Privacy Management Plan

Section 1 - Overview

(1) This Plan has been developed under Section 29 of the University of New England Act, 1993 and its associated University of New England By-law 2005. It has been informed by external legislation, being the Privacy Act 1988 (Cth), and (as the University is a Public Sector organisation responsible for the holding of personal information) the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA), the Health Records and Information Privacy Act 2002 (NSW) (HRIPA) and any other applicable laws.

(2) The Privacy Act 1988 (Cth) is applied in relation to:

  1. Personal information the University collects and holds regarding student assistance provided by the Commonwealth (which is an obligation under Section 19-60 of the Higher Education Support Act 2003 (Cth)); and
  2. Tax file number information (in accordance with the Tax File Number Guidelines, a legislative instrument under the Privacy Act 1988 (Cth)).

(3) The Privacy Act 1988 (Cth) as well as the PPIPA and the HRIPA, are underpinned by a suite of ‘privacy principles’ that act as a guiding framework for UNE’s Privacy Management Plan:

  1. The PPIPA covers personal information other than health information, and requires the University to comply with Information Protection Principles (IPPs). The IPPs cover the full 'life cycle' of information, from point of collection through to point of disclosure. They include obligations with respect to data security, data quality (accuracy) and rights of access and amendment to one's own personal information, as well as how personal information may be collected, used and disclosed;
  2. The HRIPA covers health-related personal information and requires the University to comply with the Health Privacy Principles (HPPs). Like the IPPs, the HPPs cover the entire information 'life cycle' but also include some additional principles with respect to anonymity, the use of unique identifiers and the sharing of electronic health records; and
  3. The Privacy Act governs the way that personal information is collected, used, disclosed, secured and accessed. It requires the University to comply with the Australian Privacy Principles (APPs) in terms of the information in Clause 2 (above).

(4) In addition to describing the application of the above legislation within the context of UNE, this Plan also acknowledges the European General Data Protection Regulation (the GDPR) and its application to staff, students and alumni who are European citizens. The principles ascribed to the management of information for that cohort have been applied to the Plan and integrated into existing information wherever appropriate, to ensure a consistent, and well-considered ‘privacy by design’ approach to the management of personal information.

(5) This Plan is the University’s reference document for meeting its obligations under the legislative instruments referred to above. It demonstrates UNE’s respect for the privacy of all students, staff, and others for whom it holds personal information.

(6) Any circumstance where personal information is collected, stored, used or disclosed in a manner that is not in accordance with the privacy management principles outlined throughout this Plan must be brought to the attention of the UNE Privacy Officer.

Section 2 - Scope

(7) This Plan applies to all UNE Representatives, as well as the University's decision-making bodies and any other individuals providing personal information to the University. It provides instruction in relation to the management of all personal information and health information (including sensitive information) held by the University and its controlled entities, and all forms of data capture and information collection, storage, analysis, use, communication, reporting and disclosure, including: email and other correspondence, spreadsheets and other database applications, online and paper-based forms and meeting records. In certain circumstances, it also applies to verbal communication.

Section 3 - Rule

Privacy Context

(8) As an Australian university with worldwide reach, UNE manages personal information pertaining to the global community of its students, to local and international alumni, staff, patients/clients, as well as to individuals contributing to UNE research and the teaching of University programs of study. Personal information may also be collected from these cohorts for statistical purposes, for the purpose of University planning, and for government reporting as required.

Privacy Management Principles

(9) The full life cycle of personal information handling at UNE is based upon the application of the University’s privacy management principles. These are a combination of the Australian Privacy Principles (APPs) found at Schedule 12 of the Privacy Act 1988 (Cth), the Health Privacy Principles (HPPs) found at Schedule 1 of the Health Records and Information Privacy Act 2002, and the key principles associated with the processing of personal data under the European General Data Protection Regulation. For the purposes of this Plan, those principles have been consolidated and summarised. Collectively, they maintain that:

  1. The collection of information is lawful, direct, relevant, open and transparent;
  2. Information is stored securely, not kept any longer than necessary and disposed of appropriately;
  3. Information is accurate and accessible to the person to whom it relates; and
  4. Information collected for a particular purpose is not used or disclosed for another purpose.

Collection of information

(10) Personal and health information is only collected by lawful and fair means and will be held by the University for the purpose it was provided, for purposes necessary to its functioning, and for any secondary purposes associated with the functioning of the University (eg. third-party organisations, as deemed appropriate). Those functions and the strategic goals to achieve them are outlined within the University of New England Act 1993 and the most recent iteration of the UNE Strategic Plan.

