PRIVACY POLICY

Date approved:	11 October 2002	Date Policy will take effect:	7 December 2012	Date of Next Review:	December 2015
Approved by:	University Council
Custodian title & e-mail address:	Director, Legal Services Unit privacy-enquiry@uow.edu.au
Author:	Director, Legal Services Unit
Responsible Faculty/ Division & Unit:	Legal Services Unit, Financial Services Division
Supporting documents, procedures & forms of this policy:	Privacy Management Plan Privacy Complaint Internal Review Application Form Privacy Information Sheet
References & Legislation:	Privacy and Personal Information Protection Act 1998 (NSW) (“PPIPA”) Health Records and Information Privacy Act 2002 (NSW) (“HRIPA”) Office of the Privacy Commissioner – Privacy NSW Government Information (Public Access) Act 2009 (NSW) Independent Commission Against Corruption Act 1988 (NSW) Public Interest Disclosures Act 1994 (NSW) State Records Act 1998 (NSW) Workplace Surveillance Act 2005 (NSW) Work Health and Safety Act 2011 (NSW) University of Wollongong Act 1989 (NSW) University of Wollongong By Law 2005 (NSW) Rules of the University of Wollongong University Code of Conduct Records Management Policy Public Interest Disclosures Policy Access to Information Policy Workplace Health and Safety Policy
Audience:	Public – accessible to anyone
Expiry Date of Policy:	Not applicable

Submit your feedback on this policy document using the Policy Feedback Facility.

1 Purpose of Policy

1. The University of Wollongong (“UOW”), in carrying out its functions and activities, collects personal and/or health information from staff, students and third parties. It is the responsibility of UOW to ensure that the overall management of that information, which includes collection, storage, access, use and disclosure, complies with NSW privacy laws.

• 2. The purpose of this policy is to facilitate UOW’s compliance with the Privacy and Personal Information Protection Act 1998 (“PPIPA”), the Health Records and Information Privacy Act 2002 (“HRIPA”) and other relevant privacy laws, including but not limited to regulations, statutory guidelines, codes of practice and privacy directions.

2 Application and Scope

1. This policy outlines the responsibilities of all staff when handling information to ensure that UOW complies with PPIPA and HRIPA.

• 2. This policy applies to the collection, storage, access, use and disclosure of information.
• 3. All staff must comply with UOW’s Privacy Policy and Privacy Management Plan.
• 4. A breach of this Privacy Policy or the Privacy Management Plan may constitute misconduct pursuant to UOW codes, policies and guidelines and be subject to disciplinary action.
• 5. This policy does not apply to UOW’s related entities. UOW’s related entities have their own policies and procedures regarding information that is provided to or collected by them.

3 Definitions

Term	Definition
Health information	Health information, for the purpose of this policy, refers to health information defined in HRIPA (or as amended in HRIPA from time to time) as: “ (a) personal information that is information or an opinion about: (i) the physical or mental health or a disability (at any time) of an individual, or (ii) an individual’s express wishes about the future provision of health services to him or her, or (iii) a health service provided, or to be provided, to an individual, or (b) other personal information collected to provide, or in providing, a health service, or (c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or (d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual, or (e) healthcare identifiers”
Information	Health information and/or personal information as the context permits.
Law enforcement agency	Law enforcement agencies include the Police Force of NSW or of another State or Territory, the NSW Crime Commission, the Australian Federal Police, the Australian Crime Commission, the Director of Public Prosecutions of NSW, another State or Territory or the Commonwealth, the Department of Corrective Services, the Department of Juvenile Justice or the Office of the Sheriff of NSW.
Personal information	Personal information, for the purpose of this policy, refers to personal information defined in PPIPA (or as amended in PPIPA from time to time) as: “Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.” Under PPIPA, personal information does not include: a. information regarding an individual who has been deceased for more than 30 years; b. information about an individual that is readily available in a publicly accessible publication; and c. information or an opinion about an individual’s suitability for appointment or employment as a public sector official.
Related entities	UOW’s related entities include ITC Ltd, URAC, UniCentre and the Illawarra Health and Medical Research Institute (IHMRI).
Sensitive information	A subclass of personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.
Staff	All employees of UOW, including casual employees, conjoint and visiting appointees, consultants and contractors, agency staff, emeriti, members of UOW committees and any other person appointed or engaged by UOW to perform duties or functions for UOW.

