• Section 1 - Overview
• Section 2 - Scope
• Section 3 - Rule
• Privacy Context
• Privacy Management Principles
• Collection of information
• Storage of information
• Access and Accuracy
• Use and disclosure
• Privacy concerns and complaints
• Authority and Compliance
• Section 4 - Definitions

Section 1 - Overview

(1) This Rule has been developed under Section 29 of the University of New England Act, 1993. It has been informed by external legislation, being the Privacy Act 1988 (Cth), the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP), the Health Records and Information Privacy Act 2002 (NSW) (HRIP) and any other applicable laws - and is the University's reference instrument for meeting its obligations under these Acts.

(2) Any circumstance where personal information is collected, stored, used or disclosed in a manner that is not in accordance with the 'Privacy Management Principles' must be brought to the attention of the UNE Privacy Officer.

(3) For the purposes of Section 33 of the Privacy and Personal Information Protection Act 1998 (NSW), the Privacy Management Rule is also the University's Privacy Management Plan, demonstrating to the public and the University community, UNE's respect for the privacy of students, staff and others for whom we hold personal information.

Section 2 - Scope

(4) This Rule is binding for all UNE Representatives, as well as the University's decision-making and advisory bodies. It applies to all personal information and health information (including sensitive information) held by the University and its controlled entities and all forms of data capture and information collection, storage, analysis, use, communication, reporting and disclosure, including: email and other correspondence, spreadsheets and other database applications, online and paper-based forms and meeting records. In certain circumstances it applies to verbal communication.

(5) This Rule has been prepared in accordance with Section 33 of the Privacy and Personal Information Protection Act 1998 (NSW).

Section 3 - Rule

Privacy Context

(6) UNE is an Australian public university, established and operating under the University of New England Act 1993 and its associated By-laws. The University holds a vast amount of personal information not only pertaining to the students we serve, but also relating to our staff, patients and those contributing to the teaching of University programs of study. The University will protect privacy with the use of this Plan as a reference instrument.

(7) As a NSW public sector agency responsible for the holding of personal information, the University must comply with the PPIP Act and HRIPA.

(8) In addition, the University must comply with the Privacy Act 1988 (Cth) in relation to:

1. Personal information the University collects and holds regarding student assistance provided by the Commonwealth (which is an obligation under Section 19-60 of the Higher Education Support Act 2003 (Cth)); and
2. Tax file number information (in accordance with the Tax File Number Guidelines, a legislative instrument under the Privacy Act 1988 (Cth)).

(9) Each of the Acts (PPIPA, HRIPA and the Privacy Act 1988 (Cth) focus upon 'privacy principles':

1. The PPIPA covers personal information other than health information, and requires the University to comply with Information Protection Principles (IPPs). The IPPs cover the full 'life cycle' of information, from point of collection through to point of disclosure. They include obligations with respect to data security, data quality (accuracy) and rights of access and amendment to one's own personal information, as well as how personal information may be collected, used and disclosed;
2. The HIPRA covers health-related personal information and requires the University to comply with the Health Privacy Principles (HPPs). Like the IPPs, the HPPs cover the entire information 'life cycle' but also include some additional principles with respect to anonymity, the use of unique identifiers and the sharing of electronic health records; and
3. The Privacy Act regulates the way that personal information is collected, used, disclosed, secured and accessed. It requires the University to comply with the Australian Privacy Principles (APPs) in terms of the information in Clause 8 (above).

(10) As an institution within the higher education sector of Australia, UNE is required to collect and manage a range of personal and health information about our staff, students, patients and those contributing to the teaching of University programs of study. Some information may also be collected for statistical purposes for use in University planning and for government reporting as required.

Privacy Management Principles

(11) The full life cycle of personal information handling at UNE (Click here for life cycle) is based upon University's privacy management principles. These are a combination of the IPPs, HPPs and the APPs. These principles are:

1. That collection of information is lawful, direct, relevant, open and transparent;
2. That information is stored securely, not kept any longer than necessary and disposed of appropriately;
3. That information is accurate and accessible to the person to whom it relates; and
4. That information collected for a particular purpose, is not used or disclosed for another purpose.

Collection of information

(12) Personal and health information is only collected by lawful and fair means and will be held by the University for the purpose it was provided, for purposes necessary to its functioning and for any secondary purposes associated with the functioning of the University. Those functions and the strategic goals to achieve them are outlined within the University of New England Act 1993 and the most recent iteration of the UNE Strategic Plan.