(11) Personal information is to be collected in an open and transparent manner and unless otherwise permitted by law, can only occur on the basis of having the consent of an individual, where consent is specific, and freely given on an informed and unambiguous basis.

(12) Personal information is to be collected directly from the individual about whom it relates. It will not be collected from an individual without their consent, unless:

  1. It is collected from a third party who has authority to produce/disclose it; or
  2. It is otherwise permitted by law (eg. to provide emergency support to an individual involved in a health or life-threatening, critical incident).

(13) When the University collects personal information (eg. at the point of enrolment or when an employee is appointed to a position within the University) it must ensure transparency of purpose so that the individual concerned is aware of the following:

  1. The purpose for which the information is being collected;
  2. The intended recipients of the information;
  3. Whether the information collected is required by law or is being requested from the individual on a voluntary basis;
  4. Any repercussions that might arise if an individual chooses not to provide their personal information upon request (eg. access to services);
  5. Whether the information may be disclosed to third parties;
  6. The incorporation of cookies in web pages;
  7. The right of access to, or correction of the information by the individual concerned;
  8. Information about where the collected material will be held; and
  9. Information about how an individual may lodge a privacy complaint.

(14) Personal information must only be collected when it is relevant to the activities and functions of the University. It should be accurate, complete and up-to-date, and limited (ie. not excessive). Collection of personal information must not unreasonably intrude into the personal affairs of an individual.

(15) When engaging with the University an individual must have the option of not identifying himself or herself, or of using a pseudonym if they wish. However, this option would not be feasible and does not apply if the University is required or authorised by or under a law, or court order, or a UNE policy document to deal with specific individuals.

Health Information

(16) Examples of instances where the University collects and subsequently uses health-related information include:

  1. At student enrolment, or as required, should a student wish to include details about a disability that may require adjustment(s) to the delivery of learning materials or learning environments;
  2. At the point of lodging medical certificates and accident report forms, counselling records etc. relating to staff sick leave and/or student special considerations for exams or study purposes;
  3. At a staff member’s point of employment or as needed, should they wish to advise the University of a disability that may require adjustments to be made to their workplace in order to undertake their work;
  4. At the point of attending the UNE Medical Centre to receive attention and healthcare services; and
  5. Where prospective donors provide health-related information in relation to the donation of their body, via the UNE Body Donor Program.

Privacy Impact Assessment (PIA)

(17) A Privacy Impact Assessment should be completed at the start of any new Project involving the collection, use or processing of personal and/or health information, or whenever there is a change to a project/system/process that may impact privacy.

Storage of Information

(18) Personal information collected by the University will be stored securely. It is to be protected from misuse, interference and loss; from unauthorised access, modification or disclosure; and retained as a corporate record in accordance with the University’s Records Management Rule and the State Records Act, 1998 (NSW).

(19) Personal information is to be created and captured within the University's approved record keeping system and, subject to the University’s Records Management Rule and the State Records Act 1998 (NSW), is not to be held in Schools and/or business units for any longer than is necessary to support the purpose for which it was collected.

(20) If the University stores personal information about an individual and that information is no longer required for any purpose associated with the University (and provided it is not contained in a Commonwealth record and not required by or under an Australian law, or court/tribunal order) the information should be de-identified or destroyed in a secure manner, in accordance with the University's Records Management Rule.

Health Information

(21) The University stores and holds health information in a variety of forms, for example:

  1. Certificates from healthcare providers, patient records at the UNE Medical Centre, staff and student records at the UNE Counselling Service and at other UNE clinics such as the UNE Psychology Clinic, held in secure health management systems;
  2. Staff related health information such as sick leave applications (with or without medical certificates); workers' compensation case records and rehabilitation records, held in online corporate record systems in accordance with the UNE Records Management Rule;
  3. Student-related health information such as Special Consideration forms and professional practitioner certificates; accident report forms; counselling records; and records of other student services such as those concerned with disability services or financial assistance which may hold information relating to students' health. This information is also held in online corporate record systems, in accordance with the UNE Records Management Rule.

Third party organisations providing goods/services

(22) The University contracts with third parties who provide it with various goods and services. In these circumstances, the University takes appropriate steps to ensure third-party organisations (eg. those conducting surveys, staff or student elections, or ongoing management of personal information) comply with the same privacy requirements that apply to the University.

Access and Accuracy

(23) The University, upon request from an individual, must provide them with access to their personal and health information without delay or expense, and provide it in a structured, commonly used and machine-readable format.

