Policy on Management and Protection of Personal Student Information

Policy intent

The University of Technology, Sydney (UTS) respects the privacy of each individual's personal and health information and is committed to protecting the information it holds and uses about all individuals. This policy provides a framework to ensure that personal student information and health information will be managed in such a way as to protect the privacy of students.

UTS is required to comply with the Privacy and Personal Information Protection Act 1998 (NSW), and the Health Records and Information Privacy Act 2002, which contain information protection principles (see footnote). The Principles establish standards for the collection, use, management and disclosure of personal and health information to which all public sector agencies in NSW, including universities, must adhere. They apply to any personal and health information that a person provides to UTS or which UTS creates or collects about a student. In this privacy policy, a reference to 'information' is a reference to both personal information and health information.

UTS holds some information about students which is a matter of public record (for example, details of an individual student's graduation) and which can be provided to a third party when requested. In addition, UTS has the right to confirm to a third party whether a document which purports to be either a UTS testamur or a UTS academic transcript is an authentic UTS document and whether its contents are consistent with UTS's official records.

Footnote: These Principles can be found within the Acts at Health Records and Information Privacy Act 2002 – Schedule 1 and Privacy and Personal Information Protection Act 1998 – Part 2. For information on these Principles as they apply at UTS, see Compliance requirements for health information and Compliance requirements for personal information.

Policy objectives

The objectives of this Policy are:

• to provide a clear statement about how UTS will collect, manage, use and disclose personal student information
• to provide a clear understanding of the rights and responsibilities of students, staff and others under this Policy and within the context of the relevant legislation.

Policy scope

This Policy applies to all staff and students of UTS and to all others engaged by UTS (whether as a consultant, contractor or otherwise) to provide services to UTS, which may require their having access to personal student information.

Policy statement

UTS treats personal information on individual students as confidential. Personal student information should only be accessed and utilised by staff for official University purposes and should only be revealed to other persons where there is proper permission or where the law requires it.

It should be noted that whilst UTS respects the privacy of personal student information and will use its best endeavours to protect it, nevertheless there is no guarantee that all personal student information (for example, UTS student email addresses) is completely protected by the measures UTS is able to implement.

Definitions

For the purposes of this Policy, the following words shall have the meanings given below.

Disclosure means the act of making known personal information relating to students of UTS.

Health information means personal information that is information or an opinion about:

• the physical or mental health or a disability of an individual
• an individual's express wishes about the future provision of health services to him or her
• a health service provided, or to be provided, to an individual
• other personal information collected in connection with the donation of human tissue
• genetic information that is or could be predictive of the health of an individual or their relatives or descendants
• any other personal information collected to provide, or in providing a health service.

Identifier means an identifying name or code (usually a number) assigned by an organisation to an individual to uniquely identify that individual for the purposes of the operations of the organisation. This does not include an identifier that consists only of the individual's name.

Non-private information means information about a student which is a matter of public record, i.e. details of a student's graduation.

Personal information means information or an opinion (including information or an opinion forming part of a database) that is recorded in any form about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. This includes paper documents and files, electronic records, photographs, genetic material and biometric information such as fingerprints.

Primary purpose means the purpose for which the information was collected, i.e. an official university purpose which is related to the functions of the University as defined by the University of Technology, Sydney, Act 1989 and for which the individual concerned could reasonably expect their information to be used. Collection of information for this purpose may be mandatory or optional.

Secondary purpose means a purpose which is directly related to the primary purpose although this relationship may not necessarily be apparent to the individual concerned, or within their reasonable expectations. Collection of the information for this purpose may be mandatory or optional.

Student means any person, whether or not they also have another role at UTS, such as that of staff member, who has previously been enrolled at, is currently enrolled at, or is applying to be enrolled at, UTS or its antecedent organisations. This includes those enrolled in faculty-based short courses and continuing professional education.

1. Collection of personal information

1.1 In accordance with the current legislation:

• UTS will not collect personal information about an individual unless that information is necessary for one or more of its functions
• UTS will collect personal information about an individual only by lawful and fair means and not in an unreasonably intrusive manner.

1.2 When UTS collects personal information directly from an individual, it will take reasonable steps to ensure that the individual is aware of:

• the fact that the information is being collected
• the purposes for which the information is being collected
• the intended recipients of the information
• UTS's contact details
• any law that requires the collection of the particular information, and
• any consequences (if any) arising from the failure to provide any requested information.

