Members of the University have a number of obligations and responsibilities in relation to privacy. The 11 Information Privacy Principles are the foundation to these obligations and responsibilities. These principles apply to the University as a corporate body and all staff of the University acting as agents of the University. The concepts embodied in these Principles are included in the following information. In addition the University is subject to periodic audits by the Office of the Federal Privacy Commissioner. These audits are designed to examine the University’s compliance with legislative requirements but also to recommend practices and processes to meet best practice in the sector.

• Information must be collected for lawful purposes

The information collected by the University must be collected for a lawful purpose and one directly related to the operation and responsibilities of the University. In some circumstances the information is collected by the University as an agent for another party, normally a government authority. In these cases the University has a statutory obligation to collect and communicate the information to that authority, including education and immigration agencies. The information may be in aggregate form or relate to identified individuals.

• Collection of information and advice to individual concerned

At the time of collection of personal information, or as soon as practical afterwards, the University must ensure the individual is aware of:

- purpose for which the information is collected;

- if the collection is authorised or required by or under a law, the fact that this is so; and

- third parties (eg. government agencies) to which the information may be passed.

If the information is collected by use of a form, these details should be printed on the form.   All forms should contain a short statement clearly stating why the information is collected, who may use or access the information and details of the dissemination of the information. For example, a student administration form may have the following declaration:

This information is collected to administer and support your enrolment in the University. It is used by staff in student administration and may be provided to staff responsible for teaching your units. The information may be provided to government agencies to meet legislative requirements.

Relevancy and security of information

The University must ensure that the information collected is relevant for the purpose, is complete and current and does not intrude to an unreasonable extent upon the personal affairs of the individual concerned.

The person in control or possession of the information must ensure that the information is protected against unauthorised access, loss, use, modification, misuse and disclosure and that third parties receiving the information have similar safeguards.  This includes practicing a ‘clean desk’ policy; ensuring that all files containing personal information are secured when not in active use. This includes securing files in locked drawers or cabinets when an office is unoccupied, even for only a short time or overnight.

• Awareness of information

The University is required to maintain a record setting out details of the nature of personal information collected and related details and make such details publicly available. The Personal Information Digest of the University performs this function. It is updated annually and mounted in the public domain by external government agencies. The Digest is the responsibility of the University’s Privacy Contact Officer.

• Access to information

A record-keeper (ie. University staff member) having possession or control of personal information must provide access to a person entitled to access the information except when a record-keeper is not permitted by law to provide access.

The Personal Information Digest of the University contains details of how to access personal information.

• Alteration of records containing personal information

A record-keeper should ensure that appropriate corrections, deletions and additions are made to personal information held by the University.

To achieve this objective the University ensures reasonable steps are taken to advertise mechanisms for checking and altering personal information or advising the University of changes to the information. For example, some student information can be reviewed and revised through OSIS, the student portal on UC Online, while much of the personal information held on staff in the HR database can be reviewed and revised through OPUS, the staff portal on UC Online.

• Accuracy of information

A record-keeper should take reasonable steps to ensure personal information is accurate, current and complete before it is used.

• Limits on use of personal information

A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose cannot use the information for any other purpose unless:

- the individual concerned has consented to the use of the information for that purpose;

- the record-keeper has a reasonable belief that the use of the information for the other purpose is necessary to prevent or lessen a serious or imminent threat to the life or health of the individual concerned or another person;

- use of the information for the other purpose is required or authorised by or under law;

- use of the information for the other purpose is reasonably necessary for enforcement of the criminal law or for the protection of the public revenue; or

- the purpose for which the information is used is directly related to the purpose for which it was originally obtained.

In the circumstances above a record should be maintained indicating the reason the information was used and for what purpose.

• Limits on the disclosure of personal information

A record-keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose cannot disclose the information to another person or organisation (other than the individual concerned) unless:

- the individual concerned has consented to the disclosure;

- the individual concerned is reasonably likely to be aware, or made aware (eg. stated on a form), that information of the kind is usually passed to that person or organisation;

- the record-keeper has a reasonable belief that the disclosure of the information is necessary to prevent or lessen a serious or imminent threat to the life or health of the individual concerned or another person; or

- disclosure of the information is reasonably necessary for enforcement of the criminal law or for the protection of the public revenue.

In the circumstances above a record should be maintained indicating the reason the information was disclosed and to whom it was disclosed.

The University has produced a Personal Information Disclosure Protocol to assist decision makers in identifying whether a request for personal information meets the tests for exemptions under the Privacy Act 1988 (Cth.) The Protocol is accessible only by University staff.

Some possible scenarios:

• The police contact you. They wish to know the address of a suspect in a criminal investigation who is also a member of the University.

The Information Privacy Principles generally prohibits the use of information for a purpose other than that for which it was collected. However, there is an exemption where the use of the information is reasonably necessary for enforcement of the criminal law.

If you chose to release the information to the police a record of this action must be made on the relevant official University file. You are not legally bound to provide the information unless the police first obtain a warrant but you can provide the information at your discretion.

Note that the University’s policy is that such questions are directed to the Academic Registrar but there may be circumstances when this is not practical and you need to respond.) Refer to the Personal Information Disclosure Protocol - accessible only by University Staff.

• The ambulance service contacts you. A person seriously injured in an accident has a University ID card indicating they are a student of the University. The ambulance service wishes to know if the University has details of next of kin to assist it identify if the victim suffers from any known allergies.

The Information Privacy Principles generally prohibits the use of information for a purpose other than that for which it was collected. However, there is an exemption where the use of the information is necessary to prevent or lessen a serious or imminent threat to the life or health of the individual concerned.

If you chose to release the information to the ambulance service a record of this action must be made on the relevant official University file.  For guidance on exemptions refer to the Personal Information Disclosure Protocol - accessible only by University Staff.

• A student’s parent contacts you inquiring how well (or otherwise) their son/daughter is doing in his course.

You cannot disclose such information without the consent of the student.

More generally, parents often do not appreciate that once their son or daughter reaches 18 years of age he/she is an adult and the University cannot provide them with details without the consent of their son or daughter.

• A collection agency has contacted the University to try to ascertain the current financial institution details of a member of staff. Can I provide this information?

No. Not without the consent of the staff member. A private collection agency is not a law enforcement authority which can claim special status under the exemptions to the Principles.

• A student is doing a group assignment and asks you to provide contact details for a member of the project group who is not attending project meetings.

Unless members of the group have specifically consented to such information being released in these circumstances, you cannot provide this information. However, you may respond that you will contact the student and advise that other members of the group wish to make contact and provide, with consent, the contact information of the inquirer.