(13) Personal information is to be collected directly from the individual about whom it relates. When collecting personal information, the purpose for collection will be clearly explained - and will not be collected from an individual without their consent, unless:

1. It is collected from a third party who can provide evidence that they have collected the information from the individual concerned, with their consent; or
2. It is collected from a third party by way of a grievance/complaint about an individual, or in the course of an investigation; or
3. It is collected from a parent or legal guardian of the individual concerned (in the event that the individual is under the age of 16 years); or
4. The individual is involved in a life threatening, health or other emergency; or
5. It is unreasonable or impractical to do so.

(14) In the cases referred to at 13(b) - (d) above, the decision to collect information, the rationale for doing so and the purpose for which it was required, should be formally documented and filed as a corporate record to clearly demonstrate that due diligence and appropriate processes have been followed to collect the information.

(15) Personal information is to be collected in an open and transparent manner. When the University for the purpose of undertaking its official functions and responsibilities collects personal information (eg. at the point of enrolment or when an employee is appointed to a position within the University), the University must ensure transparency of purpose - confirming that those concerned are aware of the following (either at the point of collection or as soon as possible thereafter):

1. The purpose for which the information is being collected (which should relate to the key functions of the University);
2. The intended recipients of the information;
3. Whether the information collected is required by law or is being requested on a voluntary basis. If information is requested on a voluntary basis, participants must be provided with a means to 'opt out'.
4. Any consequences that might arise as a result of not providing information upon request;
5. Any third parties that might also be entitled to this information, including whether the University is likely to disclose the personal information to recipients from other jurisdictions;
6. The incorporation of cookies in webpages;
7. The existence of any right of access to, or correction of the information by the individual concerned;
8. Information about where the collected material will be held and by whom; and
9. Information about how an individual may lodge a privacy complaint.

(16) Personal information must only be collected when it is relevant to the activities and functions of the University. It should be accurate, complete and up-to-date - and limited (ie. not excessive). Collection of personal information must not unreasonably intrude into the personal affairs of an individual.

(17) When dealing with the University, an individual must have the option of not identifying himself or herself, or of using a pseudonym should they wish. However, this option would not be feasible and does not apply if the University:

1. Is required or authorised by or under an Australian law, or a court order, to deal with specific individuals; or
2. Finds it impractical to address the issues raised by the individual without knowing their true identity.

(18) Where it is not necessary to identify the person that information relates to (for example, if information is being collected via a show of hands, survey tools, generic data generation) then information should be collected in such a way as to ensure anonymity. This may include the use of unique identifiers (eg. numbers) if it is reasonably necessary to differentiate one person's response from another's in order to carry out a particular function efficiently.

Special protocols - Health Information

(19) Health related personal information will only be collected from the person concerned, unless it is unreasonable or impracticable to do so. Examples of instances where the University collects and subsequently uses health-related information include:

1. At student enrolment, or as required, should a student wish to include details about a disability that may require adjustment(s) to the delivery of learning materials or learning environments;
2. At the point of lodging medical certificates and accident report forms, counselling records etc. relating to staff sick leave and/or student special considerations for exams or study purposes;
3. At a staff member's point of employment or as needed, should they wish to advise the University of a disability that may require adjustments to be made to their workplace in order to undertake their work;
4. At the point of attending the UNE Medical Service, to receive attention and healthcare services; and
5. Where prospective donors provide health-related information in relation to the donation of their body, via the UNE Body Donor Program.

(20) If health information about a person is collected from a third party, the University must take reasonable steps to notify the person either at the time of collection, or as soon as possible thereafter (and in writing) that this has occurred.

Special protocols - Sensitive Information

(21) Sensitive information cannot be used for direct marketing.

(22) Sensitive information cannot be shared by related bodies corporate in the same way that they may share other personal information.

Special protocols - other

(23) When collecting personal information from an individual using online or hard copy media (or face-to-face) reference will always be made to the UNE Privacy Management Rule in writing or verbally (whichever is appropriate).

Special exemptions

(24) Unsolicited information. For the purpose of state legislation, personal information is not collected if receipt by the agency is unsolicited. Certain provisions do not apply to unsolicited information under NSW legislation. If unsolicited personal information is received by UNE from a third party, it should be determined whether the University would have been permitted to have collected the information in any case, under the APPs. If not, the University should de-identify the information or dispose of it using secure means outlined within its Records Management Rule.