1.3 UTS will collect personal information directly from an individual to whom the information relates where it is reasonable and practicable to do so. Where UTS collects information about an individual from a third party (for example, if a student authorises a parent, spouse or partner to act for them on their behalf), UTS will take reasonable steps to ensure that the individual is aware of the details set out above.

1.4 While UTS generally collects personal information directly from the relevant individual, in some instances it may be collected from a third party, such as the Universities Admissions Centre (UAC) or other public bodies/organisations.

1.5 UTS is required by law to collect certain personal information so that it can provide this information to government bodies/organisations, such as the Department of Education, Science and Training (DEST), the Australian Taxation Office (ATO), Centrelink, and the Department of Immigration and Multicultural and Indigenous Affairs (DIMIA).

2. Creation of personal student information

Throughout an individual student's course of study at UTS, certain personal information will be created which relates to that particular student, including examination/assessment results and reports. Personal student information of this nature will be accorded the same levels of management and protection as personal student information provided to UTS by the student or a third party, (as set out in Section 1), except where it is regarded as non-private student information (i.e. a matter of public record).

3. Location of personal student information

UTS's principal repository of physical and electronic files of student information is the Student Administration Unit. By virtue of a provider/client relationship, the following units may also hold personal student information:

• faculties, schools, departments, centres and institutes
• individual academics responsible for the conduct of subjects and courses, assessments, and other academic and related purposes
• the Student Ombud
• the Equity and Diversity Unit
• the University Library which keeps records relating to a student's use of library facilities
• the Registrar's Division which keeps records relating to others including:
  • records of formal committee deliberations, graduations and student disciplinary matters
  • records relating to individual students including medical, counselling and other services provided to students
• the University Graduate School which keeps records relating to research degree candidature and scholarships
• the Human Resources Unit which may keep records relating to the employment at UTS of students
• the International Office which keeps records relating to overseas students
• the Research and Commercialisation Office which may keep records relating to research projects in which students have participated
• UTS Graduate Connections which may keep records relating to alumni of UTS.

4. Use and disclosure

In the use and disclosure of personal student information, UTS will not use or disclose personal information about an individual for a purpose other than that for which it was collected or created (the stated primary purpose) unless:

• for a secondary purpose that is related to the primary purpose, or
• it was reasonable for the individual to expect UTS to use or disclose the information for a secondary purpose, or
• the individual has consented to use of the information for a secondary purpose, or
• an authorised officer of UTS has determined that its use or disclosure is necessary to lessen or prevent:
  • a serious and imminent threat to an individual's life, health or safety, and
  • a serious threat to public health or public safety, or
• the use or disclosure is required or authorised by or under law.

5. Quality of data

UTS will take all reasonable steps to ensure that any personal student information it collects, creates, uses or discloses is accurate, complete and up to date.

6. Security

6.1 UTS will take all reasonable measures to ensure that personal student information is held securely and is protected from misuse, loss, and unauthorised access, modification or disclosure.

6.2 UTS will destroy or permanently de-identify personal student information when required by, and in accordance with, legislative requirements.

6.3 Personal information may be stored in hard copy documents, as electronic data, or in UTS's software or systems. UTS protects personal student information in the following ways:

• confidentiality requirements on the use of information by UTS staff and students
• policies and procedures on document storage, retention and security
• security measures for access to UTS's computer systems
• controlling access to those parts of UTS's premises where data is stored
• website protection measures.

6.4 UTS expects each student to respect the privacy of fellow students' personal information, whether the information is stored in hard copy documents, as electronic data, in UTS's software of systems, or in the records management systems of partner institutions outside NSW.

7. Access to personal information

7.1 UTS will, on request, inform an individual about the nature of personal information that it holds relating to that individual, the main purposes for which the information is used, and the individual's entitlement to gain access to that information.

7.2 Upon request, UTS will provide an individual with access to the information UTS holds relating to that individual unless there is an exception applying under law such as:

• access would pose a serious threat to the life or health of any individual
• access would have an unreasonable impact on the privacy of others
• access would be unlawful or the denial of access is required or authorised by law
• access would prejudice enforcement activities relating to criminal activities and other breaches of law
• the information is to be used for legal dispute resolution proceedings.

