Privacy Management Plan
| Document Number | 000258 |
|---|---|
| Date Approved | 21 October 2008 |
| Date Last Amended | 15 November 2012 |
1. Introduction
1.1. This Privacy Management Plan sets out how the University of Newcastle complies with the principles and requirements of the Privacy and Personal Information Protection Act 1998 (“the PPIP Act”), the Health Records and Information Privacy Act 2002 (“the HRIP Act”) and any relevant Codes of Practice made by the Attorney-General or Directions issued by the NSW Privacy Commissioner.
1.2. The Privacy and Personal Information Protection Act does not affect the operation of, nor the University's obligations in relation to access to documents under, the Government Information (Public Access) Act 2009 (GIPA).
1.3. The twelve Information Protection Principles (“the IPPs”) in the PPIP Act are legal obligations describing the manner in which NSW “government agencies” (including public universities) must handle personal information. They cover the collection, storage, use and disclosure of personal information as well as access and correction rights.
1.4. The fifteen Health Privacy Principles (“the HPPs”) in the HRIP Act are legal obligations describing the manner in which NSW public sector agencies and private sector organisations such as health services and medical practices must handle health information. They describe what must be done regarding the collection, storage, use and disclosure of health information and also cover access and correction rights.
2. Definitions
2.1 “Personal Information”
The PPIP Act defines personal information as:
“information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about a person whose identity is apparent or can reasonably be ascertained from the information or opinion.”
This means that under the Act personal information is any information which relates to an identifiable person. The definition covers not only traditional means of data storage such as paper files but also genetic material, electronic records, video recordings, photographs and biometric information such as fingerprints.
Certain types of information are excluded from the definition. Personal information does not include, for example:
- information about a person who has been dead for more than 30 years;
- information about a person which is contained in a publicly available publication;
- information or an opinion about a person’s suitability for employment or appointment as a public sector official; and
- a number of exceptions relating to law enforcement investigations.
In addition, the definition does not generally cover information about a number of people which has been aggregated or presented in a statistical form. It would also not usually cover information about corporations or organisations, or information about persons when they are acting in a public or business capacity.
2.2 “Health Information”
The HRIP Act defines “Health Information” as:
“personal information that is information or an opinion about the physical or mental health or disability of a person; express wishes about the future provision of health services; a health service provided or to be provided; any other personal information collected to provide or in providing a health service.”
2.3 The “University”
The “University” in the context of this Plan means the University and its controlled entities.
2.4 “The University Privacy Officer” means the Director, Complaints and Information Management.
3. The Information Protection Principles
The Information Protection Principles in Part 2 of the PPIP Act cover matters relating to the collection, storage, use and disclosure of personal information and reflect international standards for the protection of personal information.
The Principles establish standards for collecting and dealing with personal information so as to minimise the risk of misuse of that information. They also allow individuals to exercise a reasonable degree of control over what happens to their own personal information.
Principle 1 Collection of personal information for lawful purposes.
The University will not collect personal information unless:
- the information is collected for a lawful purpose which is directly related to a function or activity of the University; and
- the collection of the information is reasonably necessary for that purpose.
The University will not collect personal information by any unlawful means.
Principle 2 Collection of personal information directly from the person.
The University will, when collecting personal information:
- collect it directly from the person to whom it relates unless the person has authorised the collection of the information from someone else; or
- where the information relates to a person under the age of 16 years, ensure that the information has been provided by a parent or guardian of the person.
The PPIP Act recognises that in some cases the collection of information directly from persons will not always be practical and includes a number of exceptions. These include the collection of information:
- in connection with proceedings before a court or tribunal;
- in the investigation of a complaint which could be referred to an investigative agency;
- where the University is lawfully authorised or required not to comply or non-compliance is otherwise permitted or reasonably contemplated under any Act or law;
- where compliance would prejudice the interests of the person to whom the information relates.
Principle 3 Requirements when collecting personal information.
The University will take reasonable steps before collecting the information or as soon as practicable after collecting it, to inform the person to whom the information relates:
- of the fact that the information is being collected;
- of the purposes for which it is being collected;
- of the intended recipients of the information;
- whether supplying the information is voluntary or required by law and the consequences for the person if it is not required;
- the existence of any right of access to and correction of the information;
- who is to hold the information.
In accordance with this requirement the University will, as far as possible, include the necessary information on any application forms or notices (paper or electronic) and in the case of electronic communications will acknowledge any personal information received.
Principle 4 Other requirements relating to collection of personal information.
