
Protecting Personal Data: A Guide for Education or Training Businesses

In Short

  • Implementing strong data protection measures helps safeguard sensitive information and maintain customer trust.
  • Adhering to data protection laws, such as the Australian Privacy Principles, is essential to avoid penalties.
  • Regular employee training ensures staff understand data privacy obligations and apply security measures correctly.

Tips for Businesses

Conduct regular privacy audits to check how you collect, use, and store personal data. Keep your privacy policies up to date and transparent. Have a clear plan for responding to data breaches. Train staff regularly on data protection to prevent issues and ensure compliance.



As an education or training business, you will interact with a range of personal information from students and employees alike. While you know how important it is to deal with that personal information correctly, you may wonder what your legal obligations are. This article will take you through your legal requirements for dealing with personal information as an education or training business and outline some of the steps you can take to protect personal data.

Size of Your Business and Compliance Under the Privacy Act

Different legal requirements under the Privacy Act may apply to your business depending on its annual turnover. To determine what your obligations are, you need to know whether you are a small or large business:

  • large businesses, defined as those with an annual turnover exceeding $3 million, are classified as APP entities and must comply with the Australian Privacy Principles (APPs); and
  • small businesses, defined as those with an annual turnover of less than $3 million, are generally exempt from the Privacy Act. However, this exemption does not apply universally. Even small businesses may be considered APP entities under certain circumstances, such as:
    • providing services under a Commonwealth contract; 
    • disclosing or collecting personal information for a benefit, service, or advantage (unless done with consent or as required by law); or 
    • providing health services and holding health information beyond employee records.

Clearly, it is essential for all businesses, regardless of size, to carefully assess their specific situation to determine their privacy obligations under the Privacy Act.

What Kinds of Personal Information Might You Be Dealing With?

No matter what size your business is, knowing your obligations when dealing with personal data and information is essential. As an educational and training business, you handle the personal information of your clients regularly, including: 

  • names;
  • email addresses;
  • phone numbers of the client’s business contact;
  • account information;
  • interaction/usage data (if they make an account with you); or
  • payment information.

What Obligations Do Large Educational or Training Businesses Have?

If you own or run a large educational or training business, you have several obligations when dealing with the personal information of your students and employees. 

Your Obligations When Managing Personal Information

You are required to:

  • manage personal information in a way that is open and transparent – your students and employees must be able to easily find out how you plan to store and use their information. You will also need an up-to-date privacy policy that aligns with the law;
  • make sure your collected personal data is up to date and accurate; and
  • prevent the personal information you collect from being misused, lost or tampered with. You will also need to make sure others do not improperly access information. 

Your Obligations When Collecting Personal Information

You must:

  • not collect personal information unless it is needed for you to properly operate your business; and
  • get rid of personal information that you receive unsolicited.

Your Obligations When Disclosing Personal Information

You must:

  • ensure individuals, clients and employees know why you are collecting their information;
  • make sure clients and employees are aware of your privacy policy;
  • inform clients and employees whether you would normally disclose the kind of personal information you have collected to anyone else; and
  • make sure clients and employees can access their personal data.

Your Obligations to Provide Information to Your Students and Employees

Make sure to:

  • Tell students and employees the reason that you need their information and ensure they are aware of the consequences if you do not have it. You should also show them your privacy policy. 
  • Explain to students and employees what you will do with their personal information. 
  • Ensure that students and employees have access to their personal data.

Your Obligation to Provide Anonymity to Students and Employees

You must make sure that your students and employees have the option to remain anonymous when their information is being used. This does not mean that you must make sure they are anonymous if it is not practical to give them that option.


What Obligations Do Small Businesses Have?

Your Duty to Keep Personal Information Confidential

Small education or training businesses simply have to keep personal information confidential. You must take reasonable care to ensure personal information is not accessed or used without your students’ or employees’ permission.

Keeping Health Information Confidential

You also have specific obligations relating to your students’ and employees’ health information. This involves ensuring that health information is kept confidential and not disclosed unless necessary, such as during a health emergency. 

What Can You Do to Keep in Line With the Law?

Maintain a Detailed Privacy Policy

A current and detailed privacy policy will enable you to make sure you, your employees and your students are fully aware of what you can and cannot do with personal information. Your privacy policy must clearly state what your organisation needs the personal information it collects for. It should also make clear how you will use the personal data you collect. LegalVision’s experienced education and training lawyers can help you create a privacy policy that meets your legal obligations and affirms your commitment to protecting your students’ and employees’ personal data.

Make Employees Aware of Their Obligations

Employees who work with personal data should know exactly what they can and cannot do with it. Regular training on your privacy obligations will keep employees informed and aware.

Keep Personal Information Secure

Taking care to store personal data securely is essential to preventing data breaches. Be careful to only allow access to personal data to those who need it, and make sure you have the right physical and digital security measures in place to prevent unauthorised access to personal data you store.

Key Takeaways

As an education and training business, lawfully dealing with student and employee data is very important. You should consider the following:

  • your obligations will be more extensive and detailed as a large business;
  • as a small business, you still have obligations to keep information confidential and deal with health information appropriately; and
  • a detailed privacy policy, employee awareness and robust security infrastructure will enable you to meet your personal information obligations.

If you need help dealing with student and employee personal data, our experienced education and training lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What legal obligations do large education and training businesses have regarding personal information?

Large education and training businesses must comply with the Australian Privacy Principles, which involve maintaining an up-to-date privacy policy, ensuring data accuracy, and preventing unauthorised data access. They must inform stakeholders about data collection and usage purposes and ensure individuals can access their personal information.

How can small education and training businesses protect personal data?

Small education and training businesses should maintain the confidentiality of personal information by taking reasonable care to prevent unauthorised access or use. This includes keeping health information secure and providing clear communication about data handling practices. Establishing a thorough privacy policy and employee training also supports compliance.

Alec MacKinnon