(25) Information collected before 1 July 2000 (as the PPIPA does not apply to material collected before this date).

Key messages

Personal information gathered via the use of UNE online systems/websites

(26) Whilst visitors to the UNE website are able to access the site anonymously - and to access information without revealing their identity, the University may collect information about visitors to sites via the use of cookies or other automated means including server logs. A cookie is a packet of data that a website puts on a visitor's computer's hard disk to identify them as a visitor to that site for a limited time. This information could include: your server address; your domain name; your IP address; the date, time and duration of your visit; the page accessed before your visit to our site; the pages accessed and documents downloaded from our site; the previous site visited; the type of browser you used. You may choose to disallow cookies through your web browser settings.

(27) UNE may embed a link to a third party site, within a webpage. Where this is the case, the UNE site operates as a launching page to the third party site. The third party site will have its own privacy statement or other relevant information - which may deal with personal information differently to the UNE Privacy Management Rule.

(28) Information that an individual may disclose in online forums or other interactive media associated with the University is considered public information by both UNE and common law and is not protected under the PPIPA.

Email

(29) If you send us a message, the University will record your email address. This email address will only be used for the purpose in which you have provided it (and it will not be disclosed to anyone without your consent). Some email traffic may be de-identified and monitored for statistical and quality purposes.

Human Resource Services (HRS)

(30) Prospective staff who may be applying for a vacant position at UNE, include a range of personal information as part of their job application. This material has been provided to the University for a specific purpose and is kept for the duration of the recruitment process associated with the role that the person had applied for. Once the recruitment has been finalised, all applicants will be notified using the contact details provided to HRS and the applications for unsuccessful candidates will be destroyed.

Publishing to the UNE website, photography, filming and media

(31) Staff may be engaged in filming or photo activity at events held by the University — or may participate in and use image media for promotional purposes. When we take photos or film events, we will always seek permission of people (including our own staff) before we include them in captured media - and we will advise how we will manage that information. We will ask people to sign a consent form for this purpose - and the images will only be used for that purpose and will be kept securely in our corporate records management system. We will also respect the wishes of those who do not wish to be photographed or filmed.

Public seminars and conferences

(32) When UNE units deliver or participate in seminars, conferences or other events, we will consider our privacy obligations when organising these events and aim to notify affected people how we will manage their personal and health information if we collect it, such as on registration forms.

(33) If an event management company assists the University with delivering an event, UNE will ensure that company has appropriate privacy management practices in place.

Storage of information

(34) Personal information collected by the University, will be stored securely. It is to be protected from misuse, interference and loss; from unauthorised access, modification or disclosure; retained as a corporate record in accordance with the University's Records Management Rule and the State Records Act, 1998 (NSW).

(35) Personal information is to be created and captured within the University's approved record keeping system, and is not to be held in Schools and/or business units for any longer than is necessary to support the purpose for which it was collected.

(36) If the University stores personal information about an individual and that information is no longer required for any purpose associated with the University (and provided it is not contained in a Commonwealth record and not required by or under an Australian law, or court/tribunal order) the information should be de-identified or destroyed in a secure manner, in accordance with the University's Records Management Rule.

Special protocols — Health Information

(37) The University stores and holds health information in a variety of forms, for example:

1. Certificates from healthcare providers, patient records at UNE Medical Service, staff and student records at the UNE Counselling Service and at other UNE clinics such as the UNE Psychology Clinic, held in secure health management systems;
2. Staff related health information such as sick leave applications (with or without medical certificates); workers' compensation case records and rehabilitation records, held in online corporate record systems in accordance with the UNE Records Management Rule;
3. Student related health information such as Special Consideration forms and professional practitioner certificates; accident report forms; counselling records; and records of other student services such as those concerned with disability services or financial assistance which may hold information relating to students' health. This information is also held in online corporate record systems, in accordance with the UNE Records Management Rule.

Special protocols - Third party organisations

(38) Third party organisations who may be contracted by the University to perform a particular service (eg. conducting surveys, staff or student elections, or ongoing management of personal information) must confirm that they will comply with appropriate University of New England policy documents in relation to the collection, storage, use and disclosure of personal information. Personal information is to be encrypted during transfer to ensure its secure transmission.

