The University of New South Wales

Name: Privacy Management Plan Approving Authority: VCAC
Date of Approval: July 2000
Revised June 2001
Contact Officer: Debbie Osborn - UNSW Privacy Officer


UNSW Privacy Management Plan

Plan Details

Introduction

The NSW Privacy and Personal Information Protection Act 1998 ("the Act") regulates how public sector agencies, which include universities, must deal with personal information. Each agency is required to produce and implement a Privacy Management Plan ("the Plan") explaining how it intends to comply with the provisions of the Act.

The Act established the Office of the Privacy Commissioner and defined its powers, which include research, advising on privacy, and investigating complaints. It contains offence provisions specifying penalties for wrongful disclosure of personal information and for corrupt practices. The Act also introduced a set of information protection principles ("the Principles") applicable to the management of personal information.


The Plan

The Plan indicates how UNSW will meet its statutory obligations in the management of personal information and covers:

  • the review and, if necessary, revision of policies and procedures to ensure their compliance with the Act;
  • the dissemination of those policies and procedures within the University;
  • procedures to be adopted for internal reviews (under Part 5 of the Act); and
  • any other matters relevant to privacy and the protection of personal information at the University.

UNSW maintains a general policy of openness regarding the information it holds, pursuant to the Freedom of Information Act 1989, at the same time recognising the privacy rights of individuals. The Plan enables the integration of the Principles given in the Act into existing policies, guidelines and procedures that address issues of privacy in the University.

Implementation of the Plan is by stages. The table in Appendix A shows the stages, the steps to be taken and the completion date for each stage. The Plan is to be reviewed after running for three years, or earlier if required.


What is Personal Information?

Personal information is defined in the Act as meaning "… information or an opinion about an individual … whose identity is apparent or can reasonably be ascertained from that information or opinion". Personal information therefore includes, for instance, names, addresses, telephone numbers, dates of birth, medical records, student ID ("SID"), passport numbers, fingerprints and body samples.

The Act also provides that the definition of personal information does not include such information in certain circumstances, such as:

  • when it relates to a person who has been dead for more than 30 years;
  • when it is contained in a publicly available publication; and
  • when it refers to a person's suitability for employment as a public sector official.

Hence, in the context of UNSW, referees' reports for staff, names and awards shown in graduation programs, and staff or student details published on an authorised University website, for example, are not considered to be personal information for the purposes of the Act.

Personal information is not limited to information that is sensitive or confidential, although the degree of sensitivity or confidentiality may influence the way in which the Principles are applied in particular instances. Many of the Principles only require that "reasonable steps" be taken having regard to all the circumstances, so, for example, office procedures that adequately protect a person's home address may be inadequate for protecting that person's medical records.

The Principles

The Principles given in the Act for protecting personal information are reproduced in Appendix B to this document.

The Principles are binding on the University, although some flexibility is possible in the event that one or more appear unworkable in certain circumstances. Then an exemption from or a modification to any such principle can be sought from the NSW Privacy Commissioner through a privacy code of practice.

A privacy code of practice can be made in respect of:

  • a particular type of personal information (eg student records);
  • a particular organisation or type of organisation (eg universities); and
  • a type of activity (eg whenever information is sent overseas).

Any privacy code of practice that may be approved in the future will appear on the University's website.

Privacy at UNSW

Administrative operations in the University, especially those related to its teaching and research activities, require the collection, use and retention of personal information about individual staff and students, prospective students, and alumni. In all instances the collection and management of the information by the "agency" (i.e. UNSW) must be done with due regard for the Principles.

Issues of privacy and confidentiality are addressed in various policy and procedural documents of the University, including:

These documents appear on the University's website at http://www.unsw.edu.au

There are also other legal instruments that relate to handling personal information at UNSW, in particular the Medical Practitioners Act, Workers Compensation Act, Occupational Health and Safety Act, Workplace Relations Act, Protected Disclosures Act and the Commonwealth Privacy Act.

Responsibilities

Overall responsibility for privacy at UNSW resides with the Registrar and Deputy Principal. The responsibility for day-to-day management has been delegated to the UNSW Privacy Officer, who is located in the Policy Management Unit.

The Privacy Officer is the first point of contact for privacy matters, including complaints, requests for amendment of records, and requests for internal reviews. The Privacy Officer is responsible for reporting privacy matters to the NSW Privacy Commissioner, and for preparing relevant statistical information and a statement of activities undertaken in compliance with the Act for the University's Annual Report.


Access to Personal Information at UNSW

In all circumstances, UNSW is conscious of its obligations under the Act, and personal information is not released outside the University, except in response to a legal requirement such as a subpoena. In a case of emergency or in other exceptional circumstances, the Deputy Registrar or a more senior officer, at his or her discretion, may authorise a release. In other situations, the release of personal information is governed by the Freedom of Information Act 1989, which is administered by the University's Policy Management Unit. As a general practice, information about a student or member of staff at UNSW is not disclosed to a third party without the individual's consent.