4 UOW’s commitment to privacy

• 1. UOW will collect, store, use and disclose information in accordance with PPIPA, HRIPA and other relevant laws and codes of practice.
• 2. UOW has prepared a Privacy Management Plan in compliance with section 33 of PPIPA. This plan sets out how UOW will comply with PPIPA, HRIPA and other applicable laws and codes of practice, and also sets out how to make a complaint about a privacy issue.
• 3. UOW’s Privacy Management Plan operates as a procedure document under this Privacy Policy and is available via UOW’s policy directory and privacy homepage.

5 Collection of information

• 1. UOW will collect information in an open manner, including informing individuals that information is being collected, why it is being collected, how it will be used, who else might see it and any consequences that may apply if the information is not provided.
• 2. UOW will only collect information by lawful means where collection is:
• a. for a lawful purpose which is directly related to one of its activities; and
• b. reasonably necessary for that purpose.
• 3. UOW will ensure that the information collected is relevant, accurate, up to date and not excessive, and that collection does not intrude to an unreasonable extent on the personal affairs of the individual.
• 4. UOW will collect information directly from the individual concerned unless it is unreasonable or impracticable to do so.
• 5. UOW’s Privacy Management Plan provides further detail concerning collection of information.

6 Access, accuracy and amendment of information

• 1. All reasonable steps will be taken by UOW to ensure that information it collects, holds or discloses is accurate, complete, up to date and not misleading.
• 2. UOW will respond to enquiries from an individual as to whether it holds that individual’s information including any rights of access to it.
• 3. UOW will allow an individual to:
• a. access his/her own information held by UOW without unreasonable delay or expense;
• b. make appropriate amendments, corrections or updates to his/her information where necessary.
• 4. UOW’s Privacy Management Plan provides further detail concerning access, accuracy and amendment of information.

7 Retention and security of information

• 1. UOW will take all reasonable steps to ensure that information is:
• a. held for no longer than is necessary, subject to the State Records Act 1998 (NSW);
• b. disposed of securely in accordance with approved methods; and
• c. protected to the extent reasonable in the circumstances from loss, unauthorized access, use, modification or disclosure, and against all other misuse.
• 2. UOW’s Privacy Management Plan provides further detail concerning retention and security of information.

8 Use of information

1. In general terms, ‘use’ of information refers to the communication or handling of information within UOW.

• 2. UOW will only use information for the primary purpose for which it was collected unless:
• a. the use of the information is directly related to the primary purpose for which the information was collected; or
• b. the use of the personal information is necessary to deal with a serious and imminent threat to any individual’s life or health; or
• c. the use of the health information is necessary to deal with a serious and imminent threat to any individual’s life, health or safety, or is necessary to lessen or prevent a serious threat to public health or public safety; or
• d. the individual provides consent to any other use.
• 3. UOW will only use information without an individual’s consent in limited circumstances, including (but not limited to):
• a. exchanging information within UOW that may relate to law enforcement purposes or for the protection of public revenue; or
• b. where the use is permitted or required under an Act or any other law; or
• c. for health information, where the use is necessary for the training of employees or for research purposes, in the public interest, and the use is in accordance with the guidelines issued under HRIPA.
• 4. UOW’s Privacy Management Plan provides further detail concerning use of information and other circumstances where UOW may use information without an individual’s consent.

