Data Protection

Navitas Limited Privacy Statement

Last updated February 2018

Your Privacy

Your privacy is important to us. This privacy statement explains what personal information we collect from you, how we collect that information and how we use that information.

This privacy statement applies to the interactions that Navitas Limited (and all of its subsidiary companies and affiliated organisations) has with you and to the products and services we offer to you.

The Company – Who are we?

Navitas Limited (the parent company) is a public listed company on the Australian Securities Exchange (ASX) and is headquartered in Perth, Western Australia.

The Company also has a number of subsidiary companies and affiliated organisations that operate in locations throughout Australia, New Zealand, Canada, the USA, the UK, Europe, Africa and Asia. The following link enables you to find the details of the subsidiary companies that make up Navitas Limited: https://www.navitas.com/students

Collectively they are called the ‘Company’.

The Company gathers and processes your personal information in accordance with this Privacy Notice, our Privacy Policy and in compliance with the relevant Data Protection Regulation and Law.

This notice provides you with the necessary information:

  i. regarding your rights and obligations pertinent to which of the Company’s subsidiary companies and/or affiliated organisations you are engaging with.
  ii. explains how, why and when the subsidiary company and/or affiliated organisation as part of Navitas Limited collects and processes your personal information
  iii. confirms that the subsidiary company and/or affiliated organisation of Navitas Limited shares your personal information with the parent company Navitas Limited

A full list of the registered offices of all of Navitas Limited’s subsidiary companies and affiliated organisations can be found by clicking here.

Contact Details

A Data Protection Officer (DPO) has been appointed for the UK/EU companies.

A Data Protection Manager has been appointed for Australasia (Australia, New Zealand, Singapore, Sri Lanka, Indonesia, Thailand and Africa).

Regional Data Protection Managers (DPMs) have been appointed for all countries in which the Company operates that are geographically located outside of the Australasian region, the UK and EU.

The DPO and DPMs can be contacted directly on the relevant link below:

Data Protection Manager Australasia and Africa

Australia, New Zealand, Singapore, Sri Lanka, Indonesia, Thailand, South Africa

DPMA@navitas.com

+61 8 93149628

+61 (0) 498 023 385

Data Protection Officer UK/EU

UK, EU, EEA and all non-EU member states in Europe and Turkey

DPO@navitas.com

Data Protection Manager UK

England, Wales, Scotland and Northern Ireland

DPMUK@navitas.com

Data Protection Manager Germany, Switzerland and Austria

Germany, Switzerland and Austria

DPMGSU@navitas.com

Data Protection Manager South Western Europe

Belgium, France, Greece, Italy, Netherlands, Spain, Sweden, Romania

DPMSWEU@navitas.com

Data Protection Manager Canada

Canada

DPMC@navitas.com

Data Protection Manager United States of America and South America

USA, Mexico and Colombia

DPMUSA@navitas.com

Data Protection Manager Middle East

Jordan, Saudi Arabia and United Arab Emirates

DPMME@navitas.com

Personal Data We Collect

The Company uses the information we collect to operate our business and provide you with a range of services and products that we offer.

We use your information to improve how we interact with you i.e. your personal experience, and our products and services.

We also may use your information to communicate with you, for example, informing you about your account, security updates and marketing information.

We are conscious of the importance of your personal information and therefore we do not use what you say in email, chat, Skype/Zoom calls or voice mail, or your documents, photos or other personal files to target advertising information to you.

What types of personal data does the Company collect from you?

  a) The Company processes your personal information in order to meet its legal, statutory and contractual obligations and to provide you with the products and services you are interested in.
  b) It is not Company policy to collect any unnecessary personal information from you and the Company does not process your information in any way other than as already specified in this notice.
  c) The personal data that may be collected from you could include any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What types of anonymous information does the Company collect from you?

  a) When individuals open any one of the Company’s websites, it may also collect anonymous information for statistical purposes. The types of anonymous information we may collect could include: internet protocol address; date and time the server received the request; pages, documents and files requested; type of browser; operating system used; data sent to our website through web forms, e.g. search terms.
  b) Anonymous information should not be confused with ‘anonymity’, which is the option individuals can exercise when dealing with the Company in relation to a particular matter (see APP 2 – anonymity and pseudonymity).

