What information is regarded as personal information?
The Privacy and Personal Information Protection Act 1998 (NSW) only applies to information that falls within the definition of personal information set out in the Act.
The Act defines personal information as:
information or an opinion … about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. (Section 4 of the Act)
The definition covers methods of data storage such as paper files, electronic records and databases, video recordings and photographs, and biometric information such as fingerprints, retina prints, body samples and genetic characteristics.
What information is not included in the definition of personal information?
Personal information about an anonymous individual or information that has been de-identified does not identify an individual and is not covered by the Act.
Are there any circumstances where personal information is not protected?
- Information about individuals contained in publicly available publications. Examples of publicly available publications at UTS are the Calendar, the Handbook, programs for activities such as Graduation ceremonies, or material in student and staff newspapers. Consequently, the University can release information that states that a person of the name of 'John Smith' is a graduate of the University without seeking the permission of 'John Smith' to release the information.
- Information about an individual's suitability for public sector employment, in relation to recruitment and selection processes. Public sector employment includes employment by UTS.
The University may occasionally apply the following exemptions to the definition of personal information in the Act.
- Information about a person who has been dead for more than 30 years. For example, information about past members of the academic, administrative or student body who have been dead for thirty years might be released.
- Information contained in a protected disclosure or collected in the course of investigating a protected disclosure under the Protected Disclosures Act 1994 (NSW).
- There is a limited exemption from the provisions of the Act where the information collected is unsolicited by the University.
- Information used in the exercise of the judicial functions of a court or tribunal is exempt. This would apply where the University prepares information that is to go before a court or tribunal.
Compliance requirements
The University is permitted to collect, store, use and disclose personal information, but it must comply with the following Information Protection Principles:
Collection of personal information by the University
- The purpose of collecting the personal information must be lawful and directly related to the University's activities and necessary for that purpose. The University's activities are set out in the University of Technology, Sydney Act 1989 (NSW).
- The information must be collected directly from the person to whom it relates unless that person has given their consent for it to be collected from another person or organisation. If the person is under the age of 18 years then a parent or guardian can give the necessary consent.
- The collection of the information must be undertaken in an open manner with people being told why it is being collected and who will be storing it and using it. The University must also tell the person how they can see and correct the information we are collecting.
- The information must be relevant, accurate, up-to-date and not excessive.
Storage of personal information by the University
- The information must be reasonably secure from unauthorised access, use or disclosure. The information must not be kept for any longer than necessary for the identified use, and an appropriate disposal system must be in place.
Access to personal information by the person to whom the information relates
- The University must adopt a transparent approach to the information it holds by providing a person with enough detail about the personal information that it stores, why it is stored and information about their rights of access to the information.
- The University must ensure information is accessible by allowing a person to access their personal information without unreasonable delay and expense.
- The University must ensure information is correct by allowing a person to update, correct or amend personal information where necessary.
Use by the University for its purposes and directly related purposes
- The University must ensure that the information is accurate before it is used.
- The University can only use information in a limited way, that is, 'for the purpose for which it was collected, for a directly related purpose or for a purpose for which the person has given their consent'. The information can be used without consent to deal with a serious and imminent threat to a person's health and safety.
Disclosure of information by the University to a third party
- The University is restricted in relation to the disclosure of information to a third party. Disclosure can occur with the consent of the person or if the person was told at the time the information was collected that it would be disclosed. Information can be disclosed for a related purpose if it is believed that the person would not object. The information can be used without consent to deal with a serious and imminent threat to a person's health and safety.
- Some information that the University collects is particularly sensitive, such as details of a person's ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities or trade union membership. This information is safeguarded from disclosure, which can only occur with the consent of the person, or to deal with a serious and imminent threat to someone's health or safety.
The Information Protection Principles are set out in Sections 8–19, in Part 2, Division 1, of the Act.