(1) This Rule has been developed under Section 29 of the University of New England Act, 1993. It has been informed by external legislation, being the Privacy Act 1988 (Cth), the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP), the Health Records and Information Privacy Act 2002 (NSW) (HRIP) and any other applicable laws - and is the University's reference instrument for meeting its obligations under these Acts.
(2) Any circumstance where personal information is collected, stored, used or disclosed in a manner that is not in accordance with the 'Privacy Management Principles' must be brought to the attention of the UNE Privacy Officer.
(3) For the purposes of Section 33 of the Privacy and Personal Information Protection Act 1998 (NSW), the Privacy Management Rule is also the University's Privacy Management Plan, demonstrating to the public and the University community, UNE's respect for the privacy of students, staff and others for whom we hold personal information.
(4) This Rule is binding for all UNE Representatives, as well as the University's decision-making and advisory bodies. It applies to all personal information and health information (including sensitive information) held by the University and its controlled entities and all forms of data capture and information collection, storage, analysis, use, communication, reporting and disclosure, including: email and other correspondence, spreadsheets and other database applications, online and paper-based forms and meeting records. In certain circumstances it applies to verbal communication.
(5) This Rule has been prepared in accordance with Section 33 of the Privacy and Personal Information Protection Act 1998 (NSW).
(6) UNE is an Australian public university, established and operating under the University of New England Act 1993 and its associated By-laws. The University holds a vast amount of personal information not only pertaining to the students we serve, but also relating to our staff, patients and those contributing to the teaching of University programs of study. The University will protect privacy with the use of this Plan as a reference instrument.
(8) In addition, the University must comply with the Privacy Act 1988 (Cth) in relation to:
(10) As an institution within the higher education sector of Australia, UNE is required to collect and manage a range of personal and health information about our staff, students, patients and those contributing to the teaching of University programs of study. Some information may also be collected for statistical purposes for use in University planning and for government reporting as required.
(11) The full life cycle of personal information handling at UNE is based upon the University's privacy management principles. These are a combination of the IPPs, HPPs and the APPs. These principles are:
(12) Personal and health information is only collected by lawful and fair means and will be held by the University for the purpose it was provided, for purposes necessary to its functioning and for any secondary purposes associated with the functioning of the University. Those functions and the strategic goals to achieve them are outlined within the University of New England Act 1993 and the most recent iteration of the UNE Strategic Plan.
(13) Personal information is to be collected directly from the individual to whom it relates. When collecting personal information, the purpose for collection will be clearly explained - and information will not be collected from an individual without their consent, unless:
(14) In the cases referred to at 13(b) - (d) above, the decision to collect information, the rationale for doing so and the purpose for which it was required, should be formally documented and filed as a corporate record to clearly demonstrate that due diligence and appropriate processes have been followed to collect the information.
(15) Personal information is to be collected in an open and transparent manner. When the University, for the purpose of undertaking its official functions and responsibilities, collects personal information (eg. at the point of enrolment or when an employee is appointed to a position within the University), the University must ensure transparency of purpose - confirming that those concerned are aware of the following (either at the point of collection or as soon as possible thereafter):
(16) Personal information must only be collected when it is relevant to the activities and functions of the University. It should be accurate, complete and up-to-date - and limited (ie. not excessive). Collection of personal information must not unreasonably intrude into the personal affairs of an individual.
(17) When dealing with the University, an individual must have the option of not identifying himself or herself, or of using a pseudonym should they wish. However, this option would not be feasible and does not apply if the University:
(18) Where it is not necessary to identify the person that information relates to (for example, if information is being collected via a show of hands, survey tools, generic data generation) then information should be collected in such a way as to ensure anonymity. This may include the use of unique identifiers (eg. numbers) if it is reasonably necessary to differentiate one person's response from another's in order to carry out a particular function efficiently.
(19) Health related personal information will only be collected from the person concerned, unless it is unreasonable or impracticable to do so. Examples of instances where the University collects and subsequently uses health-related information include:
(20) If health information about a person is collected from a third party, the University must take reasonable steps to notify the person either at the time of collection, or as soon as possible thereafter (and in writing) that this has occurred.
(21) Sensitive information cannot be used for direct marketing.
(22) Sensitive information cannot be shared by related bodies corporate in the same way that they may share other personal information.
(23) When collecting personal information from an individual using online or hard copy media (or face-to-face) reference will always be made to the UNE Privacy Management Rule in writing or verbally (whichever is appropriate).