9 Disclosure of information

• 1. In general terms, ‘disclosure’ of information refers to the communication or transfer of information outside UOW.
• 2. UOW will not disclose information it holds unless:
• a. the disclosure of the information is directly related to the primary purpose for which the information was collected and there is no reason to believe that the individual concerned would object to the disclosure; or
• b. the individual is reasonably likely to have been aware, or has been made aware, that information of that kind is usually disclosed to a third party; or
• c. the disclosure of the personal information is necessary to deal with a serious and imminent threat to any individual’s life or health; or
• d. the disclosure of the health information is necessary to deal with a serious and imminent threat to any individual’s life, health or safety, or is necessary to lessen or prevent a serious threat to public health or public safety; or
• e. the individual provides consent to any other disclosure.
• 3. UOW will only disclose information without an individual’s consent in limited circumstances, including (but not limited to):
• a. where the disclosure relates to law enforcement and related matters such as:
• i. disclosing information to a law enforcement agency for the purpose of ascertaining the whereabouts of an individual who has been reported to police as a missing person; or
• ii. disclosing information to a law enforcement agency in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed; or
• b. where disclosure is permitted or required under an Act or any other law; or
• c. for health information where the disclosure is necessary for the training of employees or for research purposes, in the public interest, and the disclosure is in accordance with the guidelines issued under HRIPA.
• 4. UOW will only disclose sensitive information with the consent of the individual unless disclosure is necessary to deal with a serious and imminent threat to any individual’s life or health.
• 5. UOW’s Privacy Management Plan provides further detail concerning disclosure of information and other circumstances where UOW may disclose information without an individual’s consent.

10 Anonymity, identifiers and transfer of health information outside NSW

• 1. In relation to health information, UOW will:
• a. provide individuals with the option of receiving health services anonymously; and/or
• b. assign a unique identification number to an individual,
• where it is reasonably practicable and lawful in the circumstances and it does not negatively affect the functions of UOW.
• 2. UOW will transfer health information outside New South Wales or to a Commonwealth agency, in limited circumstances, including where the recipient of the health information is subject to principles that are substantially similar to NSW privacy principles, the individual has provided consent or the transfer is necessary for the performance of a contract between UOW and a third party.
• 3. UOW’s Privacy Management Plan provides further detail concerning anonymity, identifiers and the transfer of health information outside NSW.

11 Complaints and enquiries

1. All privacy enquiries should be directed to a UOW Privacy Officer via email at privacy-enquiry@uow.edu.au. Additional contact details can be found on UOW’s privacy homepage.

• 2. If an individual has any concerns about the way UOW is managing his/her information or believes that UOW may have breached his/her privacy, that individual may:
• a. lodge a complaint with a UOW Privacy Officer; or
• b. submit a formal request for an internal review by completing the UOW’s Privacy Complaint Internal Review Application Form; or
• c. contact the Office of the Privacy Commissioner NSW.
• 3. For more information about lodging a complaint and/or requesting an internal review, please see UOW’s Privacy Management Plan or visit UOW’s privacy homepage.

12 Roles and responsibilities

• 1. The Director, Legal Services Unit, as UOW’s Principal Privacy Officer, is responsible for UOW’s overall compliance with its privacy obligations.
• 2. UOW’s Privacy Officers are responsible for:
• a. providing privacy advice and education to staff;
• b. responding to enquiries or complaints from individuals on privacy matters;
• c. implementing and maintaining this Privacy Policy, the Privacy Management Plan and UOW’s privacy homepage.
• 3. The Human Resources Division is responsible for the central management of staff information;
• 4. The Academic Registrar’s Division is responsible for the central management of student information;
• 5. The Research Student Centre is responsible for the central management of higher degree research (HDR) student information;
• 6. All staff are responsible for complying with UOW’s privacy obligations and practices as specified in this Privacy Policy, the Privacy Management Plan and UOW’s Code of Conduct when managing information provided to, or collected by UOW. This includes attending training or completing online privacy training as required.

13 Version Control and Change History

Version Control	Date Effective	Author/Reviewer	Approved By	Amendment
1	11 October 2002		University Council	New Policy.
2	26 October 2004		Administrative Committee	Privacy Policy put into new Policy Template.
3	6 May 2009		Vice-Principal (Administration)	Migrated to UOW Policy Template as per Policy Directory Refresh
4	9 March 2010		Vice-Principal (Administration)	Future review date identified in accordance with Standard on UOW Policy
5	9 November 2010		Vice-Principal (Administration)	Minor amendment – name change of related legislation (Government Information Public Access Act 2009)
6	3 February 2012		Vice-Principal (Administration)	Minor amendment to update references to Public Interest Disclosure legislation.
7	7 December 2012	Director, Legal Services Unit	University Council	Major amendments following a comprehensive review of this Policy: each of the principles of NSW legislation explained, application and scope section and roles and responsibilities section clearly described. Reference made to Privacy Management Plan.