Use of Data

  a) The Company takes your privacy very seriously and will never disclose, share or sell your personal information without your consent, unless required to do so by law.
  b) Private information is only retained for as long as it is necessary to do so (and as prescribed by law) and for the purposes specified in this notice.
  c) Where you have consented to us providing you with promotional offers and marketing, you are free to withdraw consent at any time.
  d) The Company uses cookies. When accessing one of the Company’s web sites you will be given the opportunity to provide or refuse your consent to the use of cookies.
  e) The Company will always seek your consent to use your personal information.
  f) Because the Company uses your personal data for a range of purposes (see list below), the Company will ensure that we have your consent for each purpose for which we intend using your personal information. (See GDPR Article 4 (1) (11)).
  g) The key purposes for which the Company collects personal information include:
    i. Providing services to individuals, e.g. sending you information or answering questions
    ii. Administering and managing the services provided to SAE Alumni, prospective and current students, including admissions, enrolment, education, billing, maintaining our information technology systems, customer service and data storage
    iii. Marketing the services of the Company to SAE Alumni, prospective, current and past students, partners and other customers
    iv. Hiring and managing employees and contractors
    v. Planning, monitoring, evaluating and improving services, including conducting market research and surveys and assessing customer satisfaction
    vi. Otherwise communicating with you
  h) The anonymous data will be used for the following purposes:
    i. Evaluate usage patterns
    ii. Identify popular areas of the website
    iii. Monitor network traffic
    iv. Identify unauthorised attempts to upload or change information, or otherwise cause damage
  i) This information is collated for analysis and then evaluated and published in reports. This helps to improve and develop the website and its services.

Legal Basis for collecting personal information

The Company needs to collect your personal information in order to conduct its business.

We endeavour at all times to secure your consent to use your personal information.

Legal Basis

GDPR Article 13 (1) (c) requires that the Company observe the right of individuals to give permission to the Company to use their personal data.

The Company undertakes to secure permission from you to use your personal information and it does this through consent requirements in the documents you will complete as part of your interaction with the Company.

The Company legally collects and processes a range of personal data as part of conducting its business. The Company’s legal basis for processing personal data includes:

  i. The consent you have given the Company to process your personal information and data
  ii. Performance of a contract to which you are a party, e.g. acceptance of a place in a course
  iii. To take steps at your request prior to entering into a contract
  iv. The Company is legally obliged to comply with a legal obligation that as the controller we are required to meet
  v. Processing is necessary in order to protect your vital interests or the vital interests of another person
  vi. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company, i.e. the controller
  vii. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by: security interests, your fundamental rights and freedoms and the protection of your personal information from serious harm, all of which require protection of personal data, in particular where the person is a child

The Company pursues a range of legitimate interests independently and in partnership with third parties. These legitimate interests include but are not limited to:

  i. Maintenance of SAE Alumni and student records
  ii. Maintenance of staff records
  iii. Payroll purposes
  iv. Compliance with visa requirements
  v. Working with children clearances
  vi. Compliance with taxation requirements

Special Categories of Personal Information

The Company understands that some personal information is especially sensitive and therefore undertakes to handle this information with respect and care.

  a) The special categories of personal data include sensitive personal information such as your racial origin or your political opinions (see GDPR Article 9 and Australian Privacy Principle 3).
  b) The Company’s legal basis for processing special categories of personal data (see GDPR Article 9 and Australian Privacy Principles Parts 3 and 4) are inclusive of obtaining your consent to process this data and where the Company is obliged by law or regulatory requirement to collect and process such sensitive Personal Information.

Consent

The Company makes every effort to secure your consent to our use of your personal data.

  a) By consenting to this privacy notice you are giving the Company permission to process your personal data specifically for the purposes identified.
  b) Consent from you is required for the Company to process both types of personal data (general and special), but consent must:
    i. be freely given, specific and informed
    ii. constitute an unambiguous indication of your wishes by which you, either by a statement or by a clear affirmative action, give permission to the Company
    iii. signify agreement to the processing of personal data relating to you by the Company (see GDPR Article 4)
  c) Where consent is to be provided in the form of a written declaration, such as completing the ‘Consent Section’ on an application or enrolment form, the purposes for collection you will be asked to consent to will be presented in an intelligible and easily understandable manner, using clear and plain language.
  d) Where other matters, i.e. using the data for purposes other than the primary purpose, are concerned, the specific purpose for which you are consenting will be distinguishable from all other matters (see GDPR Article 9).
  e) Where consent is being provided by a child, consent must be given or authorised by a holder of parental and/or legal guardianship responsibility over the child. The Company takes all reasonable efforts to verify consent has been given or authorised by the holder of parental responsibility (see GDPR Article 8).
  f) Consent may be withdrawn at any time.
  g) Withdrawing consent is as simple as sending an email to the relevant Data Protection Manager. Your email instruction will be acted upon; however, it may be necessary to ask you to also complete and sign a Withdrawal of Consent Form. The form may be submitted online or via email attachment (see Consent Withdrawal Form) and in accordance with the relevant procedure (set out by the Company’s Consent Procedure).
  h) Where the processing has multiple purposes, consent must be withdrawn for each individual purpose (see GDPR Article 7). The processing activities that relied upon the consent will stop as soon as the Data Protection Officer/Data Protection Manager (as applicable depending on the geographic region) notifies the relevant process owner of the change and requests an immediate halt to the processing of the data covered by that consent.
  i) Where the person is a child, the holder of parental responsibility must withdraw consent (see GDPR Article 8) by completing the Parent Consent Withdrawal Form.
  j) Withdrawal of consent on behalf of a child can be arranged online once the Company has confirmed the authenticity of the person making the request to withdraw consent on behalf of a child.

