The Commonwealth Privacy Act 1988 applies to the University. The Act requires that the University meet a number of principles in relation to the collection, storage, use and dissemination of personal information. The University has introduced policies and procedures relating to access to such information and the review of decisions relating to access.

Legislative and Policy Requirements

In addition to the University’s own standards, often embodied in statutes, rules and policies, the University is subject to the Privacy Act 1988 (Cth) and is accountable for reporting on a regular basis to the Office of the Federal Privacy Comissioner.

The Privacy Act 1988 include 11 Information Privacy Principles

• Principle 1 - Manner and purpose of collection of personal information
• Principle 2 – Solicitation of personal information from individual concerned
• Principle 3 – Solicitation of personal information generally
• Principle 4 – Storage and security of personal information
• Principle 5 – Information relating to records kept by record-keeper
• Principle 6 – Access to records containing personal information
• Principle 7 – Alteration of records containing personal information
• Principle 8 – Record-keeping to check accuracy etc of personal information before use
• Principle 9 – Personal information to be used only for relevant purposes
• Principle 10 – Limits on use of personal information
• Principle 11 – Limits on disclosure of personal information

The University must comply with these principles.

In a number of specific circumstances the University is permitted to provide personal information to authorised agencies such as the police or ambulance services. A guide for University staff provides advice on these circumstances. The guide Personal Information Disclosure Protocol is accessible only by University staff.

In addition to the Privacy Act 1988, other legislation may require the University to protect privacy, such as the Telecommunications (Interception) Act 1979 (Cth) , or may obligate the University to disclose personal information to government authorities, especially education and immigration agencies.

A number of University professional staff, such as medical practitioners and counsellors, are bound by confidentiality codes relating to their profession. The National Health and Medical Research Council and other agencies have issued guidelines on ethics relating to research, including privacy. The University has a number of policies which include provisions relating to privacy and access to personal information:

• Code of professional ethics
• Access to personal files

Personal Information

Personal information is any information that would allow an individual to be identified, for example their name, age or physical characteristics. It can be an opinion about an individual, which need not be true, or anything from which the person's identity could be reasonably ascertained. Personal information can be stored on a variety of media such as paper, electronic database, photographic and video image, digital form and may also extend to body sample and biometric data.

The University collects, stores and uses personal information to administer a variety of business related and administrative programs. The Personal Information Digest provides a comprehensive list of the types of personal information the University collects and, if appropriate, third parties to which the information may be provided.

Individuals can obtain information regarding access to their personal information by reference to the Personal Information Digest. Records may relate to persons with a current, former or prospective relationship with the University. In general, the University will not use or disclose personal information unless the person about whom the information was collected is aware of, or has consented to that use or disclosure. However, the University may use or disclose personal information where required by law, or where it is necessary for certain types of law enforcement, or where it is necessary to protect against a serious and imminent threat to a person's life or health.

Procedure to Gain Access to Personal Information

Individuals can obtain information about personal information which the University may hold about them and can request access to that information. Refer first to the Personal Information Digest. Alternatively, contact the Privacy Contact Officer, Audit and Governance Unit, University of Canberra, ACT, 2601, Australia. Individuals can also contact the Privacy Contact Officer to request an amendment to the personal information held by the University about them, or to request an internal review of a decision made in response to a request for access or amendment. Requests may be made by letter or by e-mail.

Review Procedure

If an individual believes that their personal information has not been dealt with in accordance with an Information Privacy Principle they may make a complaint to the Privacy Contact Officer, Audit and Governance Unit, University of Canberra, ACT, 2601, Australia. Requests must be made in writing and must be made within six months from the date when the breach was suspected to have occurred. Requests will be accepted via e-mail or by letter.

Requests will be acknowledged in writing within 14 days from the date on which the application was received, and the University will process the request within 60 days from the date on which the application was received. Applicants will be advised in writing of the University's decision.

If an applicant does not agree with the University's decision they may request an internal review by writing to the Vice Chancellor and President. The Vice Chancellor and President will arrange for an internal review to be carried out by a senior officer who has not previously been involved in the matter. This will be done within 45 days. The applicant will receive a response in writing.