(24) Unsolicited information. For the purpose of state legislation, personal information is not collected if receipt by the agency is unsolicited. Certain provisions do not apply to unsolicited information under NSW legislation. If unsolicited personal information is received by UNE from a third party, it should be determined whether the University would have been permitted to have collected the information in any case, under the APPs. If not, the University should de-identify the information or dispose of it using secure means outlined within its Records Management Rule.
(25) Information collected before 1 July 2000 (as the PPIPA does not apply to material collected before this date).
(27) UNE may embed a link to a third party site, within a webpage. Where this is the case, the UNE site operates as a launching page to the third party site. The third party site will have its own privacy statement or other relevant information - which may deal with personal information differently to the UNE Privacy Management Rule.
(28) Information that an individual may disclose in online forums or other interactive media associated with the University is considered public information by both UNE and common law and is not protected under the PPIPA.
(29) If you send us a message, the University will record your email address. This email address will only be used for the purpose for which you have provided it (and it will not be disclosed to anyone without your consent). Some email traffic may be de-identified and monitored for statistical and quality purposes.
(30) Prospective staff applying for a vacant position at UNE include a range of personal information as part of their job application. This material has been provided to the University for a specific purpose and is kept for the duration of the recruitment process associated with the role that the person applied for. Once the recruitment has been finalised, all applicants will be notified using the contact details provided to HRS and the applications of unsuccessful candidates will be destroyed.
(31) Staff may be engaged in filming or photo activity at events held by the University — or may participate in and use image media for promotional purposes. When we take photos or film events, we will always seek the permission of people (including our own staff) before we include them in captured media - and we will advise how we will manage that information. We will ask people to sign a consent form for this purpose - and the images will only be used for that purpose and will be kept securely in our corporate records management system. We will also respect the wishes of those who do not wish to be photographed or filmed.
(32) When UNE units deliver or participate in seminars, conferences or other events, we will consider our privacy obligations when organising these events and aim to notify affected people how we will manage their personal and health information if we collect it, such as on registration forms.
(33) If an event management company assists the University with delivering an event, UNE will ensure that company has appropriate privacy management practices in place.
(34) Personal information collected by the University will be stored securely. It is to be protected from misuse, interference and loss; from unauthorised access, modification or disclosure; and retained as a corporate record in accordance with the University's Records Management Rule and the State Records Act 1998 (NSW).
(35) Personal information is to be created and captured within the University's approved record keeping system, and is not to be held in Schools and/or business units for any longer than is necessary to support the purpose for which it was collected.
(36) If the University stores personal information about an individual and that information is no longer required for any purpose associated with the University (and provided it is not contained in a Commonwealth record and not required by or under an Australian law, or court/tribunal order) the information should be de-identified or destroyed in a secure manner, in accordance with the University's Records Management Rule.
(37) The University stores and holds health information in a variety of forms, for example:
(38) Third party organisations who may be contracted by the University to perform a particular service (eg. conducting surveys, staff or student elections, or ongoing management of personal information) must confirm that they will comply with appropriate University of New England policy documents in relation to the collection, storage, use and disclosure of personal information. Personal information is to be encrypted during transfer to ensure its secure transmission.
(39) Personal information held by Schools and business units for the purpose of job interviews is to be placed in locked confidential waste bins for shredding after the selection process has been completed.
(42) The University, upon request by an individual, will provide them with access to their personal and health information:
(43) If the University holds personal and health information about an individual it must, upon the individual's request, give them access to that information (and within a reasonable period after the request is made) unless:
(44) If the University refuses to provide an individual with access to their personal or health information for any of the reasons outlined above, the University must advise the individual in writing, outlining:
(45) If the personal information has been shared with a third party for purposes of the University conducting its business, the University will advise the third party of the amendment unless it is impractical or unlawful to do so.
(46) UNE systems should enable individuals to maintain the accuracy of personal information held about them. Access may be provided securely via an online login and password system for staff (using WebKiosk facilities via the Staff section of the UNE webpages) and students (via the myUNE section of the UNE webpage), or where this is unavailable, via the appropriate and available UNE forms and associated procedures.
(49) Where it is not possible to amend or correct personal information (eg. if a corporate system is temporarily unavailable; if a system will not allow it; if the change is in conflict with legislation, the University's Records Management Rule or other UNE policy; or if the question of accuracy is contentious) the request for change is to be recorded on an official record (eg. alternate online or hard copy record) in lieu of making the change upon a corporate personnel system or database. The record should be made available as an addendum to any system or record where the original information is kept, so that users at the original information source are aware of the discrepancy. The information should be updated and the corporate record amended as soon as possible.
(50) As per Clause 43 above.