The University will, when it collects personal information from a person, take reasonable steps to ensure that:
- the information collected is relevant to the purpose for which it is collected, is not excessive and is accurate, up-to-date and complete; and
- the collection of the information does not intrude to an unreasonable extent on the personal affairs of the person to whom the information relates.
In determining what are ‘reasonable steps’ the University will take into account:
- the purpose for which the information was collected;
- the sensitivity of the information;
- how many people will have access to the information;
- the importance of accuracy to the proposed use of the information;
- the potential effects for the person concerned if the information is inaccurate, out-of-date or irrelevant;
- the opportunities to subsequently correct the data; and
- the ease with which the University can check the data.
While the University will determine what is ‘reasonable’ or ‘unreasonable’ on a case-by-case basis, the use of techniques which minimise the invasion of privacy is its preferred option.
Principle 5 Retention and security of personal information.
The University will ensure that:
- the information is kept for no longer than is necessary for the purposes for which it may lawfully be used;
- the information is disposed of securely and in accordance with any other requirements for the retention and disposal of personal information;
- the information is protected, using reasonable safeguards, against loss, unauthorised access, use, modification or disclosure;
- if it is necessary for the information to be given to an outside party, everything reasonably within its power is done to prevent unauthorised disclosure of the information.
This Principle does not authorise the University to destroy or dispose of records once they are no longer useful for their original purpose as it is also required to comply with the provisions of the State Records Act 1998.
Where personal information is disclosed to organisations or persons outside the University, the University will take reasonable steps to ensure that the third parties do not use the information inappropriately. Depending on the nature of the service being provided by the outside agency the University may:
- include provisions in its contracts to minimise the opportunities for misuse of the information;
- audit or monitor the performance of the provider of the service;
- control the disposal of the information or require that the information be returned to the University once the service is completed;
- minimise the amount of personal information given out;
- include an indemnity clause in its contracts to ensure that the University is able to pass on the costs of any compensation paid out owing to the actions of the provider.
Principle 6 Information about personal information held by agencies.
The University will take reasonable steps to enable any person to find out:
- whether the University holds personal information relating to her or him;
- the nature of the information;
- the main purposes for which the information is used;
- how the person may gain access to the information.
In determining what are ‘reasonable steps’ the University will take a number of factors into consideration including:
- the potential for damage the information may have; and
- the credibility of the information; and
- the method of storing the information; and
- any other future consequences the information may have.
As a general rule the University will endeavour to be as open as possible in its dealings with people on whom it holds personal information. There are however some constraints on the University in both providing information as to whether it holds personal information and on providing access to that information.
In the first instance the response of the University will depend on the way the information is stored. Where there is an index or readily accessible database the University will use informal procedures to confirm or deny the existence of personal information. In cases where indexing is poor or non-existent or where a more thorough investigation is required the University may determine that the enquiry is more appropriately dealt with under the Government Information (Public Access) Act 2009 (GIPA Act).
Principle 7 Access to personal information held by agencies
The University will, where it holds personal information on a person, provide that person with access to the information without excessive delay or expense.
As a result of the interaction between the PPIP Act and the Government Information (Public Access) Act 2009, the provisions for 'refusal on public interest grounds' may restrict the ability of the University to provide certain types of personal information. The University will refuse access only in cases where on balance the interest supporting the exception outweighs the public interest in access to the information.
Principle 8 Alteration of personal information
The University will, at the request of the person to whom the information relates, make appropriate amendments (by corrections, deletions or additions) to ensure that the personal information is accurate, relevant, up-to-date, complete and not misleading.
In circumstances where an application is made for a significant or substantial amendment of a record of a permanent or semi-permanent nature the University will require the application to be made in accordance with the procedures contained in the Government Information (Public Access) Act 2009 (GIPA Act). However, where the application relates to a minor or short-lived record and an amendment is timely and its accuracy can be verified, the University may use the provisions of the PPIP Act.
If the University decides that it is not prepared to make the amendments requested it will, if the applicant requests, take reasonable steps to attach to the information any statement provided by the applicant. Where personal information is so amended the University will notify, as far as is practicable, the recipients of that information that it has been amended.
In determining the ‘reasonableness’ of notifying recipients of amendments to personal information the University will take into account:
- who the recipients of the information are;
- the purpose for which the information was collected;
- the sensitivity of the information;
- the number of people who will have access to the information;
- the importance of the accuracy of the information;
- the potential effects on the person concerned if the information is inaccurate, out-of-date or irrelevant;
- any future opportunities to correct inaccuracies before the information is used;
- the ease of notifying recipients; and
- the costs of notifying recipients.
