In Short
- Implementing strong data protection measures helps safeguard sensitive information and maintain customer trust.
- Adhering to data protection laws, such as the Australian Privacy Principles, is essential to avoid penalties.
- Regular employee training ensures staff understand data privacy obligations and apply security measures correctly.
Tips for Businesses
Conduct regular privacy audits to check how you collect, use, and store personal data. Keep your privacy policies up to date and transparent. Have a clear plan for responding to data breaches. Train staff regularly on data protection to prevent issues and ensure compliance.
Table of Contents
- Size of Your Business and Compliance Under the Privacy Act
- What Kinds of Personal Information Might You Be Dealing With?
- What Obligations Do Large Educational or Training Businesses Have?
- What Obligations Do Small Businesses Have?
- What Can You Do to Keep in Line With the Law?
- Key Takeaways
- Frequently Asked Questions
As an education or training business, you will interact with a range of personal information from students and employees alike. While you know how important it is to deal with that personal information correctly, you may wonder what your legal obligations are. This article will take you through your legal requirements for dealing with personal information as an education or training business and outline some of the steps you can take to protect personal data.
Size of Your Business and Compliance Under the Privacy Act
Different legal requirements under the Privacy Act may apply to your business depending on its annual turnover. To determine what your obligations are, you need to know whether you are a small or large business:
- businesses with an annual turnover of more than $3 million are classified as APP entities and must comply with the Australian Privacy Principles (APPs); and
- small businesses, defined as those with an annual turnover of $3 million or less, are generally exempt from the Privacy Act. However, this exemption is not universal. A small business may still be an APP entity in certain circumstances, such as:
- providing services under a Commonwealth contract;
- disclosing or collecting personal information for a benefit, service, or advantage (unless done with consent or as required by law); or
- providing health services and holding health information beyond employee records.
What Kinds of Personal Information Might You Be Dealing With?
No matter what size your business is, knowing your obligations when dealing with personal data and information is essential. As an educational and training business, you regularly handle the personal information of your students, employees and clients, including:
- names;
- email addresses;
- phone numbers of the client’s business contact;
- account information;
- interaction/usage data (if they make an account with you); or
- payment information.
What Obligations Do Large Educational or Training Businesses Have?
If you own or run a large educational or training business, you have several obligations when dealing with the personal information of your students and employees.
Your Obligations When Managing Personal Information
You are required to:
- manage personal information in a way that is open and transparent – your students and employees must be able to easily find out how you plan to store and use their information. You will also need an up-to-date privacy policy that aligns with the law;
- make sure your collected personal data is up to date and accurate; and
- take reasonable steps to protect the personal information you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. This covers both outsiders and your own staff looking at records they have no business reason to see.
Your Obligations When Collecting Personal Information
You must:
- not collect personal information unless it is reasonably necessary for one or more of your business's functions or activities; and
- where you receive personal information you did not ask for (unsolicited information) and could not have collected it yourself, destroy or de-identify it as soon as practicable, provided it is lawful and reasonable to do so.
Your Obligations When Disclosing Personal Information
You must:
- ensure individuals, clients and employees know why you are collecting their information;
- make sure clients and employees are aware of your privacy policy;
- inform clients and employees whether you would normally disclose the kind of personal information you have collected to anyone else; and
- make sure clients and employees can access their personal data.
Your Obligations to Provide Information to Your Students and Employees
Make sure to:
- Tell students and employees the reason that you need their information and ensure they are aware of the consequences if you do not have it. You should also show them your privacy policy.
- Explain to students and employees what you will do with their personal information.
- Ensure that students and employees have access to their personal data.
Your Obligation to Provide Anonymity to Students And Employees
You must give your students and employees the option of dealing with you anonymously, or under a pseudonym, when their information is being used. This obligation does not apply where it is impracticable for you to deal with them that way, or where the law requires you to identify them.
What Obligations Do Small Businesses Have?
Your Duty to Keep Personal Information Confidential
Small education or training businesses have a simpler obligation: keep personal information confidential. You must take reasonable care to ensure personal information is not accessed or used without your students' or employees' permission.
Keeping Health Information Confidential
You also have specific obligations relating to your students’ and employees’ health information. This involves ensuring that health information is kept confidential and not disclosed unless necessary, such as during a health emergency.
What Can You Do to Keep in Line With the Law?
Maintain a Detailed Privacy Policy
A current and detailed privacy policy will enable you to make sure you, your employees and your students are fully aware of what you can and cannot do with personal information. Your privacy policy must clearly state why your organisation needs the personal information it collects. It should also make clear how you will use the personal data you collect. LegalVision's experienced education and training lawyers can help you create a privacy policy that meets your legal obligations and affirms your commitment to protecting your students' and employees' personal data.
Make Employees Aware of Their Obligations
Employees that work with personal data should know exactly what they can and cannot do with it. Regular training on your privacy obligations will keep employees informed and aware.
Keep Personal Information Secure
Taking care to store personal data securely is essential to preventing data breaches. Restrict access to personal data to the staff who need it for their role, and make sure you have the right physical and digital security measures in place (for example, role-based access controls, encryption of stored records and backups, and logs of who has accessed which records) to prevent unauthorised access to the personal data you store.
Key Takeaways
As an education and training business, lawfully dealing with student and employee data is very important. You should consider the following:
- your obligations will be more extensive and detailed as a large business;
- as a small business, you still have obligations to keep information confidential and deal with health information appropriately; and
- a detailed privacy policy, employee awareness and robust security infrastructure will enable you to meet your personal information obligations.
If you need help dealing with student and employee personal data, our experienced education and training lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
What obligations do large education and training businesses have?
Large education and training businesses must comply with the Australian Privacy Principles, which involve maintaining an up-to-date privacy policy, ensuring data accuracy, and preventing unauthorised data access. They must inform stakeholders about data collection and usage purposes and ensure individuals can access their personal information.
What obligations do small education and training businesses have?
Small education and training businesses should maintain the confidentiality of personal information by taking reasonable care to prevent unauthorised access or use. This includes keeping health information secure and providing clear communication about data handling practices. Establishing a thorough privacy policy and employee training also supports compliance.