|Establishment:||Vice-President (Corporate Services), 22 June 2016|
|Nature of Amendment:|
|Date Last Reviewed:|
|Responsible Officer:||Director, Integrity Governance and Risk|
All policies and procedures are being reviewed as part of this project. This document is pending review, but remains in effect until the review is carried out.
Ensure you are aware of your responsibilities for the personal information you collect, use or hold.
Failure to comply with these procedures may result in disciplinary action in accordance with the relevant disciplinary procedures. These are:
|Collection of Personal Information||
|Purpose of Collection, Use and Disclosure||
|Access to and correction of Personal Information||Individuals generally have a right to access the information we hold about them, but access can be withheld in certain circumstances. There are strict limitations on access by any other persons or agencies.|
|Unauthorised Disclosure or Loss of Personal information||Immediately notify the relevant manager and the Privacy Officer of any breach of privacy. Ensure immediate action is taken to secure all Personal Information.|
|Complaints about breaches of privacy||For procedures for handling complaints by students, refer to the policy on Student Information. Refer complaints from individuals other than students to the Privacy Officer.|
(a) health, health treatment, or other medical needs;
(b) race, ethnicity or religion;
(c) professional or political affiliations and memberships;
(d) criminal record;
All University staff, volunteers, adjunct staff, contractors and any other persons acting on the University’s behalf who have reason to collect, access, use or deal with Personal Information are responsible for:
Supervisors/Managers are responsible for:
Integrity Governance and Risk Division is responsible for:
Information Technology Services is responsible for:
1.1 Ensure that Personal information requested from individuals is the minimum needed for one or more of the University’s functions or activities.
1.2 Collect the information in a way that is transparent and not intrusive.
1.3 Collect Personal Information about an individual only from the individual unless it is unreasonable or impracticable to do so.
1.4 Where you are collecting information for the purposes of undertaking research, you must ensure that you gain appropriate research ethics approval.
Example: If you manage an email list of people who ask to receive information by email, eg a newsletter, record only their name and email address. Do not ask for or record unnecessary information such as their home address or phone number.
1.5 Obtain express consent (e.g. signed consent forms) wherever possible.
1.6 Sensitive information may only be collected with informed consent.
1.7 Staff should seek advice from the Privacy Officer when seeking to rely on implied consent or before relying on any of the following exemptions from collecting Personal Information without the person’s consent:
a) the collection is required or authorised by Australian law or a court; or
b) it is unreasonable or impracticable to obtain consent and there is evidence that the information is needed to lessen or prevent a serious threat to the life, health or safety of an individual or the public; or
c) there is evidence that the information is needed in order to take action on suspected unlawful activity or misconduct of a serious nature (see also 4.7 below); or
d) the information is reasonably necessary for a legal defence or claim by the University; or
e) the information is health-related and is required for the provision of a health service to the person and the information is collected in accordance with professional confidentiality; or
f) the information is health-related and:
Examples: The University wishes to use information about successful students in a course for promotional purposes. Information on their success is available from the Student Information System, but you should not identify any students in such promotions without their consent. Nor should photos of students in class or on field trips be used for promotional purposes without consent. Students would need to be invited to be identified in the promotional activity, must consent to it in writing and must be given a Privacy Statement. See also 3.2 below.
You are on an interview panel for a staff vacancy and you make a note that an applicant appears to have a physical disability. Making such a note would amount to the collection of sensitive information without the consent of the individual.
If you collect Personal Information that is to be sent on to another organisation, such as another university, be sure to inform students prior to collection that this is the intention.
If a student joins a University club, they must provide their personal details to the club themselves. You should not release information to the club without the student’s consent.
Anonymity and Pseudonymity
1.8 Unless required by law to verify identity or it is impracticable to deal with individuals if they have not identified themselves, consider whether individuals can be dealt with on an anonymous or pseudonymous basis.
Examples: The name field on survey forms should not be mandatory unless it is intended to make follow-up contact with the individual.
The University must enrol a student and award their degree using the true name of the student.
NB, the fact that a student graduated, the name of their particular degree and year of graduation are public knowledge, but their results are not.
1.9 Where statistical information only is required, the information must be de-identified.
Example: The University collects health information from a student through an application for supplementary assessment on medical/compassionate grounds. The information should only be used to assess the application and not for any other purpose. Any summary of the number or nature of such applications must not include information that might identify individuals.