1. Where personal information has been held by a third party for a particular purpose, the University requires assurance either contractually or via a statement of attestation, that the information will be destroyed once the purpose has been completed.
2. Where personal information is stored by a third party provider to deliver an ongoing service to the University, independent assurance needs to be provided to the University on a regular basis, that they are continually maintaining compliance with appropriate privacy legislation. Such an arrangement needs to be incorporated into any binding contractual arrangements to ensure personal information is appropriately protected at all times.

Special protocols - Human Resource Services

(39) Personal information held by Schools and business units for the purpose of job interviews, is to be placed in locked confidential waste bins for shredding after the selection process has been completed.

Special exemptions

(40) No

Key messages

(41) No

Access and Accuracy

(42) The University upon request by an individual, will provide them with access to their personal and health information:

1. Within a reasonable period after the request is made;
2. Without expense to the individual for general record keeping purposes (unless the access is being sought in accordance with a formal GIPA request); and
3. For the purposes of amending their personal information to ensure accuracy.

(43) If the University holds personal and health information about an individual it must, upon the individual's request, give them access to that information (and within a reasonable period after the request is made) unless:

1. The University believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or safety; or
2. Giving access would have an unreasonable impact on the privacy of other individuals; or
3. The individual's request for access was frivolous or vexatious; or
4. The information relates to existing or anticipated legal proceedings between the University and the individual; or
5. Giving access would reveal the intentions of the University in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
6. Giving access would be likely to prejudice one or more enforcement related activities conducted by or on behalf of, an enforcement body; or
7. Giving access would reveal evaluative information generated within the University, in connection with a commercially sensitive decision-making process; or
8. Giving access would be unlawful; or
9. Denying access is required or authorised by or under an Australian law or a court/tribunal order; or
10. Both of the following apply:
    1. The University has reason to suspect that unlawful activity, or misconduct of a serious nature that relates to the University's functions or activities has been, is being or may be engaged in; and
    2. Giving access would be likely to prejudice the taking of appropriate action in relation to the matter.

(44) If the University refuses to provide an individual with access to their personal or health information for any of the reasons outlined above, the University must advise the individual in writing, outlining:

1. The reasons for the refusal (unless given the grounds for refusal, it would be unreasonable to do so); and
2. The mechanisms available to the individual, to complain about the refusal (at the Privacy Concerns and Complaints section of this Rule).

(45) If the personal information has been shared with a third party for purposes of the University conducting its business, the University will advise the third party of the amendment unless it is impractical or unlawful to do so.

(46) UNE systems should enable individuals to maintain the accuracy of personal information held about them. Access may be provided securely via an online login and password system for staff (using WebKiosk facilities via the Staff section of the UNE webpages) and students (via the myUNE section of the UNE webpage), or where this is unavailable, via the appropriate and available UNE forms and associated procedures.

Special protocols — Health Information

(47) No

Special protocols — Sensitive Information

(48) No

Special protocols — Other

(49) Where it is not possible to amend or correct personal information (eg. if a corporate system is temporarily unavailable; if a system will not allow it; if the change is in conflict with legislation, the University's Records Management Rule or other UNE policy; or if the question of accuracy is contentious) the request for change is to be recorded on an official record (eg. alternate online or hard copy record) in lieu of making the change upon a corporate personnel system or database. The record should be made available as an addendum to any system or record where the original information is kept, so that users at the original information source are aware of the discrepancy. The information should be updated and the corporate record amended as soon as possible.

Special exemptions

(50) As per Clause 43 above.

Key messages

(51) No

Use and disclosure

(52) The use and disclosure of personal and health information will be limited by the University and restricted to the purpose for which it was collected, unless the individual to whom the information relates, provides their consent; or the use of the information directly relates to the purpose for which it was collected; or, the information is provided to a third party in order to prevent or lessen a serious or imminent threat to a person's health or safety.

(53) In addition, the University may collect, use and disclose personal information where it is required, authorised or permitted by legislation, a court order or other enforcement body to do so. The University must ensure that all requests for disclosure will be in writing (and where applicable on corporate letterhead). Specific details relating to New South Wales, Commonwealth or other jurisdictions, are outlined within 'Special Protocols' at Clauses 54 - 61 of this Rule).

