StudyNet Pty Ltd – Data Protection Policy

Purpose and Scope

This Data Protection Policy outlines how StudyNet Pty Ltd (“StudyNet”, “we”, “us”, “our”) manages, protects, and safeguards personal information collected, processed, stored, and disclosed in connection with our online platforms, referral programs, and related business operations.

StudyNet is committed to protecting the privacy and security of all personal information under its control. This policy applies to all StudyNet employees, contractors, counsellors, partners, referrers, and third-party service providers who handle or have access to personal information on behalf of StudyNet.

The purpose of this policy is to ensure compliance with the Privacy Act 1988 (Cth), the Notifiable Data Breaches (NDB) scheme, and best-practice data governance principles across all StudyNet activities.

Roles and Responsibilities

StudyNet Management

• Establish and maintain policies, procedures, and safeguards for the protection of personal information.
• Ensure staff, contractors, and partners are trained and aware of their obligations under this policy.
• Review incidents, breaches, or complaints related to data protection and implement corrective measures.

Employees and Contractors

• Handle personal information in accordance with this policy and internal guidelines.
• Immediately report any suspected or actual data breach, unauthorised access, or misuse to the Privacy Officer.
• Maintain confidentiality of all personal and sensitive data obtained during their work.

Privacy Officer

• Act as the main contact for data protection and privacy compliance.
• Monitor legislative changes and update internal practices accordingly.
• Oversee breach notifications, investigations, and regulatory reporting where required.

Lawful Collection and Processing of Data

StudyNet collects and uses personal information lawfully and fairly for business purposes that are necessary and directly related to its functions.

We collect data directly from individuals wherever practicable and may also receive limited information from trusted third parties (e.g., partner institutions or service providers) where lawful.

Personal information may include name, contact details, educational background, communication records, payment details (where applicable), and digital interaction data such as IP addresses and device identifiers.

All personal data is processed for one or more of the following purposes:

• Delivering StudyNet’s online and referral services.
• Managing user, counsellor, or referrer relationships.
• Conducting analytics, audits, and quality improvements.
• Complying with legal, regulatory, and contractual obligations.

StudyNet will not collect, use, or disclose personal information for purposes unrelated to its operations without consent, except as permitted by law.

Data Security and Storage

StudyNet maintains robust administrative, physical, and technical controls to protect data against unauthorised access, alteration, loss, or misuse. These include:

• Role-based access controls and password protection.
• Encryption of personal data during transmission and at rest.
• Network firewalls and secure data centres.
• Periodic security audits and vulnerability assessments.
• Restriction of data access to authorised personnel only.

Electronic data is stored on secure cloud infrastructure and internal systems located primarily in Australia, with limited overseas processing as outlined in Section 6. Paper-based records (if any) are stored in locked facilities and securely destroyed when no longer required.

Access Control and Confidentiality

• Access to personal information is granted strictly on a “need-to-know” basis.
• All employees, contractors, and partners must sign confidentiality agreements before accessing any data.
• StudyNet prohibits unauthorised copying, sharing, or transfer of personal data to external devices or unauthorised recipients.
• Users must immediately report lost devices, unauthorised disclosures, or potential security incidents to the Privacy Officer.

Cross-Border Data Transfers

Some of StudyNet’s service providers or technology partners may operate outside Australia, including in countries such as Singapore, India, Nepal, Bangladesh, and the United States.

Before transferring data overseas, StudyNet takes reasonable steps to ensure that recipients maintain standards of privacy and security that are consistent with Australian legal requirements. These steps include:

• Contractual clauses requiring equivalent data protection safeguards.
• Vendor due-diligence checks and risk assessments.
• Ongoing monitoring of third-party compliance.

StudyNet remains accountable for all personal information shared with overseas processors.

Data Breach Response and Notification

StudyNet has procedures in place to identify, investigate, and respond to any actual or suspected data breach that may involve personal information.

If a data breach occurs:

1. Assessment: The Privacy Officer will promptly investigate the incident to determine the scope, cause, and potential impact.
2. Containment: Immediate actions will be taken to isolate or secure affected systems and prevent further access.
3. Evaluation: StudyNet will assess whether the breach is likely to result in serious harm to any individual.
4. Notification:
   • Where notification is required under the Privacy Act 1988 (Cth) or is otherwise appropriate in the circumstances, StudyNet will inform affected individuals and the Office of the Australian Information Commissioner (OAIC).
   • Notification will be made promptly and within any applicable statutory timeframes, for example within 72 hours in jurisdictions requiring notification within that period.
   • Notifications will include details of the breach, potential risks, and recommended steps for affected individuals.
5. Review: Following resolution, StudyNet will review systems, processes, and staff awareness to prevent recurrence.

Data Retention and Destruction

StudyNet retains personal information only as long as necessary to fulfil its functions or to meet legal and contractual obligations.

• Account-related data is ordinarily deleted or de-identified within 24 months of inactivity.
• Financial or compliance records may be retained for seven years or longer if required by law.
• When data is no longer needed, it is securely deleted from digital systems or destroyed using certified shredding and de-identification methods.

All retention and destruction practices are logged and periodically audited.

Employee and Contractor Responsibilities

All StudyNet personnel and contractors must:

• Follow this policy and related security procedures.
• Complete mandatory data protection and privacy training.
• Report potential breaches or incidents immediately.
• Use company systems and data only for authorised business purposes.

Failure to comply with this policy may result in disciplinary action, termination of contract, or legal consequences.

Individual Rights

Individuals have the right to:

• Request access to personal information held about them.
• Request correction of inaccurate, incomplete, or outdated information.
• Withdraw consent for the use of their information, where consent was previously given.
• Lodge a complaint if they believe their data has been mishandled.

Requests should be made in writing to StudyNet’s Privacy Officer. Identification may be required before access or correction is granted.

If StudyNet refuses access or correction, written reasons will be provided along with information about complaint procedures.

Monitoring, Training, and Compliance

• StudyNet provides periodic data protection training to all staff and contractors.
• Compliance audits are conducted to ensure adherence to this policy and to identify improvement areas.
• The Privacy Officer monitors evolving legal and technological developments and recommends updates as necessary.
• Partners and vendors are required to demonstrate ongoing compliance with StudyNet’s security and privacy standards.

Policy Review and Updates

This policy is reviewed at least annually, or sooner if there are significant changes in legislation, organisational practices, or risk exposure.

Revised versions will be published on StudyNet’s website with an updated “Last Updated” date.

Material changes may also be communicated via email or internal announcements.

Contact and Escalation

For questions, concerns, or complaints regarding this policy or StudyNet’s handling of personal information, please contact:

Privacy Officer – StudyNet Pty Ltd

📧 Email:

privacy@studynet.com.au

📞 Phone:

+61 2 8964 8826

📍

Suite 1.02, Level 1, 233 Castlereagh Street, Sydney NSW 2000

If you are unsatisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.