7.3 If a request for access to personal student information is refused, UTS will provide written reasons for the refusal, stating where possible which of the above exceptions has been relied upon.

7.4 Any request to provide access to personal student information will be dealt with in a reasonable time and UTS may recover from a student the reasonable cost of accessing and supplying this information.

8. Amendment of personal student information provided to UTS

8.1 Students are required under the Rules of the University to notify the Registrar of any change in contact details. This should be done in writing or online using My Student Admin.

8.2 From time to time students may wish to amend other personal information that they have provided to UTS if they believe that it is out of date, incorrect or inaccurate. Substantiating documents showing evidence of the change necessitating the amendment of personal student information may be required. For record-keeping purposes, documentation of the changes that are made may need to be kept.

8.3 If a request for amendment to personal student information is refused, UTS will provide written reasons for the refusal.

8.4 If UTS is not prepared to make amendments to personal information in accordance with a request from an individual, in appropriate circumstances UTS may make arrangements to attach to that information a statement provided by that individual setting out their reasons for the request for amendment and the reasons for the request being denied.

8.5 Any request to alter information will be dealt with in a reasonable time and UTS may recover from a student the reasonable cost of accessing, considering the request, and if appropriate, altering such information.

9. Amendments to personal student information created by UTS

9.1 A student who considers that information created by UTS is not recorded correctly on their student record should forward a request for amendment, together with relevant supporting documentary evidence, to the Director, Student Administration Unit. Each case will be considered on its merit and the University will determine whether the information should or should not be amended.

9.2 A student who disagrees with the substance of an academic or administrative action, process or outcome, as distinct from the issue of whether the record of the University correctly documents it, retains the right to pursue these matters as part of any relevant academic appeal or grievance process as provided for by Rules and policies of the University. When in these situations, a student should in the first instance direct inquiries to the relevant faculty office.

10. Commonwealth and State government identifiers

10.1 UTS will not use Commonwealth or State government identifiers as its own identifier nor will it disclose such identifiers to other parties, except where required by law.

10.2 UTS provides its own identifier where necessary in the form of a student identification number.

11. Transborder data flows

11.1 In the course of its business, UTS may provide personal student information to organisations outside New South Wales. UTS will only provide this information under the following conditions:

• where it is required by law to do so, or
• where an individual consents to the transfer of information, and
• where the relevant staff member at UTS has reasonably concluded that the recipient is subject to similar privacy laws and policies to its own.

11.2 UTS will take all reasonable steps to ensure that any information which is transferred to a partner institution outside New South Wales is held, used or disclosed on a basis that is substantially similar to that required by this Policy.

11.3 UTS will also take all reasonable steps to ensure that any information which is created at a partner institution outside New South Wales (including offshore partner institutions) is held, used or disclosed on a basis that is substantially similar to that required by this Policy.

12. Grievances

If an individual believes that there has been a breach of the principles expressed in this Policy, they should contact the Privacy Contact Officer. The Privacy Contact Officer will advise them of the most appropriate means of having their complaint considered, and will assist them with contacting the relevant person.

13. Breach of this Policy

Breaches by staff

13.1 If a staff member breaches this Policy, depending upon the circumstances, appropriate disciplinary action may be taken.

Breaches by a student

13.2 If a student breaches this Policy, and the breach is considered to constitute an offence under the Rules of the University, appropriate disciplinary action may be taken.

Related information

University of Technology, Sydney, Act 1989

Privacy and Personal Information Protection Act 1998 (NSW)

Privacy Act 1988 (Cwlth)

Health Records and Information Privacy Act 2002 (NSW)

Freedom of Information Act 1989 (NSW)

State Records Act 1998

Previous policies

Policy on Privacy of Student Records (Approved by Council, December 1996 – COU/96/152)

Related policies and guidelines

Privacy Management Plan (Approved by Council, 5 June 2000)

Records Management Policy (Approved by Council, 10 October 2002)

Requirements for Staff on the Management and Protection of Personal Student Information

Requirements for Students on the Management and Protection of Personal Student Information

Responsibilities and contacts

Implementation of the Policy

Registrar

Monitoring and evaluation of the Policy

Registrar

Development/revision of the Policy

Registrar

Contacts

Administrative contact: Privacy Contact Officer

Administrative update on this Policy: October 2007