Notification – Privacy Statement
1.10 At or before the time of Personal Information collection (or as soon as practicable after), ensure individuals are aware of the Privacy Statement relating to the collection of that Personal Information. The Privacy Statement should include:
“This information is being collected by or on behalf of Flinders University’s [University School/Division..., contact:…].
**Additional text depending on the circumstances:
If there is a law requiring the Personal information to be collected:
The information is being collected in accordance with [state relevant legislation here…]
If you know there is need for the Personal Information to be disclosed to a third party:
“The University will need to disclose your Personal Information to [insert purpose of collection, third party name and contact/ location]”.
If there will be significant consequences if Personal Information is not provided:
If you do not provide the information, [insert consequence:...].”
Example: A researcher wants to survey persons in a specific area for a research project. The researcher obtains names and addresses from the electoral roll. The researcher should ensure that the survey sent to the individual explains where the researcher has obtained their details from and includes a Privacy Statement.
Example: Where you use a form on a web-page to collect information, ensure that the web-page provides a Privacy Statement and requires the user to tick a box agreeing to the terms and conditions of the Privacy Statement.
Unsolicited Personal Information
2.1 If unsolicited Personal Information is received, determine whether it could have been collected for one or more of the University’s functions or activities. If not, it must be destroyed or de-identified.
Security of Personal Information
2.2 Take reasonable steps to protect any Personal Information that is held from misuse, interference, loss, unauthorised access, modification or unauthorised disclosure, by:
a) using locked filing cabinets and office security for hard copy Personal Information;
b) using file access controls for Personal Information in digital form;
c) using encryption (contact the ITS Helpdesk for assistance) for digital transfer of Personal Information outside the University;
d) ensuring that appropriate data handling and security measures are in place, where Personal Information is disclosed to recipients overseas;
e) reviewing existing agreements with third parties overseas that we engage to handle Personal Information, to ensure those third parties meet appropriate privacy and security management standards.
2.3 Consult the Manager, University Records, about destruction or de-identification of Personal information if it is no longer needed for any purpose for which it may be used or disclosed, and that is not required by law to be retained.
Example: Staff in Schools should not keep their own files of student information that is already stored on the Student System. Student information not retained on the Student System should be lodged with Enrolment Services for storage in the central student file.
Disclosure to third parties
2.4 Permitted disclosures of Personal Information to third parties include:
a) Government departments and agencies to satisfy statutory reporting requirements;
b) the University’s controlled entities or subsidiaries, to the extent such Personal Information is required by the controlled entity or subsidiary to provide services to or on behalf of the University;
c) external advisers and service providers to the extent such Personal Information is required for that party to provide services to the University;
d) collaborating parties (eg other education institutions) where Personal Information is required for the collaborative activity to be undertaken;
e) IT service providers to enable the provider to establish user accounts for University staff, students and others connected with the University, or to enable information storage or processing.
Example: Where students’ details are given to an outside organisation that provides work placements for students, the students must be informed. Only information essential for providing the placement should be provided to the organisation; refer to the Work Integrated Learning policy and procedures.
Centrelink can require the University to provide enrolment information about a student.
The University must provide the Australian Health Professional Regulation Authority with details of students in certain medical, nursing and health sciences courses to enable those students to be registered by AHPRA.
The University must report any student visa breaches to the Department of Immigration and Citizenship.
The Law Society of SA is authorised to inquire whether a person who has applied for admission to legal practice has been guilty of dishonest conduct or any other conduct relevant to whether the applicant is a fit and proper person to be admitted as a legal practitioner.
2.5 Before Personal Information is disclosed to an overseas recipient, steps must be taken to ensure that the overseas recipient does not breach the Australian Privacy Principles.
Examples of overseas disclosure include:
2.5.1 At least one of the following conditions must be met before there is any disclosure of Personal Information to third parties overseas:
2.5.2 In determining the acceptability of disclosure to offshore third parties, staff must also consider the types of information to be disclosed, the location of the provider’s facilities and the provider’s data security protocols. The provisions of the University’s Information Classification Framework should be adhered to.
2.5.3 A risk assessment must be completed and the business owner must accept any identified risks before any arrangement or contract is entered into with a provider. Where the arrangement with the overseas third party is for information management, ITS must complete the risk assessment and provide recommendations. Where the arrangement is with an overseas educational institution, or relates to a course of study (for example overseas student placement), the International Centre should be asked to provide the risk assessment.