Principle 9 Agency must check the accuracy of personal information before use.
The University will try to ensure that all personal information used by it is relevant, accurate, up-to-date, complete and not misleading.
In deciding what is a reasonable level of checking to enable it to comply with this principle the University will take the following factors into account:
- the purpose for which the information was collected;
- the sensitivity of the information;
- the number of people who will have access to the information;
- the importance of accuracy or relevance of the information;
- the potential effects for the person concerned if the information is inaccurate, out-of-date or irrelevant;
- any opportunities to correct inaccuracies before the information is used;
- the difficulty in checking the information; and
- the cost involved in checking the information.
Where the University relies on information collected by other agencies it will use its best endeavours to ensure that adequate standards for data exchange are introduced to ensure that the information has the same meaning for both parties.
Principle 10 Limits on the use of personal information
The University will not use the personal information it holds for any purpose other than that for which it was collected unless:
- the person concerned consents to its use for another purpose; or
- the other purpose is directly related to the purpose for which the information was collected; or
- the use of the information for the other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the person to whom the information relates or to another person.
If the University intends to use personal information for a purpose not directly related to the purpose for which it was collected, it will, as far as is practicable, seek to obtain the consent in writing of the subject of the personal information.
Principle 11 Limits on disclosure of personal information
The University will not disclose personal information to a person (other than the person to whom the information relates) or other body whether or not that person or body is a public sector agency unless:
- the disclosure is directly related to the purpose for which the information was collected and the University has no reason to believe that the person concerned would object to the disclosure; or
- the person concerned is reasonably likely to have been aware, or has been made aware, that the information is usually disclosed to that other person or body; or
- the University believes on reasonable grounds that disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the person concerned or another person.
Where the University intends to disclose personal information to another person or agency in accordance with this principle, it will notify the person concerned at the time of collection that the information will be disclosed and to whom.
Exemptions which allow disclosure
The University may disclose personal information where:
- the disclosure is made in connection with proceedings for an offence or for law enforcement purposes;
- the disclosure is to a law enforcement agency to locate a person who has been reported as missing to the police;
- the disclosure is authorised by a subpoena, search warrant or statutory instrument;
- the disclosure is reasonably necessary for the protection of the public revenue;
- the disclosure is reasonably necessary in order to investigate an offence where there are reasonable grounds to believe an offence has been committed;
- where the person expressly consents.
The University may also disclose personal information:
- to an investigative agency where compliance might detrimentally affect or prevent the proper exercise of any investigative function;
- to any public sector agency which is investigating or otherwise handling a complaint which could be referred or made to an investigative agency;
- to the Department of Local Government for the purpose of investigating a complaint or other matter;
- where the University is lawfully authorised or required not to comply or non-compliance is otherwise permitted or reasonably contemplated under any Act or law.
The first five of these exemptions do not override the University’s entitlement to refuse to disclose information in the absence of a subpoena, warrant or other lawful requirement, particularly as the University may be bound by legal or professional obligations of confidentiality.
Principle 12 Special restrictions on disclosure of personal information
The University will not disclose personal information relating to a person’s ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of the person concerned or another person.
The University is exempted from compliance with this Principle in the following circumstances:
- where the disclosure is reasonably necessary in order to investigate an offence where there are reasonable grounds to believe an offence has been committed or may be committed;
- where the University is lawfully authorised or required not to comply or non-compliance is otherwise permitted or reasonably contemplated under any Act or law;
- where the person expressly consents.
A Privacy Code of Practice made under the Act is a statement of how the University proposes to depart from the Information Protection Principles. The University may from time to time prepare its own Codes of Practice or adopt those prepared by the Privacy Commissioner.
4. The Health Privacy Principles
Principle 1 Purposes of collection of health information
The University cannot collect health information unless:
- the information is collected for a lawful purpose directly related to a function or activity of the University; and
- the collection of the information is reasonably necessary for that purpose.
The University will not collect information by any unlawful means.
Principle 2 Information must be relevant, not excessive, accurate and not intrusive
The University will endeavour to ensure that:
- any health information it collects from a person is up-to-date, complete, accurate and not excessive;
- the collection of the information does not intrude to an unreasonable extent on the personal affairs of the person.
Principle 3 Collection to be from the person concerned
- The University will collect information about a person only from that person unless it is unreasonable or impracticable to do so;
- The Health Information will be collected in accordance with any guidelines issued by the Privacy Commissioner.