The Act allows individuals to request access to information about themselves, or to request that information about themselves be amended to ensure that their personal records are accurate, complete and not misleading. If such requests cannot be dealt with appropriately by the Privacy Officer, then relevant provisions of the Freedom of Information Act 1989 may be applied.

NewSouth Q (the Student Office) has routine administration procedures in place to handle requests from individuals for copies of their academic transcripts, or for corrections to personal details. Requests by staff or students for access to personal information for other purposes should be addressed to the Privacy Officer.

There are privacy provisions in the Act relating to public registers. (The term applies to a register of personal information that is required by law to be publicly available or open to public inspection.) The University of New South Wales Act 1989 does not require any public register to be maintained.


Complaints

A person who has a complaint relating to a breach of a Principle, or of a privacy code of practice by which UNSW is bound, is entitled under Part 5 of the Act to request the University to conduct an internal review. Such an application must be made in writing to the Privacy Officer within 6 months of the applicant becoming aware of the breach, and it should state the basis of the complaint and be as specific about the details as possible. There is no fee for lodging an application.

Complaints can also be made directly to the Privacy Commissioner, although individuals are encouraged to approach the Privacy Officer in the first instance.

Internal Review

Normally an internal review will be conducted by the UNSW Privacy Officer, but another University officer may deal with it if the Privacy Officer is substantially involved in the matter or if the matter would be handled more appropriately by someone else. An internal review must be completed as soon as reasonably practicable, and within 60 days of the receipt of the application. The applicant will be advised of the finding within 14 days of the completion of the review.

Within 14 days of receiving an application, the UNSW Privacy Officer will notify the Privacy Commissioner, and will then keep the Commissioner informed of the progress of the internal review through an interim briefing 30 days after its commencement. A summary of the findings of the review, which may include proposed actions, will be given to the Commissioner within 14 days of its completion.

An applicant who is dissatisfied with the findings, or with the consequent action by the University, or with the internal review not being completed within 60 days, may then apply to the Administrative Decisions Tribunal for a review of the matter that was the subject of the original application.


Contact

Advice or information on the Privacy and Personal Information Protection Act or its implementation may be obtained from:

The UNSW Privacy Officer
Policy Management Unit
UNSW Sydney NSW 2052

Phone: (02) 9385 2860
Fax: (02) 9385 2000
Email: privacy@unsw.edu.au


Appendix A

Privacy Implementation Plan

To enable the University to comply with the requirements of the Act, it is essential for the staff to be properly informed about the issues involved and the principles of privacy protection so that they will understand their own responsibilities. The stages in implementing the Plan, the steps to inform and train the staff, and the relevant target dates are set out below.

The UNSW Privacy Officer will coordinate the implementation and report progress to the University Executive.

Stage: Promulgate privacy responsibilities
  • Update UNSW Administration Manual to include Privacy (Completed)
  • Inform staff through Focus and mailout of the introduction of the Privacy Management Plan (Completed)
  • Publish the Plan on the UNSW web site (Completed)
  • Promulgate the URL of the Plan to Deans, Heads of School, Heads of Budget Units (Completed)
  • Evaluate responsibility statements for Deans and Heads of School with regard to Privacy (Date for completion: 30 June 2001)

Stage: Provide training on privacy issues
  • Incorporate privacy issues in training for Heads of School (Date for completion: 31 December 2000)
  • Incorporate privacy issues in Manager/Supervisor Training (Date for completion: 31 December 2000)
  • Incorporate privacy issues in New Staff induction (Date for completion: 30 June 2001)

Stage: Review relevant policies/guidelines
  • Review relevant policies and guidelines to integrate privacy issues where appropriate (Date for completion: 31 December 2002)
  • Revise grievance documentation to include privacy complaints (Date for completion: 31 December 2000)
  • Revise procedures for dealing with subpoenas, law enforcement officers, and external requests for access (Date for completion: 30 June 2001)

Stage: Develop privacy policies/guidelines
  • Develop handout for inclusion in new staff packets (Date for completion: 31 December 2001)
  • Develop an entry in the Student Guide regarding students' rights and responsibilities with regard to privacy (Date for completion: 30 June 2001)
  • Develop guidelines to be given to contractors regarding privacy responsibilities (Date for completion: 31 December 2001)
  • Develop guidelines for points at which personal information is collected (Date for completion: 31 December 2001)
  • Develop guidelines for staff with special responsibilities for personal information (eg Human Resources, Counselling, Health, Equity and Diversity) (Date for completion: 31 December 2001)
  • Develop guidelines for staff generally regarding privacy responsibilities (Date for completion: 30 December 2000)

Stage: Monitor privacy awareness
  • Conduct periodical surveys to monitor changes in privacy practice and awareness at UNSW (Survey due August 2002)


Appendix B


The Information Protection Principles

The Principles below are reproduced from the Privacy and Personal Information Protection Act 1998, Part 2, Sections 8 - 19. Note that Sections 8 - 11 do not apply in respect of information collected by the University before 1 July 2000.

