Privacy Policy

Purpose

Gimbal Training is committed to delivering high-quality training and assessment services in accordance with the Standards for Registered Training Organisations (RTOs) 2025. As part of this commitment, Gimbal Training recognises its responsibility to protect the privacy and confidentiality of personal information relating to employees, learners, clients, contractors, and other stakeholders.

This policy outlines how Gimbal Training collects, uses, stores, discloses, and manages personal information in accordance with the Privacy Act 1988 and the Australian Privacy Principles (APPs).

This policy also outlines how Gimbal Training manages privacy risks associated with emerging technologies, including Artificial Intelligence (AI), in the collection, use, storage, and disclosure of personal information.

Policy Statement
Gimbal Training is committed to protecting the privacy of individuals and ensuring that personal information is managed lawfully, securely, and transparently. Personal information collected by Gimbal Training is used only for legitimate business, training, assessment, and regulatory purposes and is handled in accordance with applicable privacy legislation.
Gimbal Training will:

  • Maintain and make available a current Privacy Policy.
  • Collect, use, and disclose personal information only for authorised purposes.
  • Obtain consent before disclosing personal information to third parties unless
    disclosure is required or authorised by law.
  • Protect all records through appropriate security measures.
  • Maintain the confidentiality and integrity of personal information.
  • Provide individuals with access to their personal information and the opportunity to correct inaccurate information.


Use of Artificial Intelligence

Gimbal Training may utilise Artificial Intelligence (AI) technologies and automated tools to support administrative, operational, educational, and customer service functions. Any use of AI will be undertaken in a manner that complies with the Privacy Act 1988, Australian Privacy Principles (APPs), and other applicable legislation.

Gimbal Training will ensure that:

  • Personal information is not entered into AI systems unless appropriate privacy,
    security, and confidentiality safeguards are in place.
  • AI technologies are used responsibly, ethically, and only for legitimate business,
    training, and assessment purposes.
  • Human oversight is maintained for decisions that may affect learners, employees, contractors, or other stakeholders.
  • AI-generated content or recommendations are reviewed for accuracy and
    appropriateness before being relied upon for decision-making.
  • Third-party AI providers engaged by Gimbal Training maintain appropriate privacy and security standards.


Policy Principles

Legislative Framework
Although not legally required to do so, Gimbal Training voluntarily complies with the Privacy Act 1988 and the thirteen Australian Privacy Principles (APPs).

The APPs establish standards, rights, and obligations for the collection, use, disclosure, storage, access, and correction of personal information, including sensitive information.

Personal Information
Personal information refers to information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether it is recorded in a material form or not.

Sensitive Information
Sensitive information includes personal information relating to an individual’s:

  • Racial or ethnic origin
  • Political opinions or associations
  • Religious beliefs or affiliations
  • Philosophical beliefs
  • Professional or trade association memberships
  • Trade union memberships
  • Sexual orientation or practices
  • Criminal record
  • Health or biometric information, where applicable


Part 1 – Management of Personal Information

Open and Transparent Management
Gimbal Training manages personal information in an open, transparent, and accountable manner.

Gimbal Training will:

  • Maintain and regularly review its Privacy Policy.
  • Implement procedures to address privacy-related enquiries and complaints.
  • Ensure privacy practices comply with the Australian Privacy Principles.
  • Make its Privacy Policy available free of charge upon request and through appropriate communication channels.


The Privacy Policy includes information about:

  • The types of personal information collected and held.
  • How personal information is collected and stored.
  • The purposes for which information is collected, used, and disclosed.
  • How individuals may access and correct their personal information.
  • How privacy complaints may be lodged and managed.
  • Whether personal information may be disclosed to overseas recipients and, if applicable, the countries involved.


Anonymity and Pseudonymity

Where practical and lawful, individuals may choose not to identify themselves or may use a pseudonym when making enquiries about Gimbal Training’s services.
However, learners and clients must provide accurate identifying information where required by legislation, funding arrangements, enrolment processes, or regulatory requirements.

Part 2 – Collection of Personal Information
Gimbal Training only collects personal information that is reasonably necessary for its operations, training and assessment services, or where collection is required by law.
As a Registered Training Organisation, Gimbal Training is required to collect, hold, use, and disclose personal information in accordance with the National VET Data Policy and other applicable legislative requirements.