Example: Where a contract with an overseas university is being negotiated, ensure you obtain advice on the terms of the contract concerning information privacy from Legal Services and the International Centre.
Example: If you want to use a third party cloud provider to store Personal Information, you should contact ITS and ensure you observe existing Cloud Storage Security Requirements. Any agreement or formal contract with a cloud service provider must be assessed to ensure the provider securely stores and transmits Personal Information. All such contracts must be approved by ITS.
Be careful also with storing Personal Information in Dropbox (or similar services such as OneDrive, Box, Google Drive etc). These services do not guarantee the privacy or security of your data. Sensitive University data must not be stored using these services unless approved by ITS.
3.1 The use of Personal Information is restricted to purposes related to our functions and activities. The purpose for which you collect Personal Information is the primary purpose and you must not use or disclose the information for a secondary purpose.
Exceptions include where:
a) consent is obtained;
b) authorised or required by law;
c) certain health situations or law enforcement situations arise;
d) the individual would reasonably anticipate the secondary purpose and the purpose is related to the primary purpose.
3.2 Direct marketing can only occur if a simple opt-out mechanism is provided and the individual has not asked to opt out. You must have each individual’s express or implied consent and the individual should reasonably expect the University to use or disclose the Personal Information for that purpose.
3.3 Carefully manage direct marketing processes and mail out lists, including opt-outs.
Government related identifiers
3.4 Government related identifiers such as Tax File Numbers and Medicare numbers must not be adopted by the University to identify individuals.
3.5 Do not use or disclose Government-related identifiers unless required or authorised by law, or where:
a) reasonably necessary to verify the person’s identity for the purpose of the University’s business;
b) required to fulfil obligations to a Government agency;
c) reasonably necessary for law enforcement.
4.1 Before Personal Information is used or disclosed, consider whether it is accurate, up-to-date, complete and relevant. At least annually, remind individuals whose Personal Information is held on an ongoing basis to confirm the accuracy of their Personal Information.
Example: Include in newsletters a reminder to notify changes of address etc. and include a blank form, email address or link to a web-page for doing so.
Persons seeking access to their own Personal Information
4.2 In most cases and subject to verification of identity, individuals have a right to access, correct, or update their Personal Information. You should respond to requests for access or correction in a timely manner (within 30 days).
4.3 Current and former students can access their Personal Information in accordance with the relevant provisions of the policy on Student Information.
4.4 Employees and academic status holders can contact Human Resources to make an appointment to view their centrally-held appointment file in the presence of a Human Resources officer. Where personnel files are maintained by the local area to which the employee or academic status holder is appointed, the employee or academic status holder may submit a request to their Dean of School/portfolio manager to view their local personnel file in the presence of a School/portfolio officer.
4.5 Identity verification requirements include:
4.5.1 In person, picture ID eg student or staff card or driver’s licence;
4.5.2 By telephone, questions to verify a range of details, e.g., FAN, Student or staff ID, Date of Birth, Course, address;
4.5.3 Via e-mail, other than a Flinders University e-mail address, ask the person to log in using their FAN and password to authenticate themselves and submit their request via their Flinders e-mail. If the person no longer has a Flinders e-mail address, verify their identity by asking a series of questions, as above.
4.6 Persons other than staff, affiliates or students seeking access to their own Personal Information held by the University about them should be directed to the Freedom of Information Officer.
Limitations on Access
4.7 Documents may be withheld or redacted if the University determines that it would not be appropriate for access to be granted. Access by an individual to their Personal Information may be denied for the following reasons:
a) There would be an unreasonable impact on the privacy of other individuals (e.g. personally identifying information of referees on a staff appointment file);
b) the request for access is frivolous or vexatious;
c) the documents are subject to confidentiality obligations or legal professional privilege;
d) granting access would compromise the University in anticipated legal proceedings or commercially sensitive decision-making processes;
e) there is a potential threat to life, health or safety.
4.8 An individual who is denied access to a document or who has had their correction request refused must be given reasons for the refusal and should be advised of their entitlement to submit a Freedom of Information application.
Example: A student seeks copies of correspondence between the University and its solicitors concerning a legal matter involving the student. Correspondence between the University and its solicitors is subject to legal professional privilege and should not be released.
A student seeks copies of correspondence between two lecturers concerning accusations about the student’s behaviour. The student should seek the information under the Freedom of Information Act and should be referred to the Freedom of Information Policy.