(52) The use and disclosure of personal and health information will be limited by the University and restricted to the purpose for which it was collected, unless the individual to whom the information relates provides their consent; or the use of the information directly relates to the purpose for which it was collected; or the information is provided to a third party in order to prevent or lessen a serious or imminent threat to a person's health or safety.
(53) In addition, the University may collect, use and disclose personal information where it is required, authorised or permitted by legislation, a court order or other enforcement body to do so. The University must ensure that all requests for disclosure are in writing (and where applicable on corporate letterhead). Specific details relating to New South Wales, Commonwealth or other jurisdictions are outlined within 'Special Protocols' at Clauses 54 - 61 of this Rule.
(54) Health Information Privacy Principles provide additional usage and disclosure protocols, as follows:
(55) Sensitive information must be safeguarded and will not be disclosed unless the disclosure is necessary to prevent a serious and imminent threat to the life or health of the individual concerned, or another person.
(56) Personal information must not be disclosed to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless:
(57) Where the University engages a third party contractor to undertake functional activities (eg. mailing houses, IT support agencies, online voting services, specialist contractors) UNE's privacy obligations also apply to the third party and must be incorporated into any contract or contractual obligations between them and the University.
(58) Personal information must not be used or disclosed for the purpose of direct marketing, unless:
(59) In each direct marketing communication with the individual, the University is to include a statement that an individual may request to not receive any further direct marketing communique (eg. via an unsubscribe option for online marketing channels).
(60) If the University intends to disclose personal information to third party marketing organisations, it must explain its intention and ensure individuals have an option to not take part in third party operations.
(61) Disclosure of personal information to recipients (also referred to as 'cross-border' disclosures) in other jurisdictions:
(62) As per Clause 43 above.
(63) Online forums or other interactive/social media. Information disclosed in online forums or other interactive/social media (including chat rooms, discussion forums, message boards, news groups, blogs etc.) is considered by common law to be public information. Engaging with these online communication channels is an opt-in event and it is important that any UNE representative considering developing or joining an online forum understands that owners of forum sites will require details (eg. your email address, name etc.) to be transmitted to third parties. Staff and students, as a result of their association with the University, should exercise caution when engaging with online communication channels and social media — and when posting material should ensure that they do not post any confidential information, or material that has the potential to damage the reputation of the University or others. UNE representatives should refer to policy information surrounding the social media environment (via the UNE Social Media Policy) in relation to this issue.
(64) Mailing and contact lists. The University and individual units within the University may keep subscriber, mailing and contact lists that contain personal information. The lists will not be used for any reason other than those explained to subscribers when they were invited to join the list and the University requested and received their consent to include their personal information within it. With each piece of promotional or other correspondence generated using the mailing/contact list, the University will also include an 'opt-out' provision, to allow subscribers to unsubscribe should they wish.
(65) The University maintains a number of public registers that highlight a connection between the organisation and those who support it. These include:
(66) The University's Privacy Officer should be informed of all privacy concerns and complaints, including potential breaches of privacy associated with the University and its controlled entities in the management of its operations and obligations.
(67) Complaints may be addressed in one of two ways:
(68) Informal complaints can be addressed by the UNE Privacy Officer in collaboration with the UNE area concerned, without the need to lodge an internal review request.
(69) Formal complaints are addressed by lodging an internal review request (form link: http://www.ipc.nsw.gov.au/form-privacy-complaint), in accordance with Section 53 of the PPIP Act. The internal review request must be lodged within six months of the affected individual becoming aware of the conduct in question.
(70) In most cases, it is possible to address informal complaints without the need to lodge an internal review request.
(71) The UNE Privacy Officer will address informal complaints collaboratively, with a view to alleviating privacy concerns and identifying/developing future activities to raise awareness of privacy issues and ensure privacy breaches do not occur.
(72) If you are dissatisfied with the outcome of the informal complaint, you may request an internal review be conducted in relation to the privacy issue raised.
(73) A request for internal review must be lodged within six months of the affected individual becoming aware of the conduct in question. Later applications will be considered once the UNE Privacy Officer has determined that it is appropriate to accept the late application.
(74) Internal reviews are undertaken in line with legislative requirements outlined by Privacy NSW in their Internal Review Checklist form (link: http://www.ipc.nsw.gov.au/form-privacy-complaint).
(75) The UNE Privacy Officer will usually undertake the internal review and decide how the University should respond to the issues raised.
(76) The University is required to inform the NSW Privacy Commissioner of any applications for internal review, and to provide the Commissioner with a copy of:
(77) The Commissioner will be provided with an opportunity to make a submission to the University before the review process is complete, in relation to the privacy matter and the University's findings.