(24) If the University refuses to provide an individual with access to their personal or health information for any reason, the University must advise the individual in writing, outlining:

  1. The reasons for the refusal (unless given the grounds for refusal, it would be unreasonable to do so); and
  2. The mechanisms available to the individual, to complain about the refusal (provided at the Privacy Concerns and Complaints section of this Rule).

(25) Where it is technically feasible, an individual may request their personal information be transmitted directly to another party in a structured, commonly used machine-readable format.

(26) The University must, upon request from an individual, make appropriate amendments (whether by corrections, deletions or additions) to the individual’s personal information to ensure that the personal information –

  1. Is accurate; and
  2. Is relevant, up to date, complete, and not misleading.

(27) If the personal information has been shared with a third party for purposes of the University conducting its business, the University will advise the third party of the amendment unless it is impractical or unlawful to do so.

(28) UNE systems should enable individuals to maintain the accuracy of personal information held about them. Access may be provided securely via an online login and password system for staff (using WebKiosk facilities via the Staff section of the UNE webpages) and students (via the myUNE section of the UNE webpage) or where this is unavailable, via the appropriate and available UNE forms and associated procedures.

(29) Where it is not possible to amend or correct personal information (eg. if a corporate system is temporarily unavailable; if a system will not allow it; if the change is in conflict with legislation, the University's Records Management Rule or other UNE policy; or if the question of accuracy is contentious) the request for change is to be recorded on an official record (eg. alternate online or hard copy record) in lieu of making the change upon a corporate personnel system or database. The record should be made available as an addendum to any system or record where the original information is kept so that users at the original information source are aware of the discrepancy. The information should be updated and the corporate record amended as soon as possible.

Use and Disclosure

(30) The use and disclosure of personal and health information will be limited by the University and restricted to the purpose for which it was collected, unless the individual to whom the information relates provides their consent, or disclosure is authorised or permitted by legislation, a court order or other enforcement body.

(31) The University must, wherever it is practicable to do so, ensure that all requests for disclosure by third parties will be in writing.

(32) The University must take reasonable steps to ensure that any entity in receipt of personal information from the University does not breach the Australian Privacy Principles (at Schedule 1 of the Privacy Act 1988) in relation to the management and use of that information.

(33) The University will take reasonable steps to ensure the safe transfer of personal information across systems during transit. 

Health Information

(34) The Health Privacy Principles (at Schedule 1 of the Health Records and Information Privacy Act 2002 (NSW)) provide additional usage and disclosure protocols, as follows:

  1. Identifiers may be used to protect an individual’s identity. The identifier represents the individual and protects their identity and health-related data. University researchers may use identifiers to ensure anonymity of research participants. Identifying details (names, dates of birth and addresses) are replaced by a unique identifier, preferably a running number. If the de-identification of data is adequate, the data is no longer subject to Privacy Acts or associated legislation.
  2. Linkage of health records and information. The University must not include health information about any individual in a health records linkage system unless the person involved has provided their consent for this to occur. Where linkages occur across state borders (eg. with the intention of providing better health services and a more centralised health records management approach) the transfer of health information must not occur unless the individual involved has provided their consent for this to take place and the transfer is in accordance with Clause 30 of this Rule.

Key messages relating to the use and disclosure of personal information at UNE

(35) Information disclosed in online forums or other interactive/social media (including chat rooms, discussion forums, message boards, news groups, blogs etc.) may be deemed to be public information. Engaging with external social media is an opt-in event and it is important that any UNE Representative considering developing or joining an online forum understand that owners of forum sites will require details (eg. an individual’s email address, name etc.) to be transmitted to third parties. Staff and students as a result of their association with the University should exercise caution when engaging with online communication channels and social media — and when posting material should ensure that they do not post any confidential information or material that has the potential to damage the reputation of the University or others. UNE Representatives should refer to policy information surrounding the social media environment (via the UNE Social Media Policy) in relation to this issue.

(36) The University and individual units within the University may keep subscriber, mailing and contact lists that contain personal information. The lists will not be used for any other reason than those explained to subscribers when they were invited to join the list, and when the University requested and received their consent to include their personal information within it.

(37) The University may be required from time to time to maintain a public register, being a register of certain personal information that is required by law to be made publicly available or made open to public inspection.

Privacy Concerns and Complaints

(38) The University's Privacy Officer should be informed of all privacy concerns and complaints in the first instance, via the following contact information: by phone (+612 6773 4552) or by email (to privacy@une.edu.au).