Special protocols - Health Information

(54) Health Information Privacy Principles provide additional usage and disclosure protocols, as follows:

1. Identifiers may be used to protect individuals identities. The identifier represents the individual and protects their identity and health-related data. University researchers may use identifiers to ensure anonymity of research participants. Identifying details (names, dates of birth and addresses) are replaced by a unique identifier, preferably a running number. If the de-identification of data is adequate, the data is no longer subject to Privacy Acts or associated legislation.
2. Linkage of health records and information. The University must not include health information about any individual in a health records linkage system unless the person involved has provided their consent for this to occur. Where linkages occur across state borders (eg. with the intention of providing better health services and a more centralised health records management approach) the transfer of health information must not occur unless the individual involved has provided their consent for this to take place and, the transfer is in accordance with Clause 56 of this Rule.

Special protocols - Sensitive Information

(55) Sensitive information must be safeguarded and will not be disclosed unless the disclosure is necessary to prevent a serious and imminent threat to the life or health of the individual concerned, or another person.

Special protocols - Other

(56) Personal information must not be disclosed to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless:

1. It is legally required via an Australian law, court/tribunal order or enforcement agency and presented to the University in writing (and on corporate letterhead);
2. A relevant privacy law that applies to the personal information concerned is in force in that jurisdiction or applies to that Commonwealth agency; or
3. The disclosure is permitted under a relevant Privacy Code of Practice (Part 3, Division 1 of the PPIPA).

(57) Where the University engages a third party contractor to undertake functional activities (eg. mailing houses, IT support agencies, online voting services, specialist contractors) UNE's privacy obligations also apply to the third party and must be incorporated into any contract or contractual obligations between them and the University.

(58) Personal information must not be used or disclosed for the purpose of direct marketing, unless:

1. It has been made clear to the individual at the time of collecting the information, that it would be used for direct marketing purposes; and
2. The University provides individuals with a simple means by which they may easily consent to or request not to receive any further direct marketing communications.

(59) In each direct marketing communication with the individual, the University is to include a statement that an individual may request to not receive any further direct marketing communique (eg. via an unsubscribe option for online marketing channels).

(60) If the University intends to disclose personal information to third party marketing organisations, it must explain its intention and ensure individuals have an option to not take part in third party operations.

(61) Disclosure of personal information to recipients (also referred to as 'cross-border' disclosures) in other jurisdictions:

1. The University must take reasonable steps to ensure that any entity in receipt of personal information from its records, does not breach the APPs in relation to the management and use of that information.
2. Personal information will not be disclosed to entities associated with other jurisdictions unless the disclosure had been requested when the information was collected, and the individual concerned had consented to its disclosure. Personal information may be disclosed however, if:
   1. It is required or authorised in writing (and on corporate letterhead) by or under an Australian law or a court/tribunal order, or an enforcement body.
   2. The overseas entity is an agency and:
      1. the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or
      2. the entity reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by or on behalf of an enforcement body; and the recipient is a body that performs functions or exercises powers that are similar to those performed or exercised by an enforcement body.

Special exemptions

(62) As per Clause 43 above.

Key messages

(63) Online forums or other interactive/social media. Information disclosed in online forums or other interactive/social media (including chat rooms, discussion forums, message boards, news groups, blogs etc.) is considered by common law to be public information. Engaging with these online communication channels is an opt-in event and it is important that any UNE representative considering developing or joining an online forum understand that owners of forum sites will require details (eg. your email address, name etc.) to be transmitted to third parties. Staff and students as a result of their association with the University should exercise caution when engaging with online communication channels and social media — and when posting material should ensure that they do not post any confidential information, or material that has the potential to damage the reputation of the University or others. UNE representatives should refer to policy information surrounding the social media environment (via the UNE Social Media Policy) in relation to this issue.

(64) Mailing and contact lists. The University and individual units within the University may keep subscriber, mailing and contact lists that contains personal information. The lists will not be used for any other reason than those explained to subscribers when they were invited to join the list and the University requested and received their consent to include their personal information within it. With each piece of promotional or other correspondence generated using the mailing/contact list, the University will also include an 'opt-out' provision, to allow subscribers to unsubscribe should they wish.

(65) The University maintains a number of public registers that highlight a connection between the organisation and those who support it. These include:

1. Student registers, including:
   1. Graduate lists; and
   2. Lists of scholarship and prize recipients.
2. Alumni registers, including:
   1. Distinguished Alumni Award recipients; and
   2. Donor lists.
3. Staff registers, including:
   1. Staff contact lists.
4. Council/Board members including:
   1. UNE Council and Council subcommittees;
   2. UNE Academic Board; and
   3. UNE Life Pty Ltd Board.
5. Business registers including:
   1. Register of Government Contracts; and
   2. Disclosure log of information released under the GIPA Act.