Principle 4 Person to be made aware of certain matters
The University, when it collects health information from a person, will ensure that, at or before the time it collects the information, the person is notified of:
- the purposes for which the information is collected;
- the persons (or types of person) to whom the University usually discloses the information;
- his or her right of access to the information;
- any law which requires the information to be collected;
- the main consequences (if any) for the person if the information is not provided.
Exemptions to notifying persons
In some circumstances notifying the person is not necessary or appropriate. The University is not required to notify the person if:
- the person has expressly consented to not being notified;
- the University is lawfully authorised or required not to notify the person;
- not notifying the person is permitted or implied by legislation;
- notifying the person would prejudice his or her interests;
- the information has been collected for law enforcement purposes.
Collecting information from other persons
The University is required to notify a person when it has collected health information about him or her from someone else. There are two exceptions to this requirement:
- where notifying the person would pose a serious threat to the life or health of any person; or
- the University complies with the Privacy Commissioner’s statutory guidelines.
Principle 5 Retention and Security
The University will ensure that health information is:
- kept for no longer than is necessary;
- disposed of securely;
- protected against loss and unauthorised access.
Where it is necessary for the information to be given to a person who is providing a service to the University, the University will do everything reasonably within its power to ensure that there is no unauthorised use or disclosure of the information.
Principle 6 Information about Health Information held by the University
The University will take reasonable steps to ensure that any person can ascertain whether the University holds any health information relating to the person and if it does:
- the nature of that information; and
- the main purposes for which the information is used; and
- the person’s entitlement to request access to the information.
The University is not required to comply with this Principle where non-compliance is permitted under any law including the State Records Act 1998.
Principle 7 Access to Health Information
The University will provide, when requested by the person concerned, access to the information it holds relating to that person without excessive delay or expense.
The University is not required to comply with this Principle where non-compliance is permitted under any law including the State Records Act 1998.
Principle 8 Amendment of Health Information
The University may amend a person’s health information (by way of corrections, deletions or additions) when requested by that person.
The University may refuse to amend a person’s health information if it is satisfied that:
- the health information is not incomplete, incorrect, irrelevant, out of date or misleading; or
- the request contains information that is incorrect or misleading.
If it is not prepared to make the amendment, the University will, if requested, take reasonable steps to attach to the record the person’s statement requesting the amendment.
The University is not required to comply with this Principle where non-compliance is permitted under any law including the State Records Act 1998.
Principle 9 Accuracy
When collecting health information the University will rely on the person providing it to give information which is relevant, accurate, up-to-date and not misleading.
Before using the information the University will take reasonable steps to ensure the quality and integrity of the information. The factors it may consider include:
- how recently the information was collected;
- the reliability of the source providing the information;
- the likelihood that the information is accurate, up-to-date and not misleading;
- the proposed use of the information.
Principles 10 and 11 Limits on the Use of Health Information
The University will not use health information for a purpose (“the secondary purpose”) other than the purpose for which it was collected (“the primary purpose”) unless:
- the person has consented to the use of the information; or
- the secondary purpose is directly related to the primary purpose and the person would reasonably expect the University to use the information for the secondary purpose; or
- the use of the information is necessary for the funding, management, planning or evaluation of health services or training of employees or for research or for the compilation of statistics but only where:
  - the use or disclosure is reasonably necessary for those purposes; and
  - the University takes steps to de-identify the information or the purpose cannot be served by using or disclosing the de-identified information and it is impracticable to seek the person’s consent; and
  - if the information could be expected to identify people, it is not going to be published in a generally available publication; and
  - the use or disclosure of the information is in accordance with the Privacy Commissioner’s Statutory Guidelines.
- the information is to be used by a law enforcement agency for locating a missing person; or
- the University has reasonable grounds to suspect that unlawful activity has been or may be engaged in or the person has or may have engaged in conduct that may be unsatisfactory professional conduct or an employee of the University has engaged in conduct that may be grounds for disciplinary action.
The University is not required to comply with this Principle where non-compliance is permitted under any law including the State Records Act 1998.
Principle 12 Identifiers
An identifier is defined in the HRIP Act as something (usually a number) which an organisation has created and assigned to a person in order that the person may be uniquely identified.
The University will only assign an identifier to a person where it is reasonably necessary for it to carry out its functions efficiently.
Principle 13 Anonymity
Where it is lawful and practicable, persons will be given an opportunity to not identify themselves when entering into transactions with or receiving health services from the University.
