Privacy

PRIVACY POLICY

Date first approved:

11 October 2002

Date of effect:

11 October 2002

Date last amended:
(refer Version Control Table)

Date of Next Review:

December 2019

First Approved by:

University Council

Custodian title & e-mail address:

Director, Governance and Legal Division

privacy-enquiry@uow.edu.au

Author:

Director, Governance and Legal Division

Responsible Division & Unit:

Legal Services Unit, Governance and Legal Division

Supporting documents, procedures & forms of this policy:

Privacy Management Plan
Privacy Complaint Internal Review Application Form

Privacy Information Sheet

Relevant Legislation &

External Documents:

Privacy and Personal Information Protection Act 1998 (NSW) (“PPIPA”)
Health Records and Information Privacy Act 2002 (NSW) (“HRIPA”)

Information and Privacy Commission NSW

Government Information (Public Access) Act 2009 (NSW)

Independent Commission Against Corruption Act 1988 (NSW)

Public Interest Disclosures Act 1994 (NSW)

State Records Act 1998 (NSW)

Workplace Surveillance Act 2005 (NSW)

Work Health and Safety Act 2011 (NSW)

University of Wollongong Act 1989 (NSW)

University of Wollongong By Law 2005 (NSW)

Rules of the University of Wollongong

University Code of Conduct

Records Management Policy

Fraud and Corruption Prevention Policy

Access to Information Policy

Workplace Health and Safety Policy

Audience:

Public

Submit your feedback on this policy document using the Policy Feedback Facility.

Contents

1 Purpose of Policy

    1. The University of Wollongong (“UOW”), in carrying out its functions and activities, collects personal and/or health information from staff, students and third parties. It is the responsibility of UOW to ensure that the overall management of that information, which includes collection, storage, access, use and disclosure, complies with NSW privacy laws.

  • 2. The purpose of this policy is to facilitate UOW’s compliance with the Privacy and Personal Information Protection Act 1998 (“PPIPA”), the Health Records and Information Privacy Act 2002 (“HRIPA”) and other relevant privacy laws, including but not limited to regulations, statutory guidelines, codes of practice and privacy directions.

2 Application and Scope

      1. This policy outlines the responsibilities of all staff when handling information to ensure that UOW complies with PPIPA and HRIPA.

    • 2. This policy applies to the collection, storage, access, use and disclosure of information.
    • 3. All staff must comply with UOW’s Privacy Policy and Privacy Management Plan.
    • 4. A breach of this Privacy Policy or the Privacy Management Plan may constitute misconduct pursuant to UOW codes, policies and guidelines and be subject to disciplinary action.
    • 5. This policy does not apply to UOW’s related entities. UOW’s related entities have their own policies and procedures regarding information that is provided to or collected by them.

3 Definitions

Word/Term

Definition

Health information

  • Health information, for the purpose of this policy, refers to health information defined in HRIPA (or as amended in HRIPA from time to time) as:

    (a) personal information that is information or an opinion about:

      (i) the physical or mental health or a disability (at any time) of an individual, or

      (ii) an individual’s express wishes about the future provision of health services to him or her, or

      (iii) a health service provided, or to be provided, to an individual, or

    (b) other personal information collected to provide, or in providing, a health service, or

    (c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or

    (d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual, or

    (e) healthcare identifiers”

Information

    Health information and/or personal information as the context permits.

Law enforcement agency

    Law enforcement agencies include the Police Force of NSW or of another State or Territory, the NSW Crime Commission, the Australian Federal Police, the Australian Crime Commission, the Director of Public Prosecutions of NSW, another State or Territory or the Commonwealth, , the Department of Justice and/or the Office of the Sheriff of NSW.

Personal information

  • Personal information, for the purpose of this policy, refers to personal information defined in PPIPA (or as amended in PPIPA from time to time) as:
  • “Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.”
  • Under PPIPA, personal information does not include:
  • a. information regarding an individual who has been deceased for more than 30 years;
  • b. information about an individual that is readily available in a publicly available publication; and
  • c. information or an opinion about an individual’s suitability for appointment or employment as a public sector official.

Related entities

UOW’s related entities include UOW Enterprises,UOW Pulse and the Illawarra Health and Medical Research Institute (IHMRI).

Sensitive information

A subclass of personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.

Staff

  • All employees of UOW (including casual and conjoint employees), and honorary and visiting appointees, consultants and contractors, agency staff, emeriti, members of UOW committees and any other person appointed or engaged by UOW to perform duties or functions for UOW.

4 UOW’s Commitment to Privacy

    • 1. UOW will collect, store, use and disclose information in accordance with PPIPA, HRIPA and other relevant laws and codes of practice.
    • 2. UOW has prepared a Privacy Management Plan in compliance with section 33 of PPIPA. This plan sets out how UOW will comply with PPIPA, HRIPA and other applicable laws and codes of practice, and also sets out how to make a complaint about a privacy issue.
    • 3. UOW’s Privacy Management Plan operates as a procedure document under this Privacy Policy and is available via UOW’s policy directory and privacy homepage.