Privacy concerns and complaints

(66) The University's Privacy Officer should be informed of all privacy concerns and complaints, including potential breaches of privacy associated with the University and its controlled entities in the management of its operations and obligations.

Making a complaint

(67) Complaints may be addressed in one of two ways:

1. Informally, via the UNE Privacy Officer; or
2. Formally, via an internal review request to privacy@une.edu.au , but only in relation to their own personal or health information. People cannot seek an internal review for a breach of someone else's privacy, unless they are authorised representatives of the other person.

(68) Informal complaints can be addressed by the UNE Privacy Officer in collaboration with the UNE area concerned, without the need to lodge an internal review request.

(69) Formal complaints are addressed by lodging an internal review request (form link to: http://www.ipc.nsw.gov.au/form-privacy-complaint ), in accordance with Section 53 of the PPIP Act. The internal review request must be lodged within six months of the affected individual becoming aware of the conduct in question.

Informal complaint process

(70) In most cases, it is possible to address informal complaints without the need to lodge an internal review request.

(71) The UNE Privacy Officer will address informal complaints collaboratively, with a view to alleviating privacy concerns and identifying/developing future activities to raise awareness of privacy issues and ensure privacy breaches do not occur.

(72) If you are dissatisfied with the outcome of the informal complaint, you may request an internal review be conducted in relation to the privacy issue raised.

Internal review process

(73) A request for internal review must be lodged within six months of the affected individual becoming aware of the conduct in question. Later applications will be considered once the UNE Privacy Officer has determined that it is appropriate to accept the late application.

(74) Internal reviews are undertaken in line with legislative requirements outlined by Privacy NSW, in their Internal Review Checklist form (link to: http://www.ipc.nsw.gov.au/form-privacy-complaint ).

(75) The UNE Privacy Officer will usually undertake the internal review and decide how the University should respond to the issues raised.

(76) The University is required to inform the NSW Privacy Commissioner of any applications for internal review, and to provide the Commissioner with a copy of:

1. The internal review application;
2. A draft review report; and
3. Final review report.

(77) The Commissioner will be provided with an opportunity to make a submission to the University before the review process is complete, in relation to the privacy matter and the University's findings.

(78) The University is to complete the internal review within 60 days after receipt of an internal review application.

(79) The internal review investigation will usually include:

1. An assessment of the information provided, against definitions of personal information or health information, as appropriate;
2. Identification of the relevant Privacy Principles outlined within this Rule, in accordance with the Information Protection Principles (under Part 2 of the NSW Privacy and Personal Information Protection act 1998) ( link: http://www.legislation.nsw.gov.au/#/view/act/1998/133/whole ) or the Health Privacy Principles (under Schedule 1 of the NSW Health Records and Information Privacy Act 2004) ( link: http://www.austlii.edu.au/au/legis/nsw/consol_act/hraipa2002370/sch1.html );
3. A review of documents relating to the matter, with such documents to be obtained by the UNE Privacy Officer making reasonable searches or requests for documents held in the University's recordkeeping systems, as well as business systems, network and email folders;
4. A review of relevant business processes; and
5. Interviews with staff who may have been involved with the matter in question, or who provide or manage the related business process.

(80) If it is considered that the information being investigated is not specifically related to personal or health information, the Privacy Officer will not investigate the conduct in question any further. The matter will be forwarded to the appropriate member of the UNE Senior Executive team, for consideration and appropriate action.

(81) If it is considered that the review relates to a University business process, the review may include the relevant member of UNE's Senior Executive responsible for the process (or activity).

Administrative review application

(82) An applicant who is not satisfied with the outcome of an internal review, can request the New South Wales Civil and Administrative Tribunal (NCAT) to review the conduct and subsequent decision complained about. The request must be lodged within 28 days of completion of the review. Please refer to the Privacy Complaint Management section located at the University's Compliance System Register via the following link: https://compliance.une.edu.au/overview.php?id=4 .

(83) If an internal review is not completed within the 60 day timeframe allowed, the 28 day time limit to request an NCAT review begins from the later of the following two dates:

1. The date the applicant was notified of the outcome of the internal review, or
2. The day on which the 60-day time limit expires.

