Privacy Policies and Legal Disclaimers

Professional Learning Privacy Statement

The Australian Council for Educational Research Ltd (ABN 19 004 398 145) ("ACER") in providing its goods and services may use online platforms to assist in providing the same. One such platform is Moodle ("Moodle").

ACER uses Moodle to deliver a variety of goods and services ACER provides. As a result of you using such an ACER good or service ACER may collect and process that your personal data for the purpose of administering or delivering that good or service ("the Purpose").

This privacy statement details the personal data collected, what ACER processes and why, and where it obtains this data from.

The personal data

In pursuit of the Purpose, ACER may collect your personal data directly from you. Under the EU’s General Data Protection Regulation ("GDPR") personal data is defined as: “any information relating to an identified or identifiable natural person; and identifiable nature person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental economic, cultural or social identity of that natural person” ("the Data").

Privacy law that may be relevant to the Data

Your privacy is very important and ACER takes great care to ensure your personal data is protected. ACER is an Australian based company. The following information is set out to comply with applicable privacy and data law including, the:

(a) Australian Privacy Act 1988 (Cth) (Privacy Act); and
(b) European General Data Protection Regulation (EU) 2016/679 (GDPR).

The Australian Privacy Act

To the extent of the applicability of the Privacy Act to the Data:

• the collection of your Data by ACER was not required by law;
• the only consequences of you not supplying your Data are, you:
  • may not be able to use the relevant ACER goods and services provided by ACER via Moodle; and
  • may not be able to receive the full benefit of such goods and services.
• ACER discloses your Data (including sensitive information) to:
  • ACER clients, educational institutions, government departments and agencies with an interest in the relevant goods or services you use: and
  • ACER contractors assisting ACER in pursuing the Purpose; and

Sensitive information

ACER, in pursuing the Purpose, may collect your sensitive information such as health information or professional association membership. By supplying such sensitive information YOU CONSENT to ACER collecting, using, storing and disclosing your sensitive information as specified in this Privacy Statement. Should you not wish to give such consent or have queries concerning the same see the ‘Your rights’ section below.

Disclosure outside of Australia

In pursuit of the Purpose or to ensure you receive the full benefit of the relevant ACER good or service ACER may have to disclose your Data outside of Australia. ACER should take steps to ensure that the relevant disclosee complies with the Privacy Act, but if it is in a jurisdiction with privacy laws substantially similar to the Privacy Act with mechanisms for enforcement, such as the European Union being regulated by the GDPR, it does not have to.

In some instances the country the disclosee is located in might not have substantially similar laws to the Privacy Act. Such disclosees will be relevant to the good or service you use and will only be disclosed in pursuit of the Purpose. Nonetheless, Under the Australian Privacy Principles contained in the Act ACER is bound to take steps, reasonable in the circumstances, to ensure any overseas entity it discloses your personal information to complies with the Australian Privacy Principles.

BUT IF YOU CONSENT to such disclosure, ACER will not have to take steps to ensure compliance by the entity with the Australian Privacy Principles;

THE CONSEQUENCES OF GIVING SUCH CONSENT ARE:

1. the country of the entity may not have similar privacy laws or measures by which you may pursue any of your rights in respect of privacy as that of Australia;
2. the entity may not handle your personal information in the manner designated under the Australian Privacy Principles and you may not have any mechanism with which to seek redress.

By using the relevant good or service YOU CONSENT to such transfer. Should you not wish to give such consent or have queries concerning the same see the ‘Your rights’ section below.

Your rights

Under the Privacy Act you have the right to:

1. inspect your Data;
2. request amendment of your Data; and
3. make a complaint in respect of a breach of your privacy.

To exercise any or all of the above rights, please review ACER’s privacy policy, which sets out the processes of how you may attend to the same. The policy can be viewed at www.acer.org/privacy. You may also use the same procedure should you not wish to give, or have queries about, the consents specified above.

The GDPR

To the extent of the applicability of the GDPR to the Data:

1. The Data is processed by ACER solely to for the Purpose.
2. Dependant on the relevant good or service use ACER may be the controller and/or processor for the Data as listed in this privacy notice.

'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with other, determines the purpose and means of the processing or your Data

'Processor' where the purposes and means of such processing are determined by another natural or legal person, then ACER is a processor.

For all EU data processing activities ACER has appointed a Data Protection Officer (DPO). You can contact the DPO for all questions related to this notice and access of any of your rights (see below) via the details in the contact section below.