Principle 14 Data flows
The University will only transfer health information out of New South Wales where:
- the recipient is subject to substantially similar privacy standards or laws;
- the person has consented to the transfer;
- the transfer is necessary for the performance of a contract between the University and the person concerned;
- the transfer is for the benefit of the person and it is impracticable to obtain their consent, and if it were practicable to obtain such consent, the person would be likely to give it;
- the transfer is reasonably believed to be necessary to lessen or prevent a serious or imminent threat to the life, health or safety of any person, or a serious threat to public health or public safety;
- it has taken reasonable steps to ensure that the information to be transferred will not be held, used or disclosed by the recipient inconsistently with the HPPs;
- the transfer is permitted or required by an Act (including an Act of the Commonwealth) or any other law.
Principle 15 Linkage of Health Records
The University will not include health information in a state or national electronic health records scheme unless:
- the person has expressly consented to the information being included; or
- the University is authorised or not required to comply with this Principle.
The Health Privacy Principles establish general standards for handling health information and exemptions to those standards. The Statutory Guidelines provide more detailed information about the exemptions. They are legally binding documents. Use the link to Privacy NSW in Appendix 1 for copies of the Guidelines.
Statutory Guideline on the Management of Health Services
Where the University seeks to use or disclose health information without the person’s consent and relies on the “management of health services” exemption in HPPs 10 and/or 11, it must comply with this Guideline.
The Guideline sets out the type of funding, management, planning and evaluation of health services which need to be considered under the exemption and requires proposals for these activities to be reviewed by the University’s Human Research Ethics Committee.
Proposals will only be approved in circumstances where the Committee determines that the public interest in the management activity outweighs the public interest in maintaining the level of privacy established by the HPPs.
Statutory Guideline on Training
Where the University seeks to use or disclose health information without the person’s consent and relies on the “training” exemption in HPPs 10 and/or 11, it must comply with this Guideline.
Under this Guideline the University is required to prepare a written statement of reasons for the training activity. The statement must be retained for five years and can be accessed by the NSW Privacy Commissioner during that time.
Every person working with the University who will be trained or able to access the health information during the training activity must sign an agreement stating that they are aware of the HPPs and agree to comply with them.
Statutory Guideline on Research
Where the University seeks to use or disclose health information without the person’s consent and relies on the “research” exemption in HPPs 10 and/or 11, it must comply with this Guideline.
This Guideline requires research proposals to be reviewed by the University’s Human Research Ethics Committee. Proposals will only be approved where the Committee determines that the public interest in the research substantially outweighs the public interest in maintaining the level of privacy established by the HPPs.
Statutory Guideline on the Collection of Information from a Third Party
This Guideline sets out specific circumstances in which the University can be exempt from notifying a person of certain information at or before the time it collects information about the person from a third party.
The circumstances include those where the collection from the third party is necessary, directly relevant, where the person to whom the information relates is unlikely to suffer harm or to be prejudiced by its collection and where the information collected will not be used to make decisions about the person.
5. Public Registers
The University is required by law to maintain a Public Register of its commercial activities. The University can only disclose personal information contained in this Register if it is satisfied that the information is to be used for a purpose relating to:
- the purpose for which the Register is kept; or
- the law under which the Register is kept.
6. Procedure for Internal Review
6.1. The right to an internal review
Where a person believes that the University has breached his or her privacy or might do so in the future, in accordance with s53 of the PPIP Act and s21 of the HRIP Act the University will conduct an internal review of that alleged breach or alleged disclosure of personal information.
6.2. Internal review procedure
An application for an internal review should be addressed to the University Privacy Officer who will notify the Privacy Commissioner that an application has been received. The University Privacy Officer will constitute the Review Panel together with such other persons as from time to time he or she may determine.
Once a review has been completed the University will notify the applicant in writing of:
- the findings of the review;
- the reasons for the finding;
- the action proposed to be taken;
- the reasons for the proposed action;
- the applicant’s right to have the findings and the reasons for the findings reviewed by the Administrative Decisions Tribunal.
6.3. Review by the Administrative Decisions Tribunal
Persons may apply to the Administrative Decisions Tribunal for a review of the decision made by the University following the internal review. It is also open to persons to complain to the Tribunal about the action the University has taken in respect of their request, including the length of time taken to conduct the review or the failure of the University to notify them of their right to seek a review.
