• Section 1 - Background and Purpose
• Preamble
• Purpose
• Section 2 - Scope
• Section 3 - Policy Statement
• Section 4 - Procedures
• Australian Privacy Principles
• Information collected by the University
• Information at Point of Collection
• Use and Disclosure
• Security of Personal Information
• Cross-border Disclosures
• Access to personal information and correction of personal information
• University’s Privacy Officer
• Part A - Complaints
• Section 5 - Definitions
• Section 6 - Stakeholders

Section 1 - Background and Purpose

Preamble

(1) The Privacy and Data Protection Act 2014 applies to public bodies established for a public purpose under an Act. It provides that an act done or practice engaged in by an organisation is an interference with the privacy of an individual if the act or practice is contrary to, or inconsistent with, an Information Privacy Principle (‘IPP’). The names of this and subsequent sections will vary and will be dependent on the actual processes to be followed.

(2) The Privacy Amendment (Enhancing Privacy Protection) Act 2012 and the overarching Privacy Act 1988 do not apply to the University.  The University is electing to incorporate the standards of the Australian Privacy Principles (APPs) into its Privacy Procedures where appropriate.

(3) The University is bound by privacy legislation in accordance with the Information Privacy Principles in the Privacy and Data Protection Act 2014. The University also has obligations under some agreements, grants and other funding arrangements to adhere to the Australian Privacy Principles, contained within the Privacy Amendment (Enhancing Privacy Protection) Act 2012. Collectively, these Principles stipulate how the University should collect, store, disclose and give access to personal information.

Purpose

(4) This Policy informs staff and students about how the University manages personal information.

(5) The Procedure governs the management by the University of personal information. The Procedure also outlines how to make a complaint if an individual believes theres has been an interference with his/her privacy.

Section 2 - Scope

(6) This Policy and Procedure applies to all organisational areas of the University. It applies to the collection, use, storage, disclosure and access to personal information.

(7) This Procedure does not cover the management of health information. The management of health information is covered by the Procedure in the Privacy – Health Information Policy.

(8) Nor does this Procedure apply to personal information that is:

1. In a publication that is available to members of the public;
2. kept in a library, art gallery or museum for reference, study or exhibition purposes;
3. a public record under the control of the Keeper of Public Records that is available for public inspection; or
4. an archive within the meaning of the Commonwealth Copyright Act 1968.

Section 3 - Policy Statement

(9) The University is committed to the protection of the privacy of personal information. It will manage personal information in accordance with privacy laws.

Section 4 - Procedures

Australian Privacy Principles

(10) The University will manage personal information in accordance with the Australian Privacy Principles, unless either:

1. the APPs are silent with regards to a matter under the IPPs; or
2. the IPPs require a behaviour or action by the University that the University considers to be a higher standard than the requirement of the APP.  This standard is a matter for the University to decide at its discretion.

Information collected by the University

(11) The University will:

1. only collect personal information that is necessary for, or directly related to, one or more of its functions or activities;
2. only collect sensitive information about an individual if the individual has consented, the collection is required or permitted under law (e.g. collection of statistics for a government agency) or the collection is otherwise in accordance with the relevant privacy principle/s; and
3. unless unreasonable or impracticable to do so, or the individual consent to collection of information from someone other than the individual, the University will only collect personal information about an individual from that individual.
    

(12) Sensitive information means personal information about an individual’s racial or ethnic origin, political opinions, membership of a political, professional or trade association or trade union, religious beliefs or affiliations, philosophical beliefs, sexual preferences or practices or criminal record.

Information at Point of Collection

(13) Where the University collects personal information from an individual, it will take reasonable steps in the circumstances to notify the individual of:

1. the identity of the University’s privacy officer and how to contact that officer;
2. that the individual is able to gain access to the information (subject to the provisions of the Freedom of Information Act 1982);
3. the purposes for which the information about the individual is collected;
4. to whom the organisation usually discloses information of that kind;
5. any law that requires the particular information to be collected;
6. the main consequences (if any) for the individual if the information is not provided;
7. if the University is likely to disclose the personal information to an overseas recipient, and if so, the countries in which such recipients are likely to be located (where practicable); and
8. the University’s Privacy Policy and that the Policy contains information about how the individual may
   1. access the personal information about the individual that is held by the University;
   2. seek correction of that information; or
   3. complain about a breach of the individual’s privacy and how the University will deal with such a complaint.

Use and Disclosure

(14) The University will:

1. not use or disclose personal information about an individual for a purpose other than the original purpose of collection except in accordance with the relevant privacy principle/s;
2. as required by Section 6(1) of the Privacy and Data Protection Act 2014, interpret IPP 4.2 regarding destruction or permanent de-identification of personal information subject to the University’s obligations under the Public Records Act 1973.
3. as required by Section 14 of the Privacy and Data Protection Act 2014, interpret IPP 6 regarding an individual’s rights to access to, and correction of, personal information subject to the procedures contained in the Freedom of Information Act 1982.

Security of Personal Information

(15) The University holds personal information securely and such information may only be accessed by authorised users.

Cross-border Disclosures

(16) In some circumstances, the University may disclose personal information to a third party which is outside Australia.  In such circumstances, the University will take reasonable steps to ensure that the overseas third party does not breach the relevant privacy principle/s.

Access to personal information and correction of personal information

(17) To find out further information, to access personal information held by the University or to seek the correction of personal information held by the University, the individual may contact the Freedom of Information/Privacy Officer.

(18) Where applicable, the Freedom of Information/Privacy Officer will respond to any complaint within 30 days and any request for access to information or request for the correction of information held by the University within 45 days.

(19) A fee will be charged by the University for access to personal information unless the University expressly decides to waive this fee.  For current University fees, see the Freedom of Information Webpage.

University’s Privacy Officer

(20) The responsibilities of the University’s Freedom of Information/Privacy Officer will include:

1. ongoing review of the University’s practices and procedures to ensure that they comply with this Procedure, current legislation and best practice;
2. reviewing this Procedure and advising and educating University management and staff of their responsibilities under this Procedure, the Privacy and Data Protection Act 2014 and the Health Records Act 2001; and
3. the receipt and investigation of complaints.

(21) To find out further information, to access personal information held by the University or to seek the correction of personal information held by the University, please contact:

Part A - Complaints

(22) Any individual in respect of whom personal information is or has been held by the University may complain to the University’s Privacy Officer about an act or practice of the University that the individual believes is an interference with the privacy of that individual.

(23) The Privacy Officer will investigate the complaint as speedily as possible. The Privacy Officer will then advise the Vice-Chancellor or nominee of his/her findings and make recommendations to the Vice-Chancellor or nominee about the complaint.

(24) The Vice-Chancellor or nominee will make a decision on the complaint and advise the complainant in writing of the result of the investigation.

Section 5 - Definitions

(25) For the purpose of this Policy and Procedure:

1. The term “personal information” means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Section 6 - Stakeholders