(78) The University is to complete the internal review within 60 days after receipt of an internal review application.
(79) The internal review investigation will usually include:
(80) If it is considered that the information being investigated is not specifically related to personal or health information, the Privacy Officer will not investigate the conduct in question any further. The matter will be forwarded to the appropriate member of the UNE Senior Executive team, for consideration and appropriate action.
(81) If it is considered that the review relates to a University business process, the review may include the relevant member of UNE's Senior Executive responsible for the process (or activity).
(82) An applicant who is not satisfied with the outcome of an internal review can request the New South Wales Civil and Administrative Tribunal (NCAT) to review the conduct and subsequent decision complained about. The request must be lodged within 28 days of completion of the review. Please refer to the Privacy Complaint Management section located at the University's Compliance System Register via the following link: https://compliance.une.edu.au/overview.php?id=4
(83) If an internal review is not completed within the 60 day timeframe allowed, the 28 day time limit to request an NCAT review begins from the later of the following two dates:
(84) UNE representatives are to fully cooperate with any privacy-related investigation, providing access to any relevant documentation as requested. Where UNE representatives are aware of activities that may give rise to a request for personal information (eg. legal action or a privacy investigation), any material relating to the investigation held on corporate record and IT systems is to be preserved until the investigation is finalised and any external appeal timeframes have been met.
(85) Information relating to compliance obligations for appropriate privacy training of staff is located at the University's Compliance System Register via the following link: https://compliance.une.edu.au/overview.php?id=4
(86) Information relating to non-compliance and offences under the PPIP Act and the HRIP Act are located at the University's Compliance System Register via the following link: https://compliance.une.edu.au/overview.php?id=4
(87) Contact details for the NSW Civil and Administrative Tribunal, as well as for the NSW Privacy Commissioner, are located at the University's Compliance System Register via the following link: https://compliance.une.edu.au/overview.php?id=4
(88) If an individual suspects that any corrupt conduct has been entered into in relation to the management by the University of personal or health information, the matter should be addressed in accordance with UNE's Public Interest Disclosure Rule and its associated procedures.
(89) The UNE Council, pursuant to Section 29 of the University of New England Act, makes this University Rule.
(90) University Representatives must observe it in relation to University matters.
(91) The Rule Administrator is authorised to make procedures and guidelines for the operation of this University Rule. The procedures and guidelines must be compatible with the provisions of this Rule.
(92) This Rule operates as and from the Effective Date.
(93) Previous Privacy Statement, Privacy Management Plan and related documents, are replaced and have no further operation from the Effective Date of this new Rule.
(94) Notwithstanding the other provisions of this University Rule, the Vice-Chancellor may approve an exception to this Rule where it is determined that the application of the Rule would otherwise lead to an unfair, unreasonable or absurd outcome. Approvals by the Vice-Chancellor under this clause must be documented in writing and must state the reason for the exception.
(95) Collection (of personal information) means the way the University acquires the information, for example: a written form, a verbal conversation, an online form, or taking a picture with a camera.
(96) Consent refers to the written consent from an individual for the University to undertake a particular action in relation to personal information, such as an additional use or disclosure to another party.
(97) Disclosure refers to the provision of personal information to a party or person external to the University. Provision of personal information internally may also be considered a disclosure where the personal information is about a staff member, or the information is health information.
(98) Effective Date means the day on which this Rule is published or on such later day as may be specified in this Rule.
(99) Holding of personal information: The University will be considered to be 'holding' personal information if it is in the University's possession or control, or if it is held by a contractor or service provider on our behalf. Most of the privacy principles apply to when the University is 'holding' personal information, which means we remain responsible for what our contractors or service providers do on our behalf.
(100) Personal information refers to information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion, in accordance with Section 4 of the Privacy and Personal Information Protection Act 1998 (NSW). It includes such things as:
(101) Sensitive personal information relates to information about a person's racial or ethnic origin, political perspectives, religious/philosophical beliefs, sexual activities or union membership.
(102) UNE Act means the University of New England Act 1993 No 68 (NSW).
(103) UNE Representative means a University employee (casual, fixed term and permanent), student, contractor, agent, appointee, UNE Council member, adjunct, visiting academic and any other person engaged by the University to undertake some activity for or on behalf of the University. It includes corporations and other bodies falling into one or more of these categories.
(104) Unsolicited personal information is information that the University receives, but has taken no active steps to collect. For example: an employment application sent to the University on an individual's own initiative and not in response to an advertised vacancy.