After reviewing the matter the Tribunal may decide to take no further action or may make orders requiring the University to do one or more of the following:
- to refrain from conduct or action which breaches an IPP or Code;
- to perform an IPP or Code;
- to correct information disclosed by the University;
- to take steps to remedy loss or damage;
- to refrain from disclosing information in a public register;
- to pay damages of up to $40,000 for loss or damage suffered where:
  - the conduct complained of occurs 12 months after the starting date of the internal review provisions; and
  - the applicant has suffered financial loss or psychological or physical harm as a result of the conduct.
7. Review by the Privacy Commissioner
In certain circumstances a person may choose to make a complaint to Privacy NSW instead of directly to the University. A decision to accept or decline the complaint is at the discretion of the Privacy Commissioner. Generally, the Privacy Commissioner will consider a complaint where the complainant reasonably believes that:
- a request for an Internal Review would be declined by the University on the basis that it is out of time;
- ill-health, communication difficulties or other reasons make it difficult for the complainant to articulate her or his request for an Internal Review;
- the complainant would suffer repercussions as a result of making an Internal Review request;
- the University cannot determine the matter in an impartial manner and there is a further impediment to taking the matter to the ADT.
8. Implementation
8.1. Privacy Management
The Deputy University Complaints Manager will implement training and information sessions for all University staff.
As soon as is practicable the University will undertake a risk-based audit of personal and health information handling practices, with a primary focus being those areas which hold significant personal or health information or are likely to constitute a major compliance risk.
Following completion of the audit, an Operational Plan will be prepared highlighting, in respect of each IPP and HPP, the objectives, strategy, responsible unit and timeframe for each area identified in the survey.
The Executive Committee will review the Privacy Management Plan annually and may conduct further audits if this is considered necessary. More immediate issues of non-compliance will be referred to the Deputy Vice-Chancellor for action.
8.2. Code of Conduct
The University will take steps to ensure that its Code of Conduct refers specifically to obligations on all staff to handle personal and health information in accordance with the relevant legislation.
8.3. Codes of Practice
The Codes of Practice the University has in place are:
- Code of Practice for Responsible Conduct in Research and related policies and procedures.
The Codes of Practice which the University intends to prepare are:
- Code of Practice for Inter-Agency Transfers.
8.4. Third parties
The University will use its best endeavours to ensure that any contractual terms negotiated with a contractor, agent or consultant engaged to undertake work for the University and who is likely to handle personal or health information, include a requirement to use, disclose and secure the information in a manner consistent with the University’s obligations under privacy legislation.
8.5. Workplace Surveillance
The University will establish procedures to ensure compliance with the Workplace Surveillance Act (NSW).
8.6. Publication
The policies and practices of the University concerning the protection of personal and health information will be included in:
- Induction seminars and information packs given to new employees;
- Privacy Website;
- Privacy Brochure;
- Online training program; and
- Special purpose seminars for Heads of Schools and Pro Vice-Chancellors of Faculties.
APPENDIX 1
Privacy Complaint: Application for an Internal Review
APPENDIX 2
Link to the Office of the NSW Privacy Commissioner
http://www.ipc.nsw.gov.au/privacy/ipc_index.html
| Approval Authority | Vice-Chancellor |
|---|---|
| Date Approved | 21 October 2008 |
| Date Last Amended | 15 November 2012 |
| Date for Review | 21 October 2011 |
| Policy Sponsor | Vice-Chancellor |
| Policy Owner | Deputy Vice-Chancellor (Academic) |
| Policy Contact | Deputy University Complaints Manager |
| Amendment History | Minor amendment to Definitions and Clause 6.2 replacing DVC(A) with Director, Complaints and Information as the University's Privacy Officer, Deputy University Complaints Manager, 23 April 2013. Minor amendment to web link for the Office of the NSW Privacy Commissioner in Appendix 2, Governance and Policy, 15 January 2012. Amended Clause 6.2 replacing DVC(R) with DVC(A), effective from 1 January 2013, as approved by VC, 15 November 2012. Amended Clause 6.2 to change DVC(A&GR) to DVC(R) pending arrival of new DVC(A), approved VC 15 November 2012. Also updated policy owner from DVC(A&GR) to DVC(A). Minor amendment to update GIPA Act to GIPA Act 2009 and update Deputy Vice-Chancellor (Academic and Global Relations) title, 29 May 2012. Updated FOI reference in Principle 6 and 8 to refer to GIPA and wording altered in Principle 7, 21 February 2012. Updated FOI to GIPA provisions, 28 September 2010. Amended by VC to insert new clause 1.2 re FOI, 15 May 2009. Approved by Vice-Chancellor and President, 21 October 2008. |