Consequences of NOT providing your Personal Information

  a) You are not obligated to provide your personal information to the Company; however, as this information is required for the Company to provide you with its services, deliver its products and deal with legitimate interests, the Company will not be able to offer you some and indeed possibly none of our products and services without it.
  b) The Company takes your privacy very seriously and takes every reasonable measure and precaution to protect and secure your personal information. The Company works hard to protect you and your personal information from unauthorised access, alteration, disclosure or destruction and has a number of security measures in place, including but not limited to:
    i. Restriction
    ii. IT authentication
    iii. Encryption
    iv. Pseudonymisation

Disclosure

The Company takes particular care when it comes to sharing your personal information with a third party. If this is necessary, we will make every reasonable effort to obtain your consent.

The Company will not knowingly pass on your personal data to third parties without first making every reasonable effort to obtain your consent.

The Company uses third parties to provide services and business functions; however, all processors acting on our behalf process your data in compliance with this privacy notice, the prevailing data protection laws and any other appropriate confidentiality and security measures.

The Company’s interaction with third party companies will change as needs arise.

Contractual arrangements that incorporate a commitment to the protection of Personal Information that may be received from the Company will be part of all third party arrangements as they are contracted to work with the Company.

The Company currently uses a number of third parties that will receive your personal data as part of the processing activities. The third party partners currently used by the Company include but are not restricted to: Google, Salesforce, Marketo, StudyLink.

  a) The data below provides further details for the two (2) most prominent third party partners:

Third country (non-EU)/international organisation

To protect your personal data the Company:

– reviews the Privacy Policy and Procedures of the third parties it is working with

– makes direct contact with them with respect to their management of Privacy and Information Security

– reviews contractual arrangements to ensure that the third parties are in compliance with relevant Privacy Law and Regulations such as the GDPR and the Australian Privacy Act (1988)

– has embedded relevant web links to GDPR and Privacy law compliance in relevant Company documents and, where helpful, marketing collateral

Microsoft: United States of America, Singapore, UK

The links to Microsoft are noted below:

https://privacy.microsoft.com/en-us/privacystatement

https://privacy.microsoft.com/en-ca/privacy

https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx

Amazon: Australia, United States of America and Canada

The links to Amazon are noted below:

https://www.amazon.com/gp/help/customer/display.html?nodeId=468496

https://aws.amazon.com/compliance/gdpr-center/

https://aws.amazon.com/compliance/eu-data-protection/

Retaining and Disposing of your Personal Information

The Company is required to retain information for a variety of reasons and in accord with legal requirements as set out in Government and Regulatory Authorities’ requirements. The Company makes every effort not to retain personal information for any longer than is necessary.

The Company has a formal process for disposing of information, inclusive of personal information. Full details of this can be found in the Privacy Policy.

Retention period

The Company has a formal Records Management Program that sets out in the Retention and Disposition Schedule the timeframe for the retention (i.e. storage) of your personal information.

Retention periods are dependent on the type of records. These are set out in the Records Retention and Disposal Schedule.

The Company does not retain or store records for any longer than is necessary in accord with legal requirements related to the storage of specific types of records and/or information.

Your Rights as a Data Subject

As an individual providing personal information to the Company it is important to understand that you have certain rights with respect to the management of that information. These rights include your right of access, the right to have your information corrected and your right to be ‘forgotten’. For more details on this please see the link below.

