (Instrument) 2020
• Standards for Registered Training Organisations (RTOs) 2025 – Clause 20 and Quality Areas 2, 3, and 4
• National VET Data Policy
• Australian Qualifications Framework (AQF)

6. Related Documents

RTO Complaints and Appeals Policy and Procedure
RTO Continuous Improvement Policy
Enrolment Form
VET Student Handbook
Risk Management Framework and Policy