A lawyer claiming to act for a student seeks that student’s academic record. The student must provide written consent for that information to be released.
If a lawyer is acting in a court case against a student or a staff member, Personal Information may only be released to the lawyer if the court issues a subpoena or similar order.
Third parties seeking access to Personal Information
4.9 Permitted disclosures to third parties are set out in paragraph 2.4 above. The examples listed below address some common requests for access from third parties.
4.9.1 Access to Student Personal information must be in accordance with relevant provisions of the policy on Student Information.
4.9.2 Any request from the police for access to any person’s Personal Information, or the presentation of any form of warrant by police, must be referred to Legal Services for advice. Legal Services will provide advice to the relevant senior manager on the release of any information or action to be taken.
4.9.3 Requests for access by Government agencies should cite the authority upon which the request is made. If uncertain about the bona fides of the request, seek advice from the Integrity Governance and Risk Division before releasing any information.
4.9.4 Personal Information must not be disclosed in response to a lawyer’s request except with the consent of the person to whom the information relates, or if required by law or a subpoena or court/tribunal order.
Examples: A member of the public contacts your department and asks for the contact details of another staff member. You could refer them to the Staff Directory, as it is publicly available information that staff know is disclosed, but if the caller wants private information, take the caller’s contact details and refer the details to the staff member so that they can contact the caller.
A member of the public claiming to be the relative of a student contacts you to seek information about the student. You should not provide any information, or even acknowledge that they are a student, except where the student has given written permission for specified information to be released to specified individuals. Where permission has been given, ensure you verify the caller’s identity first and then make a record of the disclosure.
Police wish to know if a person is enrolled at the University and their study details. The police submit a warrant or police letter quoting the Act that entitles them to request the information or a letter from someone of suitable authority stating that the information is reasonably necessary for the investigation of an offence. The matter should be referred to Legal Services for advice.
If a staff member is suspected of illegal activities, the University may disclose the staff member’s Personal Information to the Police or other authorised investigator.
Personal Information Breach
5.1 The relevant area manager must be notified immediately of any breach of privacy, whether it affects electronic records or other forms of information. The manager must take immediate action to contain the loss or unauthorised disclosure or access where possible (e.g. by stopping the unauthorised practice; recovering the records; advising persons who have received the information by mistake to destroy that information).
The area manager must notify the Privacy Officer and, in the case of electronic records, the ITS Service Desk, about the privacy breach and the matter will be investigated to determine what further steps are necessary, having regard to the following factors:
The Office of the Australian Information Commissioner (OAIC) and affected individuals should be notified following a serious data breach in which personal information held by the University about one or more individuals is subject to unauthorised access or unauthorised disclosure or loss that puts any of those individuals at real risk of serious harm.
Examples: A staff member accidentally sends a list of personal details of students to an incorrect personal email address.
Do not send Personal Information outside the University unless it is appropriately secured or encrypted. Always check email addresses before sending.
A staff member loses a USB storage device, containing Personal Information about some staff, in a public place.
Do not put Personal Information on your private USB. Any Personal Information placed on a University USB must be encrypted or password protected and the USB must be securely stored.
See also the IT Security Quick Reference Guide.
It appears that the security of a database containing Personal Information has been breached.
Report the incident immediately to ITS. Be sure to distinguish privacy breaches from other data breaches. Do not take any further action without consulting ITS.
Students have been sent marketing material, having previously indicated that they wished to opt out of receiving such material.
Issue an apology to the students and ensure that opt-out information for those students is correctly recorded.
Notifying affected individuals
5.2 If there is a risk of serious harm to the affected individuals, a report must be submitted to the Office of the Vice-Chancellor advising the nature of the breach and the possible consequences of it (in the terms outlined in 6.1 above), with a recommendation as to whether the affected individuals should be notified. Any such notification might include the following:
a) a brief description of the incident and timing;
b) a description of the Personal Information involved in the breach;
c) an apology and an indication of the steps that have been or will be taken to control or reduce any adverse impact;
d) suggestions on what other steps the individual can take to minimise any adverse impact;
e) any assistance the University can provide; and
f) University contact details for further information.
In cases of breaches of privacy involving electronic data, the report to the Office of the Vice-Chancellor will be submitted by ITS and in all other cases it must be submitted through the Privacy Officer.
