IronSights

Cyber security for TAFE and VET providers.

TAFE providers and private RTOs hold student enrolment records, training activity data, qualifications and financial information across student management systems, LMS platforms and third-party portals. That data has Privacy Act implications and real commercial value to fraudsters.

IronSights helps TAFE providers and private RTOs understand their security exposure, protect student data and meet their compliance obligations. ISO 27001 certified, Microsoft certified, Sydney-based.

Threat context

Why VET providers are a target.

VET providers hold data that is useful to fraudsters well beyond the provider itself. Student qualifications and training records can be falsified or used as part of identity fraud. Enrolment and financial data, including government-subsidised training entitlements and VET FEE-HELP records, have been targeted in fraud schemes. Student personal and financial information sits alongside operational records in systems that are not always well-secured.

Education ranked fourth for notifiable data breach notifications in Australia in the first half of 2024, with 44 notifications to the OAIC. VET providers form part of that count. Many private RTOs operate with lean IT arrangements: a single person managing the technology, reliance on third-party student management system vendors and limited visibility into what those vendors do with student data.

The third-party risk is real. Student management platforms, LMS providers, online assessment tools and government reporting portals all connect to provider systems and hold or process student data. A provider can do everything right internally and still have a problem if a vendor they rely on is compromised or mishandles the data they were given.

Common risks

What we see in VET provider environments.

Student management system security

Student management systems are the operational core of most VET providers. They hold enrolment records, training plans, attendance, results and in many cases payment information. Access controls are often poorly configured, with broad user permissions and no clear separation between administrative access and read-only roles. A compromised account can reach the full student record database.

AVETMISS reporting and government portal credentials

NCVER reporting via AVETMISS and the state training authority portals require login credentials with access to student training activity data. Those credentials are often managed informally: shared amongst staff, stored in spreadsheets or never rotated when the person managing the reporting role changes. Compromised portal credentials expose both the student data and the provider's reporting integrity.

Third-party LMS and assessment tools

Online learning platforms, competency assessment tools and skills recognition systems all hold or process student data. Private RTOs frequently select these tools based on functionality rather than security. Vendor agreements often do not clearly address data ownership, security standards or what happens to student data if the relationship ends.

VET FEE-HELP and subsidised training data

Government-subsidised training entitlements and VET FEE-HELP records are attractive targets for enrolment fraud and data manipulation. Providers that do not enforce strong access controls and audit logging on their enrolment and financial systems face both security risk and potential compliance exposure with state training authorities and ASQA.

Inadequate backup and recovery for operational systems

A ransomware event that takes down a student management system during a training period affects course delivery, assessment completion and AVETMISS reporting. Many providers have not verified that their backups are current, complete and recoverable under time pressure. Finding out during an incident that backups are incomplete or inaccessible is a significant operational problem.

Compliance

Privacy Act obligations for VET providers.

Whether the federal Privacy Act applies depends on whether the provider is a government entity or a private organisation.

Private RTOs

Federal Privacy Act applies

Private registered training organisations are organisations for Privacy Act purposes and are directly subject to the federal Australian Privacy Principles. They must handle student personal information in accordance with the APPs, including taking active steps to protect information from misuse, loss and unauthorised access under APP 11. The Notifiable Data Breaches scheme applies: when a breach is likely to cause serious harm to affected individuals, the RTO must notify the OAIC and those individuals. Student financial information, enrolment records and any health or welfare data relevant to training all carry Privacy Act obligations.

Public TAFE

State privacy frameworks apply

Public TAFE institutes are government entities and, like government schools and public universities, are generally excluded from the federal Privacy Act under the state and territory authority provisions. They comply instead with state and territory privacy legislation. The applicable framework varies: Victorian TAFE institutes comply with the Privacy and Data Protection Act 2014 (Vic) and VPDSS requirements. NSW TAFE is subject to the Privacy and Personal Information Protection Act 1998 (NSW). Regardless of the applicable legislation, the practical obligation — to protect student data and respond appropriately when something goes wrong — is the same.

Common questions

Asked by VET providers.

Not in this list? Call us on 1300 004 766 or book a 30-minute consultation. No obligation.

  1. Does the Privacy Act apply to our RTO?

    If you are a private registered training organisation, yes. Private RTOs are organisations under the Privacy Act 1988 and are subject to the Australian Privacy Principles. That means you must handle student personal information in accordance with the APPs, including taking active steps to protect it under APP 11. When a breach is likely to cause serious harm to affected individuals, the Notifiable Data Breaches scheme requires you to notify the OAIC and the affected people. Public TAFE institutes are state government entities and are subject to state privacy legislation rather than the federal regime, but the practical obligation to protect student data is the same.

  2. What student data do we actually need to protect under the Privacy Act?

    Enrolment records, training plans, assessment results, qualification records and contact information are all personal information for Privacy Act purposes. Payment records and government entitlement information, such as subsidised training funding records, carry financial data obligations as well. Health information provided in support of reasonable adjustments or welfare needs is sensitive information under the Act, which attracts higher protection requirements. The starting point is understanding what you hold, where it is, who can access it and what would happen if it was accessed without authorisation.

  3. Our student management system is hosted by a third-party vendor. Does that change our Privacy Act obligations?

    No. Using a third-party vendor to host or process student data does not transfer your Privacy Act obligations to that vendor. You remain the organisation responsible for the personal information. Under APP 8, if you share personal information with overseas recipients, additional obligations apply. You should have a written agreement with your student management system vendor that addresses their security obligations, what they will do in the event of a breach, and what happens to the data if the relationship ends. Many providers discover when something goes wrong that their vendor agreements do not address these questions.

Start here

Understand your student data obligations and what it takes to meet them.

We assess your environment, your student management systems, your third-party vendor relationships, and whether your incident response process is adequate. The output is a practical, prioritised plan.

ISO 27001 and ISO 9001 certified. NSW Master Security Licence 000109187. Microsoft certified. Australian-owned. Sydney-based.