|
4.1 Classes of personal information
4.2 Compliance with the IPPs
4.3 Compliance with the Public Register provisions
4.4 Applications for access to personal information
| Type of record |
Personal information held in record |
| Student records — maintained in hardcopy files and on SAS database, includes past students |
Personal details (name, address, phone), date of birth, previous education, aboriginality, country of origin, subjects, marks/grades; may include special entry application details, special needs details, discipline reports, grievance reports, progress reports, special consideration applications, withdrawal details, tax file number, fees and debts |
| Staff files — maintained in hardcopy files and on Lattice database |
Personal details, date of birth, employment application, CV, previous employment details, referee reports, employment contract, medical details, salary and banking details, performance reviews, discipline reports, leave applications, medical certificates, EEO details, tax file number |
| Alumni records — maintained on File-Maker-Pro database |
Personal details |
| Medical records |
Personal details, confidential health details |
| Counselling records |
Personal details, confidential personal details, notes of interviews, referral |
| Subject folders |
List of students; assignments identified by student name and ID, assignment mark and comments |
| Grievance records |
Personal details, statements, summary of grievance and outcome |
| Pay records — maintained in hardcopy and on Perpay database |
Personal details, banking and deduction details, tax file number |
| Supervisor files |
Personal details, progress reports on research students |
| Housing Service files |
Personal details, next of kin, smoker/non-smoker status, application could contain confidential personal information (eg, health details, hardship, abuse) |
| inpUTS applications |
Personal details, confidential personal details (eg, hardship, abuse), supporting documentation (eg, medical reports) |
| Workers compensation files |
Personal details, previous medical history, medical reports, medical certificates, rehabilitation reports |
| Research applications |
Personal details, nature and topic of research |
| Research data |
Personal details (occasionally), confidential personal information |
| Razor's Edge database |
Personal details of executive contacts |
| Graduand lists |
Names, (mailing address in some instances), faculty, course |
4.2.1 Collection
| Issues of compliance |
Compliance |
Comments, relevant exemptions, action required for compliance |
| Principle 1 |
| Is personal information collected for a lawful purpose that is directly related to a function of the University? |
Yes |
|
| Could the University perform its functions without collecting such information? |
No |
Some unnecessary duplication of staff and student records held in faculties. These should be returned to Human Resources or Student Administration Units, or sent to Central Records Branch for disposal. |
| Is personal information collected by automated means (such as video cameras)? |
Yes
a) security cameras are used at specified locations on campus
b) video cameras are used to assess clinical practice (Faculty of Nursing, Midwifery & Health)
c) video cameras are used to assess moots (Faculty of Law) |
a) regulated by the University's Code of Practice on Closed Circuit Television Monitoring, which includes the provision of signs notifying people that security cameras may be in operation
b) tapes are returned to students after use; human patients are not filmed (dummies are used)
c) tapes are erased or returned to students after assessment. |
| Principle 2 |
| a) Is personal information collected directly from the person to whom it relates? or, if not,
b) has that person authorised collection of such information from another source? |
Yes |
Students apply for admission through Universities Admissions Centre (UAC). University receives information from UAC in compliance with Sections 17 & 18. |
| Principle 3 |
| Where personal information is collected from an individual, is that person informed of the following:
a) the purpose for collecting that information?
b) the intended recipients of that information?
c) whether supply of that information is compulsory or voluntary?
d) the person's right to gain access to and correct that information? |
Yes:
International Student applications
Applications (usually a CV) by students for work placement
EEO data collection form
Postgraduate Equity Scholarship applications
Research data
etc.
No:
Enrolment form
Clinical Practice form |
Appropriate information will be added to non-compliant forms. |
| Principle 4 |
| Where personal information is collected from an individual, does the University ensure that:
a) the information is accurate, relevant and not excessive?