5 Collection of Information

    • 1. UOW will collect information in an open manner, including informing individuals that information is being collected, why it is being collected, how it will be used, who else might see it and any consequences that may apply if the information is not provided.
    • 2. UOW will only collect information by lawful means where collection is:
      • a. for a lawful purpose which is directly related to one of its activities; and
      • b. reasonably necessary for that purpose.
    • 3. UOW will ensure that the information collected is relevant, accurate, up to date and not excessive, and that collection does not intrude to an unreasonable extent on the personal affairs of the individual.
    • 4. UOW will collect information directly from the individual concerned unless it is unreasonable or impracticable to do so.
    • 5. UOW’s Privacy Management Plan provides further detail concerning collection of information.

6 Access, Accuracy and Amendment of Information

    • 1. All reasonable steps will be taken by UOW to ensure that information it collects, holds or discloses is accurate, complete, up to date and not misleading.
    • 2. UOW will respond to enquiries from an individual as to whether it holds that individual’s information including any rights of access to it.
    • 3. UOW will allow an individual to:
      • a. access his/her own information held by UOW without unreasonable delay or expense;
      • b. make appropriate amendments, corrections or updates to his/her information where necessary.
    • 4. UOW’s Privacy Management Plan provides further detail concerning access, accuracy and amendment of information.

7 Retention and Security of Information

    • 1. UOW will take all reasonable steps to ensure that information is:
      • a. held for no longer than is necessary, subject to the State Records Act 1998 (NSW);
      • b. disposed of securely in accordance with approved methods; and
      • c. protected to the extent reasonable in the circumstances from loss, unauthorized access, use, modification or disclosure, and against all other misuse.
    • 2. UOW’s Privacy Management Plan provides further detail concerning retention and security of information.

8 Use of Information

      1. In general terms, ‘use’ of information refers to the communication or handling of information within UOW.

    • 2. UOW will only use information for the primary purpose for which it was collected unless:
      • a. the use of the information is directly related to the primary purpose for which the information was collected; or
      • b. the use of the personal information is necessary to deal with a serious and imminent threat to any individual’s life or health; or
      • c. the use of the health information is necessary to deal with a serious and imminent threat to any individual’s life, health or safety, or is necessary to lessen or prevent a serious threat to public health or public safety; or
      • d. the individual provides consent to any other use.
    • 3. UOW will only use information without an individual’s consent in limited circumstances, including (but not limited to):
      • a. exchanging information within UOW that may relate to law enforcement purposes or for the protection of public revenue; or
      • b. where the use is permitted or required under an Act or any other law; or
      • c. where the use is reasonably necessary for the purpose of research, or the compilation of statistics, in the public interest, and:
          • i. either the purpose cannot be served by de-identified information and it is impracticable to seek the consent of the individual for the use, or reasonable steps have been taken to de-identify the information; and
          • ii. if it could reasonably be expected to identify individuals, the information is not published in a publicly available publication; and
          • iii. the use must be in accordance with any guidelines issued by the NSW Privacy Commissioner.
      • d. for health information, where the use is reasonably necessary for the training of employees or persons working with UOW and:
          • iv. either the purpose cannot be served by de-identified information and it is impracticable to seek the consent of the individual for the use, or reasonable steps are taken to de-identify the information; and
          • v. if it could reasonably be expected to identify individuals, the information is not published in a generally available publication; and
          • vi. the use must be in accordance with any guidelines issued by the NSW Privacy Commissioner.
    • 4. UOW’s Privacy Management Plan provides further detail concerning use of information and other circumstances where UOW may use information without an individual’s consent.