(84) UNE representatives are to fully cooperate with any privacy-related investigation, providing access to any relevant or requested documentation as requested. Where UNE representatives are aware of activities relating to the potential request of personal information (eg. legal action or a privacy investigation) any material relating to the investigation on corporate record and IT systems is to be preserved until the investigation is finalised and any external appeal timeframes have been met.

(85) Information relating to compliance obligations for appropriate privacy training of staff is located at the University's Compliance System Register via the following link: https://compliance.une.edu.au/overview.php?id=4

(86) Information relating to non-compliance and offences under the PPIP Act and the HRIP Act are located at the University's Compliance System Register via the following link: https://compliance.une.edu.au/overview.php?id=4

(87) Contact details for the NSW Civil and Administrative Tribunal, as well as for the NSW Privacy Commissioner, are located at the University's Compliance System Register via the following link: https://compliance.une.edu.au/overview.php?id=4

(88) If an individual suspects that any corrupt conduct has been entered into in relation to the management by the University of personal or health information, the matter should be addressed in accordance with UNE's Public Interest Disclosure Rule and its associated procedures.

Authority and Compliance

(89) The UNE Council, pursuant to Section 29 of the University of New England Act, makes this University Rule.

(90) UNE Representatives must observe it in relation to University matters.

(91) The Rule Administrator is authorised to make procedures and guidelines for the operation of this University Rule. The procedures and guidelines must be compatible with the provisions of this Rule.

(92) This Rule operates as and from the Effective Date.

(93) Previous Privacy Statement, Privacy Management Plan and related documents, are replaced and have no further operation from the Effective Date of this new Rule.

(94) Notwithstanding the other provisions of this University Rule, the Vice-Chancellor and Chief Executive Officer may approve an exception to this Rule where it is determined that the application of the Rule would otherwise lead to an unfair, unreasonable or absurd outcome. Approvals by the Vice-Chancellor and Chief Executive Officer under this clause must be documented in writing and must state the reason for the exception.

Section 4 - Definitions

(95) Collection (of personal information) means the way the university acquires the information, for example:a written form, a verbal conversation, an online form, or taking a picture with a camera.

(96) Consent refers to the written consent from an individual for the University to undertake a particular action in relation to personal information, such as an additional use or disclosure to another party.

(97) Disclosure refers to the provision of personal information to a party or person external to the University. Provision of personal information internally may also be considered a disclosure where the personal information is about a staff member, or the information is health information.

(98) Holding of personal information: The University will be considered to be 'holding' personal information if it is in the University's possession or control, or if it is held by a contractor or service provider on our behalf. Most of the privacy principles apply to when the University is 'holding' personal information, which means we remain responsible for what our contractors or service providers do on our behalf.

(99) Personal information refers to information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. In accordance with Section 4 of the Privacy and Personal Information Protection Act 1998 (NSW). It includes such things as:

1. a person's name, address, information about a person's family life, information about a person's sexual preferences, financial information, photos, contact details, opinions, health conditions or illnesses, housing or tenancy information, work history, education and criminal histories;
2. an individual's fingerprints, retina prints, body samples or genetic characteristics;
3. payroll details, information about next of kin, emergency contacts, superannuation fund and tax file numbers.
4. Health information, in accordance with Section 6 of the Health Records and Information Privacy Act 2002 (NSW), incorporating information or opinions about:
   1. The physical or mental health or a disability (at any time) of an individual, or
   2. An individual's express wishes about the future provision of health services to him or her, or
   3. A health service provided, or to be provided, to an individual, or
   4. Other personal information collected to provide a health service, or in providing a health service, or in connection with the donation of human tissue or body parts; or
   5. Genetic information that is or could be predictive of the health of a person or their relatives or descendants.
5. Some things (such as information about an individual who has been dead for more than 30 years and information about an individual that is contained in a publicly available publication) are exempt from the definition of "personal information" and these are listed in full, under Section 4(3) of the PPIPA.

(100) Sensitive personal information relates to information about a person's racial or ethnic origin, political perspectives, religious/philosophical beliefs, sexual activities or union membership.

(101) Unsolicited personal information is information that the University receives, but has taken no active steps to collect. For example: an employment application sent to the University on an individual's own initiative and not in response to an advertised vacancy.