Part 2 Information protection principles

8 Collection of personal information for lawful purposes

  1. A public sector agency must not collect personal information unless:
    (a) the information is collected for a lawful purpose that is directly related to a function or activity of the agency, and
    (b) the collection of the information is reasonably necessary for that purpose.
  2. A public sector agency must not collect personal information by any unlawful means.

9 Collection of personal information directly from individual

A public sector agency must, in collecting personal information, collect the information directly from the individual to whom the information relates unless:
(a) the individual has authorised collection of the information from someone else, or
(b) in the case of information relating to a person who is under the age of 16 years, the information has been provided by a parent or guardian of the person.

10 Requirements when collecting personal information

If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances to ensure that, before the information is collected or as soon as practicable after collection, the individual to whom the information relates is made aware of the following:
(a) the fact that the information is being collected,
(b) the purposes for which the information is being collected,
(c) the intended recipients of the information,
(d) whether the supply of the information by the individual is required by law or is voluntary, and any consequences for the individual if the information (or any part of it) is not provided,
(e) the existence of any right of access to, and correction of, the information,
(f) the name and address of the agency that is collecting the information and the agency that is to hold the information.

11 Other requirements relating to collection of personal information

If a public sector agency collects personal information from an individual, the agency must take such steps as are reasonable in the circumstances (having regard to the purposes for which the information is collected) to ensure that:
(a) the information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete, and
(b) the collection of the information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.

12 Retention and security of personal information

A public sector agency that holds personal information must ensure:
(a) that the information is kept for no longer than is necessary for the purposes for which the information may lawfully be used, and
(b) that the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information, and
(c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse, and
(d) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or disclosure of the information.

13 Information about personal information held by agencies

A public sector agency that holds personal information must take such steps as are, in the circumstances, reasonable to enable any person to ascertain:
(a) whether the agency holds personal information, and
(b) whether the agency holds personal information relating to that person, and
(c) if the agency holds personal information relating to that person:

(i) the nature of that information, and
(ii) the main purposes for which the information is used, and
(iii) that person's entitlement to gain access to the information.

14 Access to personal information held by agencies

A public sector agency that holds personal information must, at the request of the individual to whom the information relates and without excessive delay or expense, provide the individual with access to the information.

15 Alteration of personal information

  1. A public sector agency that holds personal information must, at the request of the individual to whom the information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information:
    (a) is accurate, and
    (b) having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading.
  2. If a public sector agency is not prepared to amend personal information in accordance with a request by the individual to whom the information relates, the agency must, if so requested by the individual concerned, take such steps as are reasonable to attach to the information, in such a manner as is capable of being read with the information, any statement provided by that individual of the amendment sought.
  3. If personal information is amended in accordance with this section, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the public sector agency.

16 Agency must check accuracy of personal information before use

A public sector agency that holds personal information must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.

17 Limits on use of personal information

A public sector agency that holds personal information must not use the information for a purpose other than that for which it was collected unless:
(a) the individual to whom the information relates has consented to the use of the information for that other purpose, or
(b) the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
(c) the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

18 Limits on disclosure of personal information

  1. A public sector agency that holds personal information must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a public sector agency, unless:
    (a) the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
    (b) the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
    (c) the agency believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.
  2. If personal information is disclosed in accordance with subsection (1) to a person or body that is a public sector agency, that agency must not use or disclose the information for a purpose other than the purpose for which the information was given to it.

19 Special restrictions on disclosure of personal information

  1. A public sector agency must not disclose personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual activities unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of the individual concerned or another person.
  2. A public sector agency that holds personal information must not disclose the information to any person or body who is in a jurisdiction outside New South Wales unless:
    (a) a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or
    (b) the disclosure is permitted under a privacy code of practice.
  3. For the purposes of subsection (2), a relevant privacy law means a law that is determined by the Privacy Commissioner, by notice published in the Gazette, to be a privacy law for the jurisdiction concerned.
  4. The Privacy Commissioner is, within the year following the commencement of this section, to prepare a code relating to the disclosure of personal information by public sector agencies to persons or bodies outside New South Wales.
  5. Subsection (2) does not apply:
    (a) until after the first anniversary of the commencement of this section, or
    (b) until a code referred to in subsection (4) is made,
    whichever is the later.