b) collection of the information is not unreasonably intrusive? |
Yes |
|
4.2.2 Storage
| Issues of compliance |
Compliance |
Comments, relevant exemptions, action required for compliance |
| Principle 5 |
| Is personal information:
a) protected against unauthorised access and disclosure? |
Yes. Some units (eg, Student Services and D.A.B.) have already taken action to address the matter. |
|
| b) kept for no longer than is necessary? |
Yes. Most information is kept for the period specified by the University's Disposal Schedule. |
Some ad hoc databases are kept for longer (usually through oversight) than is either necessary or useful. |
| c) disposed of in accordance with State Records Authority guidelines? |
Yes. The University Disposal Schedule is based on the State Records Act. |
There is a need for consistent practices with respect to the storage and preservation of research data. |
| d) protected from unauthorised use or disclosure when made available to a third party for provision of a service to the University? |
Not always. |
Some contracts with third parties do not specify the use and manner of disposal of personal information supplied to them. |
4.2.3 Notification, Access and Correction
| Issues of compliance |
Compliance |
Comments, relevant exemptions, action required for compliance |
| Principle 6 |
| Are there procedures that allow individuals to inquire about personal information held by the University? |
Yes |
Information may be obtained from the University's website, through the Privacy Contact Officer in each unit, or through the Privacy Officer. |
| Principle 7 |
| Are there procedures that allow individuals to gain access to their personal information? |
Yes |
Access may be obtained through the Privacy Contact Officer in each unit or through the Privacy Officer (as appropriate. See 4.4) |
| Principle 8 |
| Are there procedures that allow individuals to amend their personal information so that it is accurate, relevant, up to date, complete and not misleading? |
Yes |
Individuals may add notes and comments to their personal file, but may not delete information (except in exceptional circumstances). |
4.2.4 Use
| Issues of compliance |
Compliance |
Comments, relevant exemptions, action required for compliance |
| Principle 9 |
| Before personal information is used, are reasonable steps taken to ensure that it is accurate, relevant, up to date, complete and not misleading |
Yes |
Information transferred from UAC may be corrected by students at enrolment. |
| Principle 10 |
| If personal information is used for a purpose other than those for which it was collected:
a) have the individuals concerned consented to the use of their information for that other purpose?
b) is that other purpose directly related to the purpose for which the information was collected? |
i) Yes
ii) Employment information from professional groups or prospective employers is occasionally sent to selected groups of students by the Careers Service Branch. |
i) Personal information (such as lists of students) is supplied to units and faculties for purposes directly related to assessment, timetabling etc.
ii) Dissemination of such information is part of a careers service provided to students. The University considers that such services are directly related to the purpose for which students' personal information is collected. |
4.2.5 Disclosure
| Issues of compliance |
Compliance |
Comments, relevant exemptions, action required for compliance |
| Principle 11 |
| If personal information is disclosed, is that disclosure:
a) directly related to the purpose for which the information was collected?
b) something of which the individuals concerned have been made aware or are reasonably likely to have been aware? |
Yes |
The Graduation & Ceremonial Branch supplies a commercial photographer with name & address labels for all graduands [as provided in Section 18(1)(a)&(b)]. |
| Principle 12 |
| Are there procedures to ensure that sensitive personal information (such health, sexual activities, racial or ethnic origin, religion, political opinion) is not disclosed? |
Yes: sensitive data is disclosed to other agencies in statistical form only. |
Sensitive information is collected by the Equity & Diversity Unit on a voluntary basis and is disclosed only with consent (as provided in Section 26). |
| If personal information is disclosed to a person or body outside NSW, is that information protected by a relevant privacy law within that jurisdiction? |
Not always: data may be disclosed to support applications for research or study overseas. |
Consent to disclose information is given by researchers and students on relevant application forms (as provided in Section 26). |
Note: in response to businesses or other agencies that might contact the University to inquire whether a prospective employee is a graduate of UTS, the University may supply the following information:
- confirmation that the person concerned is or is not a graduate
- the degree program completed
- the faculty in which the person graduated.
This information is made publicly available at graduation ceremonies and is therefore not personal information under the Act.
The University does not hold or maintain any public registers.
Note: the University maintains an electoral Roll of Convocation. The Roll is a list of Convocation members who are eligible to vote in the election of four members of Convocation to Council. Access to the Roll is restricted to those members who are registered on it and is granted only for purposes directly related to an election. The Roll is, therefore, a non-public register.
Applications should be made to the Human Resources Unit (for staff records) or to the Student Administration Unit (for student records). If the applicant wishes only to gain access to records held in a particular unit, then application should be made to the Privacy Contact Officer within that unit. If, having inspected his or her file, the applicant lawfully alters personal information on that file, the Privacy Contact Officer will send a copy of that alteration to the Human Resources Unit or Student Administration Unit (as appropriate) for attachment to the applicant's personal file.
Applications that might entail searches for extensive documentation located in various units should be referred to the University's Privacy Officer. These applications will be handled in a manner consistent with reasonable use of the University's resources and without impeding the University's core business. Applications of a frivolous nature, or that would involve a substantial and unreasonable diversion of University resources, will not be accepted.
Privacy Management Plan home | Next | Previous |
|