Cross-Border Data Transfers

It is unlikely but if any of your Data is transferred out of the European Union by ACER, ACER will ensure such transfer is compliant with the GDPR or any other applicable local law.

Legal basis for processing your information

1. ACER will obtain specific consent in order to collect and process sensitive information to assist with health, disability or special assistance an individual may need to use the relevant good or service (e.g. special accommodation applications and services to individuals with disabilities),
2. Processing of personal data may also be necessary for the pursuit of ACER’s legitimate interests or a third party’s legitimate interests in pursuing the Purpose -but only where it is not unwarranted and will not cause a prejudicial effect to an individual’s rights and freedoms. Relevant third parties are ACER contractors or subcontractors assisting ACER in pursuing the Purpose.
3. To perform ACER’s contract with an individual in respect of the relevant good or service a person use in pursuit of the Purpose including:
   • responding to related requests or queries; or
   • to give you information about the good or service.

Data Retention Period

ACER will process different forms of personal data for as long as is necessary and proportionate for the Purpose and will store the Data for the shortest amount of time possible, taking into account legal requirements and the Purpose. If you have any queries concerning the same please contact the DPO whose contact details are below.

Your Data Protection Rights

Your personal information data rights

Under the GDPR or applicable law incorporating this legislation individuals are afforded a number of rights that are enforceable on any controller or processor processing personal data. These rights are protected and enforced by various supervisory authorities depending on the relevant individual’s residency. ACER has a representative listed below which is the primary point of contact for exercising any of these GDPR rights for processing carried out by ACER.

How to access your personal data

Subject to applicable laws, an individuals may request to know if ACER is processing their personal data, and if so, access to their personal data, provide the legal basis and contact details of the DPO and representative (if appointed). ACER will need to verify your identity before it can give access. It will promptly acknowledge receipt, and will endeavour to deal with and respond to any such request within the prescribed time of one calendar month.

In certain circumstances, it is permitted by law to refuse access to personal data. In such cases, ACER will give a written explanation for its decision and how a complaint may be made to the appropriate supervisory authority (ICO in the UK) if the individual is not satisfied with ACER’s decision.

There is no charge for making a request for access to personal data. However, a fee may be charged to provide such personal data if the request is repetitive to cover administrative costs. The fee will be notified at the time the request is made.

How to correct personal information data

If an individual thinks that any personal data ACER holds about that individual is inaccurate, a request may be made to ACER for correction. ACER will take reasonable steps to correct it unless it disagrees with the reasons given. If correction is refused ACER will give a written explanation why.

Additional rights and choices under the GDPR:

In certain circumstances, an individual may:

• obtain information about the processing of relevant personal information data (legal basis, data source, if and to whom shared, foreign transfer mechanism, legitimate interest basis, etc) ;
• ask ACER to erase relevant personal data without undue delay, such as if consent is withdrawn and ACER is not otherwise legally entitled to retain it;
• object to, and ask ACER to restrict, our processing of relevant personal data, if the legal basis is legitimate interest or public interest or it is applying profiling to your data, although ACER may continue to process your personal data while it verifies the assertion or complaint;
• ask for a copy of any personal data processed and ask to receive some personal data the individual has given ACER in a structured, commonly used and machine-readable format or ask ACER to transmit it to someone else if technically possible or feasible;
• withdraw consent or object to processing for direct marketing or profiling purposes; and
• Raise a complaint with the relevant supervisory authority if ACER fails to provide the rights as required in the time frame allowed.

How to make a complaint

If an individual believes that ACER has not processed relevant personal data correctly compliantly with the GDPR and failed to provide the relevant rights as detailed above, , or believes ACER’s privacy obligations are not consistent with the spirit of the legislation, please contact ACER initially using the contact details below for the representative. ACER will investigate any complaint, and provide notification of its decision in relation to the complaint, as soon as practicable after it is received, but within 30 days.

If ACER is unable to satisfactorily resolve any concerns about its handling of personal data, following an initial complaint the relevant individual has the right to make a complaint to the relevant European data protection authority (for example in the place of residence or where the individual believes it has breached relevant rights). The Supervisory Authority of ACER’s representative is the UK ICO which will be able to investigate your complaint. The ICO can make use of the “One Stop Shop” mechanism to address complaints from residents within the EEA and outside the UK if that benefits the complainant and their home location.

Contacts

Effective date: 17/08/2020