UNSW Division of the Registrar and Deputy Principal
  Policy Management Unit
 
People & Services
FoI
Elections
Policy Management
Go to the Copyright website
Privacy at UNSW
 

 

PRIVACY AND THE UNIVERSITY

UNSW staff need to be aware that there are two pieces of legislation directing how privacy issues are to be handled at UNSW.

  • The Privacy and Personal Information Protection Act 1998 (NSW) applies to State public sector agencies, which, by definition, include the majority of academic and administrative units at UNSW and other State universities.

  • The Privacy Amendment (Private Sector) Act 2000 (Commonwealth) applies to organizations in the private sector.

Generally units at the University will be covered by one Act or the other, but it is possible that some will need to comply with both. The UNSW Privacy Officer can advise individual units about relevant legislation.

The Privacy and Personal Information Protection Act 1998 (NSW)

The Act has introduced Information Protection Principles to ensure personal information held by public sector agencies is not modified, used or accessed by unauthorized people; and it applies to personal information collected on and after 1 July 2000. The Principles regulate the handling of personal information, and cover its collection, storage, use, disclosure and disposal. Exemptions from the Principles are allowed in limited circumstances, for example, where non-compliance is permitted under another act or law.

Personal information is defined in the Act as being information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from that information or opinion. Personal information includes, for example, names, addresses, telephone numbers, dates of birth, medical records, student ID ("SID"), passport numbers and body samples.

There are circumstances in which, under the Act, information about an individual is not considered to be personal information, including:

  • when it relates to a person who has been dead for more than 30 years;
  • when it is contained in a publicly available publication; and
  • when it refers to a person's suitability for employment as a public sector official.

Hence, in the context of UNSW, staff referees' reports, names and awards shown in graduation programs, and staff or student details published on an authorised University website, for example, are not considered to be personal information for the purposes of the Act.

Administrative operations related to the teaching and research activities of the University and which require the collection and retention of personal information, in particular for staff and student records, must comply with the legislation.

The Act allows individuals to request access to information about themselves, or to request information about themselves to be amended so as to ensure that their records are accurate, complete and not misleading. The University has mechanisms in place to handle routine requests from individuals for copies of their academic transcripts, or for corrections to personal details. Other requests for access to personal information should be made to the UNSW Privacy Officer.

The Act makes provision for an individual whose privacy has been breached by the University to request an internal review. Advice on applying for a review should be sought from the Privacy Officer.

As required by the Act, the University has prepared a Privacy Management Plan, which is available through the web at
http://www.privacy.unsw.edu.au/pmp.htm.
The Information Protection Principles appear in an appendix to the plan. Staff are strongly advised to consult the website and take particular note of the 12 Principles, for the University is required by law to comply with them.

The requirements to be met when collecting personal information from students or staff include that:

  • personal information must be collected directly from the individual it applies to;
  • the individual must be told the purpose for which the information will be used;
  • the individual must be told who will have access to the information.

Personal information can be used only for the purpose for which it was collected. It is imperative that any statement advising the individual of that purpose is specifically worded to ensure that breaches of the Act are avoided. In the student area, for instance, personal information obtained for enrolments cannot be used at another time for, say, marketing unless the students were informed of the latter purpose when the information was collected.

The release of personal information to other people or organisations is constrained by conditions specified in the Act. Part 62 prescribes substantial penalties for people using or disclosing personal information other than in connection with their lawful functions. There are no personal indemnification provisions. It is strongly recommended that each unit provides appropriate guidelines for their staff so that they know their responsibilities under the Act and are not unwittingly exposed to its penalties.

In general, personal information must not be released outside the University, except in response to a legal requirement such as a subpoena. Otherwise, information about a student or member of staff at UNSW must not be disclosed to a third party unless the student or staff member specifically requests it.

Documentation and procedures used within each unit should be amended as necessary in order to comply with the 12 Principles. For example, appropriate privacy statements must appear on certain forms (paper and electronic copies) and in other published material.

The UNSW Privacy Officer is available to advise on the Act and its implications.

Other references:


The Privacy Amendment (Private Sector) Act 2000 (Commonwealth)

The Commonwealth Act applies to organizations in the private sector. An organization can be an individual, a body corporate, a partnership, an unincorporated association or a trust, but must be specifically one of the following:

  • a business with a turnover of $3 million or more,
  • a not-for-profit organization such as a charitable body, sports club or union,
  • a Federal Government contractor,
  • an organization that carries on a business that collects or discloses personal information for a benefit, service or advantage (even though its turnover is less than $3 million),
  • a health service provider that holds health information (even though its turnover is less than $3 million),
  • a small business with a turnover of less than $3 million that chooses to opt in,
  • any organization that regulations specify as being covered by the Act.


Contact

The Privacy Officer
UNSW Sydney NSW 2052
Phone: (02) 9385 2860
Email: privacy@unsw.edu.au

l
 

| PMU Home| | People & Services |
| Copyright| Elections | Privacy | Policy Management| | FoI | 

Last update April 2006