At any point while we are in possession of, or processing, your personal data, you have the following rights:

  i. Right of access – you have the right to request a copy of the information that we hold about you. (See Australian Privacy Principles Part 5 and GDPR Article 15.)
  ii. Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete. (See Australian Privacy Principle 13 and GDPR Article 16.)
  iii. Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records. (See Australian Privacy Principle 2 and GDPR Article 17.)
  iv. Right to restriction of processing – where certain conditions apply you have a right to restrict the processing. (See Australian Privacy Principle  GDPR Article 18)
  v. Right of portability – Under the GDPR, you have the right, as a person living in the UK/Europe, to have the data we hold about you transferred to another organisation. The right of portability does not exist in other geographic regions; however, the Company will consider requests for portability of data from other geographic regions on their merit and the reasonableness of the request.
  vi. Right to object – Under the GDPR, you have the right, as a person living in the UK/Europe, to object to certain types of processing such as direct marketing. The Company will consider requests for the right to object from other geographic regions on their merit and the reasonableness of the request.
  vii. Right to object to automated processing, including profiling – Under the GDPR, you have the right, as a person living in the UK/Europe, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. (See GDPR Article 22.) The Company will consider requests for the right to object from other geographic regions on their merit and the reasonableness of the request.
  viii. Right to judicial review: in the event that the Company refuses your request under rights of access, you will be provided with a reason as to why. (See GDPR Recital 142 and Office of the Australian Information Commissioner (OAIC).)
  ix. You have the right to complain as outlined in Section 10 below.

The Company will provide responses to you in a structured, commonly used and machine readable form.

Requests for Access should be made on the Subject Access Request Form which can be downloaded from the link above.

Requests from you to exercise your rights as described above will be treated with all reasonable care. You will be asked to verify your identity before any such request is fulfilled; this is to ensure that your data is protected and kept secure.

Complaints

If you wish to make a complaint about how the Company is processing your personal information, you have every right to lodge a complaint with the Company. All complaints will be handled in a fair and transparent manner without unnecessary delay.

In the event that you wish to make a complaint about how your personal data is being processed by the Company (or third parties associated with the Company), or how your complaint has been handled, you have the right to lodge a complaint directly with:

  i. The Company’s data protection representatives, inclusive of:

– Data Protection Officer (UK/EU)

– Data Protection Manager (all other regions)

  ii. Some nominated supervisory authorities also have a process whereby you can make a complaint.

Details of the procedure for making a complaint can be found in the Complaints Procedure document.

Australia has nominated the Office of the Australian Information Commissioner (OAIC) as the primary Supervisory Authority. See contact details below.

Australia

PRINCIPAL SUPERVISORY AUTHORITY FOR AUSTRALIA:

Office of the Australian Information Commissioner

Website: https://www.oaic.gov.au/

Email: enquiries@oaic.gov.au

Telephone: 1300 363 992

Postal Address:

GPO Box 5218

Sydney NSW 2001

Office Address:

Office of the Australian Information Commissioner

Level 3, 175 Pitt Street

Sydney NSW 2000

The UK/EU has nominated the Office of the Information Commissioner (OIC) as the primary Supervisory Authority. If you have a concern about the Company’s information rights practices, you can report it to the ICO by:

  1.       Calling the HELPLINE: +44 0303123113
  2.       Setting up a ‘live chat’  on the link: live chat

You can also contact the Data Protection Officer on DPO@navitas.com.

Other regions outside of the UK/EU should note their respective Supervisory Authority is listed below.

The contact details for a range of privacy protection agencies in the areas where the Company operates can be found on link to Privacy Authorities.

Contact details for Privacy Authorities: http://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=612080

Please go to the link below for further information on how to contact your local Privacy Authority.

Frequently Asked Questions

1 Personal Information/Data Collected

  a) The Company collects personal information/data in order to:
    i. operate effectively and to provide you the best possible experience with our services and products
  b) You provide some of this data directly to us, for example when you submit an application form.
  c) The Company gets some of your personal information by recording how you interact with our website using technologies like ‘cookies’ and data usage reports.
  d) You can exercise your right to block and/or delete cookies when you access the Company’s websites.
  e) The third party analytics service providers that the Company engages with also have opt in and opt consent options and controls.
  f) The Company also receives information from third parties, for example, a recruitment agent.

2 Special Categories of Personal Information

  a) It may be necessary for the Company to request sensitive Personal Information from you. Where the Company collects this sensitive Personal Information, it is only ever requested for a specified purpose and your explicit consent is obtained through a verifiable signature.
  b) You can modify or remove consent at any time; the Company will act on this request without delay, unless there is a legitimate interest or legal reason for not doing so. The Company will inform you of this impediment.
  c) If the Company needs to collect special category information you will be asked to confirm in writing your permission for the Company to do so.