Where AI-enabled systems are used to process or analyse personal information, Gimbal Training will ensure that such processing is directly related to its legitimate functions and activities and is conducted in accordance with privacy legislation and organisational policies. Personal information will not be used to train or improve external AI models unless the individual has provided informed consent or such use is otherwise permitted by law.

Notification of Collection
At or before the time personal information is collected, Gimbal Training will take reasonable steps to inform individuals of:

  • The identity and contact details of Gimbal Training.
  • The purpose of collection.
  • How the information will be used and disclosed.
  • Any legal requirements for collection.
  • How individuals may access and correct their information.
  • The consequences of not providing requested information.


Methods of Collection

Personal information may be collected through:

  • Enrolment and application forms.
  • Online enquiries and registrations.
  • Telephone conversations.
  • Emails, letters, and other correspondence.
  • Certified supporting documents.
  • Learning management systems and student portals.
  • Information provided by authorised third parties, including previous training providers.


Where information is collected from a third party, Gimbal Training will take reasonable steps to ensure the individual is aware of the collection unless an exception permitted by law applies.

Part 3 – Use and Disclosure of Personal Information
Gimbal Training will only use or disclose personal information for the purpose for which it was collected, unless:

  • The individual has provided consent.
  • The use or disclosure is required or authorised by law.
  • Another exception under the Privacy Act 1988 applies.


Where Artificial Intelligence (AI) technologies are used to support administrative,
educational, or operational activities, Gimbal Training will ensure that:

  • Personal information is only processed through approved AI systems.
  • AI-generated outputs are reviewed by appropriately authorised personnel before being relied upon for decisions affecting individuals.
  • Personal information is not used to train external AI models without appropriate authority, consent, or legal basis.
  • Third-party AI providers engaged by Gimbal Training meet applicable privacy,
    confidentiality, and security requirements.


Direct Marketing

Gimbal Training may use personal information to communicate information about services, training opportunities, and related activities where consent has been provided or where permitted by law.
Individuals will be provided with a clear and accessible option to opt out of receiving marketing communications.

Government Identifiers
Gimbal Training collects and reports Unique Student Identifier (USI) information as required under applicable legislation.
USI information will not be disclosed or displayed for any purpose other than those authorised by law and will not be adopted as Gimbal Training’s own identifier for an
individual.

Part 4 – Integrity and Security of Personal Information
Quality of Information
Gimbal Training will take reasonable steps to ensure personal information collected, used, and disclosed is accurate, current, complete, and relevant.

Security of Information
Gimbal Training will implement appropriate physical, electronic, and administrative
safeguards to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.

These safeguards may include:

  • Secure electronic record management systems.
  • Access controls and user permissions.
  • Password protection and multi-factor authentication where appropriate.
  • Secure storage and disposal procedures.
  • Staff training in privacy and information security requirements.


Where AI technologies are used:

  • Staff must not enter sensitive or confidential information into public AI tools unless authorised.
  • Approved AI platforms must comply with organisational privacy and security
    requirements.
  • AI usage will be monitored to ensure compliance with privacy, confidentiality, and cybersecurity obligations.


Personal information will be securely destroyed or de-identified when it is no longer required and retention obligations have been met.

Part 5 – Access to and Correction of Personal Information
Individuals may request access to personal information held by Gimbal Training and may request correction of information that is inaccurate, incomplete, out of date, irrelevant, or misleading.

Gimbal Training will:

  • Respond to access requests within 30 days where practicable.
  • Provide access in the manner requested where reasonable and practical.
  • Not charge a fee for access to personal information, except where administrative costs apply for replacement certification documentation.


Access may be refused where permitted under the Privacy Act 1988, including where access would:

  • Unreasonably impact the privacy of another individual.
  • Prejudice legal proceedings or investigations.
  • Be unlawful.
  • Present a serious threat to health, safety, or security.


Where access or correction is refused, Gimbal Training will provide written reasons for the decision and information about available complaint mechanisms.
Where AI systems are used to process personal information, individuals may request clarification regarding the use of their information and seek review of decisions that involve significant automated processing.

Gimbal Training Responsibilities
The General Manager ensures that all employees are made aware of this policy and its underpinning legislative requirements and comply with this policy at all times. All employees have access to this policy.

Records Management
All personal information and records are maintained in accordance with Records Management Policy. (See Records Management Policy).

Monitoring and Improvement
All practices for Privacy are monitored by the General Manager and areas for improvement identified and acted upon