9 Disclosure of Information

    • 1. In general terms, ‘disclosure’ of information refers to the communication or transfer of information outside UOW.
    • 2. UOW will not disclose information it holds unless:
      • a. the disclosure of the information is directly related to the primary purpose for which the information was collected and there is no reason to believe that the individual concerned would object to the disclosure; or
      • b. the individual is reasonably likely to have been aware, or has been made aware, that information of that kind is usually disclosed to a third party; or
      • c. the disclosure of the personal information is necessary to deal with a serious and imminent threat to any individual’s life or health; or
      • d. the disclosure of the health information is necessary to deal with a serious and imminent threat to any individual’s life, health or safety, or is necessary to lessen or prevent a serious threat to public health or public safety; or
      • e. the individual provides consent to any other disclosure.
    • 3. UOW will not disclose information to any person or body who is in a jurisdiction outside NSW or to a Commonwealth agency unless one of the following additional criteria are met:
        • d. UOW reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that upholds the principles for the fair handling of the information that are substantially similar to the principles of NSW privacy laws;or
        • e. the individual expressly consents to the disclosure;or
        • f. the disclosure is necessary for the performance of a contract between the individual and UOW;or
        • g. the disclosure is necessary, on reasonable grounds, to prevent or lessen a serious and imminent threat to the life or health of any individual; or
        • h. the disclosure is permitted or required by an Act (including an Act of the Commonwealth) or any other law;or
        • i. UOW has taken reasonable steps to ensure that the information disclosed will be handled in a manner that is consistent with NSW privacy laws.
    • 4. UOW will only disclose information without an individual’s consent in limited circumstances, including (but not limited to):
      • a. where the disclosure relates to law enforcement and related matters such as:
          • i. disclosing information to a law enforcement agency for the purpose of ascertaining the whereabouts of an individual who has been reported to police as a missing person; or
          • ii. disclosing information to a law enforcement agency in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed; or
      • b. where disclosure is permitted or required under an Act or any other law; or
      • c. where the disclosure is reasonably necessary for the purpose of research, or the compilation of statistics, in the public interest, and:
          • iii. either the purpose cannot be served by de-identified information and it is impracticable to seek the consent of the individual for the disclosure, or reasonable steps have been taken to de-identify the information; and
          • iv. if it could reasonably be expected to identify individuals, the information is not published in a publicly available publication; and
          • v. the use must be in accordance with any guidelines issued by the NSW Privacy Commissioner.
      • d. for health information, where the disclosure is reasonably necessary for the training of employees or persons working with UOW and:
          • vi. either the purpose cannot be served by de-identified information and it is impracticable to seek the consent of the individual for the disclosure, or reasonable steps are taken to de-identify the information; and
          • vii. if it could reasonably be expected to identify individuals, the information is not published in a generally available publication; and
          • viii. the use must be in accordance with any guidelines issued by the NSW Privacy Commissioner.
    • 5. UOW will only disclose sensitive information with the consent of the individual unless disclosure is necessary to deal with a serious and imminent threat to any individual’s life or health.
    • 6. UOW’s Privacy Management Plan provides further detail concerning disclosure of information and other circumstances where UOW may disclose information without an individual’s consent.

10 Anonymity, Identifiers and Transfer of Health Information Outside NSW

    • 1. In relation to health information, UOW will:
      • a. provide individuals with the option of receiving health services anonymously; and/or
      • b. assign a unique identification number to an individual,
      • where it is reasonably practicable and lawful in the circumstances and it does not negatively affect the functions of UOW.
    • 2. UOW will transfer health information outside New South Wales or to a Commonwealth agency, in limited circumstances, including where the recipient of the health information is subject to principles that are substantially similar to NSW privacy principles, the individual has provided consent or the transfer is necessary for the performance of a contract between UOW and a third party.
    • 3. UOW’s Privacy Management Plan provides further detail concerning anonymity, identifiers and the transfer of health information outside NSW.

11 Complaints and Enquiries

    • 2. If an individual has any concerns about the way UOW is managing his/her information or believes that UOW may have breached his/her privacy, that individual may:
      • a. lodge a complaint with a UOW Privacy Officer; or
      • b. submit a formal request for an internal review by completing the UOW’s Privacy Complaint Internal Review Application Form; or
      • c. contact the Information and Privacy Commission NSW.
    • 3. For more information about lodging a complaint and/or requesting an internal review, please see UOW’s Privacy Management Plan or visit UOW’s privacy homepage.

12 Roles and Responsibilities

    • 1. The Director, Governance and Legal Division, as UOW’s Principal Privacy Officer, is responsible for UOW’s overall compliance with its privacy obligations.
    • 2. UOW’s Privacy Officers are responsible for:
      • a. providing privacy advice and education to staff;
      • b. responding to enquiries or complaints from individuals on privacy matters;
      • c. implementing and maintaining this Privacy Policy, the Privacy Management Plan and UOW’s privacy homepage.
    • 3. The Human Resources Division is responsible for the central management of staff information;
    • 4. The Student Services Division is responsible for the central management of student information;
    • 5. The Graduate Research School is responsible for the central management of higher degree research (HDR) student information;
    • 6. All staff are responsible for complying with UOW’s privacy obligations and practices as specified in this Privacy Policy, the Privacy Management Plan and UOW’s Code of Conduct when managing information provided to, or collected by UOW. This includes attending training or completing online privacy training as required.

13 Version Control and Change History

Version Control

Date Effective

Approved By

Amendment

1

11 October 2002

University Council

New Policy.

2

26 October 2004

Administrative Committee

Privacy Policy put into new Policy Template.

3

6 May 2009

Vice-Principal (Administration)

Migrated to UOW Policy Template as per Policy Directory Refresh

4

9 March 2010

Vice-Principal (Administration)

Future review date identified in accordance with Standard on UOW Policy

5

9 November 2010

Vice-Principal (Administration)

Minor amendment – name change of related legislation (Government Information Public Access Act 2009)

6

3 February 2012

Vice-Principal (Administration)

Minor amendment to update references to Public Interest Disclosure legislation.

7

7 December 2012

University Council

Major amendments following a comprehensive review of this Policy: each of the principles of NSW legislation explained, application and scope section and roles and responsibilities section clearly described. Reference made to Privacy Management Plan.

8

16 December 2016

Vice-Chancellor

Minor amendments including: various name changes to UOW divisions and UOW subsidiaries, the office of the Privacy Commissioner, inclusion of honoraries to staff definition and amendments to legislation.

Access to Information Right Hand Sticky Image