3 How the Company uses your personal information

  a) The Company will process (collect, store and use) the information you provide in a manner compatible with relevant regulation such as the Australian Privacy Principles and the GDPR.
  b) The Company will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary.
  c) The Company is required to retain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on individual business needs.
  d) The Company retains records in accordance with the Records Retention and Disposal Schedule. For further information on the retention of records for specific countries click here.
  e) The Company uses the data collected from you to:
    i. operate and administer our business
    ii. comply with regulatory compliance requirements
    iii. provide you with our services and courses
    iv. improve our services and products
    v. personalise your experience
    vi. communicate with you
  g) The Company aims to avoid unnecessary intrusion, and undertakes not to ask irrelevant or unnecessary questions. Moreover, the information you provide will be subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure.
  h) The Company has implemented procedural and technological safeguards to protect your personal information.

4 Why Does the Company need to collect and store personal data?

  a) In order for Navitas to provide you with your chosen service/s, Navitas needs to collect personal data for the purposes noted above. In any event, the Company is committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.
  b) The Company will contact you for additional consent where we intend to use personal data for marketing purposes. In doing so, we comply with regulations such as the Australian Privacy Act, Privacy Principles, Do Not Call Register Act and UK’s Privacy and Electronic Communications Regulations (PECR), which set out specific privacy rights in relation to:
    i. electronic communications
    ii. marketing calls
    iii. emails, texts and faxes
    iv. cookies (and similar technologies), including the requirement for Navitas to obtain your consent to the use of cookies
    v. restrictions on the processing and sharing of personal traffic data and location data
    vi. providing access to users’ personal data in the interest of national security
  f) For further information on the Australian Privacy Act, Privacy Principles and Do Not Call Register Act and the PECR, click here.

5 Will the Company share my personal information with a third party or parties?

  a) The Company may pass your personal information on to third-party service providers contracted to the Company in the course of dealing with you.
  b) Any third parties that we may share your personal information with are obliged to keep your personal information secure, and to use such information only for the purpose for which the personal information was provided and for which consent was obtained.
  c) When the third-party/ies no longer need your personal information to fulfil this service, they will dispose of the personal information in line with the Company’s records retention and disposal procedures.
  d) The Company will obtain your consent prior to sharing your personal information with a third party unless we are legally required to do otherwise.

6 Contacting you

  a) In line with requirements set out under the Australian Privacy Principles and the GDPR, the Company will often be required to contact you when dealing with personal information.
  b) If you decide to exercise any of your rights, for example wishing to obtain access to your information, the Company will need to be in touch with you regarding the process and its outcome.
  c) When you give consent to the Company to collect, use and store your personal information, you are immediately imposing on the Company the responsibility to communicate with you in a reasonable, clear, accurate and transparent manner using simple, easy to understand language.
  d) The Company will contact you to confirm any changes to your personal data, inform you of the outcome of any requests you have made such as becoming anonymous and in the event of a security breach that may have some impact on you.
  e) The Company will make every endeavour to communicate with you, unless communication is impossible or involves disproportionate effort.

7 Can I find out what personal information the Company holds on me?

  a) The Company, at your request, can confirm what information we hold about you and how it is processed.
  b) If the Company does hold personal information about you, you can request the following information:
    i. Identity and the contact details of the person or organisation that has determined how and why to process your data. Each of the Company’s operational areas (UK/EU, Australasia, United States of America and Canada) has a Data Protection Officer (DPO) and/or Manager (DPM) who will be able to assist you.
    ii. Contact details of the Data Protection Officer/Data Protection Manager, whichever is applicable.
    iii. The purpose of the processing as well as the legal basis for processing.
    iv. If the processing is based on the legitimate interests of the Company or a third party, information about those interests.
    v. The categories of personal data collected, stored and processed.
    vi. Recipient(s) or categories of recipients that the data is/will be disclosed to.
    vii. If the Company intends to transfer the personal data to a third country or international organisation, information about how this is done securely.
    viii. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, the Company will ensure there are specific measures in place to secure your information.
    ix. How long the Company will store your personal information/data.
    x. Details of your rights to correct, erase, restrict or object to such processing.
    xi. Information about your right to withdraw consent at any time.
    xii. How to lodge a complaint with the supervisory authority.
    xiii. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
    xiv. The source of personal data if it wasn’t collected directly from you.
    xv. Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
  c) Read more about how and why we use your data on our Privacy Policy here. This includes instructions as to how you can access, seek correction or complain about how your personal data is being handled.
  d) The Company requires two or more of the following forms of identification when information on your personal data is requested:
    i. Current passport
    ii. Driving licence
    iii. Birth certificate
    iv. Utility bill (from last three (3) months)
    v. Current vehicle registration document
    vi. Bank statement (from last three (3) months)
    vii. Rent book (from last three (3) months)
  e) The Company is planning the implementation of a ‘secret question and answer’ process to further ensure the security of personal information. The process will be implemented as part of the online enquiry system.