2.1 Personal information
2.2 The 12 IPPs
2.3 Privacy Codes of Practice
2.4 Other legal requirements affecting privacy
2.5 Criminal record checks
2.1 Personal information
Under the Act, personal information is any information (including an opinion) that relates to an identifiable person. This definition covers not only traditional ideas of data storage (such as paper files) but also electronic records, video recordings, biometric information and genetic material.
It is not necessary that the person concerned be specifically identified by the information. It is enough that identity could "reasonably be ascertained from the information" [Section 4(1)].
Examples of personal information collected and held by the University include student records and staff records. Personal information does not include information that is contained in a publicly available publication (such as the University Calendar or the Annual Report).
2.2 The 12 IPPs
The 12 IPPs are detailed in sections 8–19 of the Act. The following is a plain English summary of the principles as they apply to the University.
Personal information may be collected only:
- for lawful purposes directly related to a function or activity of the University and where the collection is necessary for that purpose
- from the individual to whom the information relates, unless otherwise authorised
- in circumstances where the individual from whom it is collected is made aware of the following:
  - that personal information is being collected
  - the purpose for collecting it
  - the intended recipients of the information
  - whether supplying the information is mandatory or voluntary
  - the right to gain access to and correct the information
  - the name and address of the University
- if reasonable steps are taken to ensure that the information is:
  - relevant
  - accurate
  - not excessive
  - up to date

  and that collection of it does not unreasonably intrude on the individual's personal affairs.
Where the University stores personal information it must:
- ensure that the information is:
  - kept no longer than necessary
  - disposed of appropriately
  - protected by reasonable security safeguards
  - protected from unauthorised use or disclosure when made available to a third party for provision of a service to the University
- provide individuals with sufficient information about the University's holdings of personal information to enable individuals to exercise their rights regarding that information
- provide individuals with access to personal information about themselves without unreasonable delay and expense
- comply with individual requests to amend personal information to ensure that it is relevant, up to date, complete and not misleading.
In proposing to use or disclose personal information, the University must:
- take reasonable steps to ensure that the information is accurate
- use it only for:
  - the purpose for which it was collected
  - a directly related purpose
  - a purpose to which the individual has given consent, or
  - prevention of a threat to life or health
- disclose it only for a purpose:
  - directly related to the purpose of collection and where the individual is unlikely to object
  - where the individual has been informed, or is likely to be aware, that the information is usually disclosed to the person or body in question, or
  - where disclosure is necessary to prevent or lessen a threat to life or health
- not disclose personal information about a person's ethnic or racial origin, political opinions, religious or philosophical beliefs or trade union membership, and
- not disclose information to individuals or organisations outside New South Wales except under approved circumstances.
Exemptions authorised under the Act
Under Section 25, the University is not required to comply with IPPs 2, 3, 6, 7, 8, 10, 11, or 12 if it is lawfully authorised or required not to comply with the IPP concerned, or if non-compliance is permitted under an Act or other law (such as the State Records Act (1998)).
Under Section 26, the University is not required to comply with:
- IPPs 2 or 3 if compliance would prejudice the interests of the individual to whom the information relates
- IPPs 3, 11 or 12 if the individual to whom the information relates has consented to the non-compliance.
2.3 Privacy Codes of Practice
The Act allows that agencies may prepare Privacy Codes of Practice to modify the application of, or to depart from, one or more IPPs or to specify how IPPs are to be applied to particular activities or classes of information. A Code may be needed where the demands of privacy must be balanced against other public interests (such as the reasonable expectation of timely and effective administration).
Codes of Practice in use at UTS
NSW Universities Privacy Code of Practice (see appendix 9.3):
This was drafted by University Solicitors from all universities in NSW and is currently awaiting approval by the Privacy Commissioner. UTS will use the exemptions provided by this Code only where compliance with an IPP would unreasonably interfere with, or divert resources from, the core business of the University.
Investigations Code of Practice (see appendix 9.2):
This was drafted by the Privacy Commissioner and applies to the University's lawful investigative function. This function includes matters involving academic and non-academic misconduct as defined in Rules relating to discipline and appeal for students, and breaches of discipline by staff as defined in Rules relating to staff discipline and appeal committees.
Access to records of public sector agencies for research purposes:
This was drafted by the Privacy Commissioner to facilitate access to personal information for research purposes. It is currently being circulated for comment. The Code permits the University to:
- disclose information to researchers where such disclosure would otherwise breach IPPs 11 and 12
- modify the application of other IPPs in order to facilitate access to and use of personal information by researchers.
2.4 Other legal requirements affecting privacy
The Student Services Unit provides medical and counselling services to students and staff. The following NSW legislation is relevant to the provision of these services:
The University also has a statutory obligation to provide information such as Tax File Numbers and HECS data to Federal Government agencies.
2.5 Criminal record checks
Criminal record checks are required of students who will be involved in clinical practice (Faculty of Nursing, Midwifery & Health) or teaching children (Faculty of Education). These checks are not conducted by the faculties concerned. Rather, each student makes direct application through the relevant state department (the Department of Health or the Department of Education). Students are notified of the result directly by the Department.