5.3 The Privacy Officer will work with the area manager and other relevant areas (e.g. Information Security) to determine and implement any possible actions to prevent future breaches. The University will, if required by law, notify the relevant government agency of the privacy breach. If the breach was a result of theft or other crime, the University will report the matter to the police.
6.1 For procedures for handling complaints from students, refer to the policy on Student Information, clause 10.
6.2 The procedures set out below must be followed in the case of complaints received from individuals other than students.
|1. Submitting a complaint about the University's handling of an individual's personal information|
1.1 All complaints must be submitted to the Privacy Officer in the first instance.
1.2 The Privacy Officer will check that the individual making the complaint is the individual whose personal information has been affected. If not, the Privacy Officer will clarify the complainant’s authority to act for the individual whose privacy is the subject of the complaint.
1.4 If there has been a breach of electronic information security, the Privacy Officer will notify Information Technology Services immediately.
1.5 If the Privacy Act does not apply to the complaint, the Privacy Officer will consider whether the complaint can be dealt with under the University's other complaint handling procedures.
|2. Acknowledging receipt of the complaint|
2.1 The Privacy Officer will acknowledge all complaints in writing within 5 working days and clarify their understanding of the complaint.
2.2 If the complaint cannot be resolved through this initial contact with the Privacy Officer, the matter will be referred to the appropriate area for investigation.
|3. Referring the complaint to the appropriate area for investigation|
3.1 Where investigation of the complaint is required, the Privacy Officer will refer the complaint promptly to the appropriate senior officer for investigation:
3.3 The senior officer may undertake the investigation of the complaint and prepare a response or nominate an officer to do so. The investigating officer must be independent of the person/s responsible for the alleged conduct.
3.4 Where the complaint is referred for investigation, the Privacy Officer will notify the complainant of the name, title, and contact details of the investigating officer handling the complaint.
3.5 The investigating officer will contact the complainant within 30 days of the complaint being lodged.
3.6 Where the complaint involves a breach of electronic information security, the investigation of the complaint will be coordinated by Information Technology Services (ITS), Information Security, Quality and Risk.
|4. Investigating the complaint by staff in the Division, School or Entity to which the complaint has been referred by the Privacy Officer|
4.1 Matters for the investigating officer to consider:
4.2 Where a complaint is found to have been substantiated, the staff member handling the matter will take steps to redress the concerns raised by the complainant and notify the complainant of the actions taken. Examples of outcomes may be: an apology, together with a review and revision of policy, forms, procedures and/or staff training and/or improvement of security safeguards and/or initiation of disciplinary procedures.
4.3 Where it appears that a staff member has deliberately or maliciously disclosed or given unauthorised access to information or breached confidentiality or may be guilty of serious misconduct as a result of the misuse of information, a recommendation may be referred to the Director, Human Resources, to initiate disciplinary procedures under the relevant industrial award.
4.4 The senior officer and/or the investigating officer should consider any systemic issues raised by the complaint and possible responses, such as:
|5. Communication with the complainant|
5.1 The investigating officer must reply to the complainant in writing within 30 calendar days of the complaint being lodged, informing the complainant of:
5.2 The investigating officer should write to the complainant:
5.3 Arrange for the issuing of an apology if the area did not comply with the relevant privacy obligation/s and consider whether any additional outcomes may be appropriate.
The apology should be issued by the appropriate senior officer:
|6. Complainant's response|
6.1 If the complainant seeks further action or is not satisfied with the outcome:
6.2 If the complainant is not satisfied with the outcome, the investigating officer should first attempt to resolve the matter informally, through discussion and mediation and in accordance with the principles of natural justice and procedural fairness. The investigating officer and/or the complainant can seek mediation from the Privacy Committee of South Australia. The Privacy Committee has no formal responsibility with respect to universities, but is willing to assist in the resolution of privacy complaints involving South Australian universities.
|7. If the complainant is still not satisfied with the outcome|
|7.1 If still not satisfied, a complainant who has made a complaint which has been substantiated may seek, where applicable, to have the matter resolved through a process consistent with clause 17 of the University’s Grievances procedures.|
|8. Record the Outcome of the Investigation of the Complaint|
|8.1 The senior officer or investigating officer should ensure that all records of the complaint and the investigation and outcome are confidentially secured and, following completion of the investigation, submitted to the Privacy Officer. All complaint records should be stored securely and in accordance with the Records Management Policy.|