(39) The Privacy Officer will take action to assess an eligible data breach, and notify individuals affected by data breaches in accordance with the Australian Notifiable Data Breaches (NDB) Scheme under Part IIIC of the Privacy Act 1988 (Cth).

Making a Complaint

Informal Complaint Process

(40) In most cases, it is possible to address informal complaints without the need to lodge an internal review request.

(41) The UNE Privacy Officer will address informal complaints collaboratively, with a view to alleviating privacy concerns and identifying/developing future activities to raise awareness of privacy issues and ensure privacy breaches do not occur.

(42) If an individual is dissatisfied with the outcome of the informal complaint, they may request an internal review to be conducted in relation to the privacy issue raised.

Internal Review Process

(43) A request for internal review must be lodged within six months of the date when the conduct/issue became apparent. If more than six months have passed, the complainant will need to ask the University for special permission to lodge a late application.

(44) Internal reviews are undertaken in accordance with any relevant legislative requirements and guidelines.

(45) The University will appoint an Internal Review Officer to undertake the internal review. The Internal Review Officer must be someone who was not substantially involved in any matter relating to the conduct/issue complained about previously.

(46) The University is required to inform the Information Privacy Commission of any applications for internal review, and to provide them with:

  1. The internal review application;
  2. A draft review report;
  3. A final review report; and
  4. Any other information the Information Privacy Commission may request in relation to the matter.

(47) If it is considered that the information being investigated is not specifically related to personal or health information, the Internal Review Officer will not investigate the conduct in question any further. If appropriate, the matter will be forwarded to the relevant member of the UNE Senior Executive team, for consideration and any appropriate action.

(48) If the Internal Review Officer determines that the review should be brought to the attention of a particular member of the UNE Senior Executive (eg. if the matter was related to a business practice within their portfolio), the matter will be shared with that member of the Senior Executive for their consideration and any appropriate action.

(49) An applicant who is not satisfied with the outcome of an internal review will be informed of their further review rights, if any.

(50) UNE Representatives are to fully co-operate with any privacy-related investigation, providing access to any relevant or requested documentation. Where UNE Representatives are aware of any activities relating to the potential request of personal information (eg. legal action or a privacy investigation) any material relating to the investigation on corporate record and IT systems is to be preserved until the investigation is finalised and any external appeal timeframes have been met.

(51) If an individual suspects that any corrupt conduct has been entered into in relation to the management by the University of personal or health information, the matter should be addressed in accordance with the University’s Public Interest Disclosure Rule and its associated procedures. 

Authority and Compliance

(52) The UNE Council, pursuant to Section 29 of the University of New England Act, makes this University Rule.

(53) University Representatives must observe it in relation to University matters.

(54) The Rule Administrator is authorised to make procedures and guidelines for the operation of this University Rule. The procedures and guidelines must be compatible with the provisions of this Rule.

(55) This Rule operates as and from the Effective Date.

(56) Previous Privacy Statements, Privacy Management Plans and related documents, are replaced and have no further operation from the Effective Date of this new Rule.

(57) Notwithstanding the other provisions of this University Rule, the Vice-Chancellor and Chief Executive Officer may approve an exception to this Rule where it is determined that the application of the Rule would otherwise lead to an unfair, unreasonable or absurd outcome. Approvals by the Vice-Chancellor and Chief Executive Officer under this clause must be documented in writing and must state the reason for the exception.

Section 4 - Definitions related to this Plan

(58) Collection (of personal information) means the way the University acquires the information (eg. by use of a written form, a verbal conversation, an online form, or taking a picture with a camera).

(59) Consent refers to the written consent from an individual for the University to undertake a particular action in relation to personal information, such as an additional use or disclosure to another party.

(60) Disclosure refers to the provision of personal information to a party or person external to the University. Provision of personal information internally may also be considered a disclosure where the personal information is about a staff member, or the information is health information.

(61) Effective Date means the day on which this Rule is published or on such later day as may be specified in this Rule.

(62) Health information has the meaning given to it in accordance with Section 6 of the Health Records and Information Privacy Act 2002 (NSW).

(63) Holding of personal information: The University will be considered to be 'holding' personal information if it is in the University's possession or control, or if it is held by a contractor or service provider on the University’s behalf. 

(64) Personal information has the meaning given to it in accordance with Section 4 of the Privacy and Personal Information Protection Act 1998 (NSW).

(65) Unsolicited personal information is information that the University receives but has taken no active steps to collect. For example: an employment application sent to the University on an individual's own initiative and not in response to an advertised vacancy.