Policy Redesign Project

All policies and procedures are being reviewed as part of this project. This document is pending review, but remains in effect until the review is carried out.

Privacy Management Procedures

Establishment: Vice-President (Corporate Services), 22 June 2016
Last Amended:  
Nature of Amendment:  
Date Last Reviewed:  
Responsible Officer: Director, Integrity Governance and Risk

This document provides guidance as to how the principles of the Privacy Policy should be applied and is based on the Australian Privacy Principles.

Key Obligations
Responsibilities

Ensure you are aware of your responsibilities for the personal information you collect, use or hold. 

Failure to comply with these procedures may result in disciplinary action in accordance with the relevant disciplinary procedures. The key obligations are:

Collection of Personal Information
  • Only collect information that’s reasonably necessary for University business.
  • Ensure you have express or implied consent to collect the information, unless there are grounds for an exemption (see clause 1.7 below) to this requirement. If you receive unsolicited Personal Information, determine whether you could have collected it for a University purpose; otherwise destroy or de-identify it.
  • Consider whether there are measures that could be adopted to facilitate anonymous dealings with the University.
Data Security
  • Ensure there are appropriate facilities for securely storing and handling Personal Information.
  • Ensure the personal information you hold is accurate and up to date and provide a mechanism to enable individuals, e.g. students and staff, to update their personal details.
  • Destroy or de-identify Personal Information if it is no longer needed, and is not required by law to be retained.
Purpose of Collection, Use and Disclosure
  • Be mindful of the primary purpose for collection of Personal Information. Don’t use or disclose Personal Information for a secondary purpose unless an exemption applies.
  • Direct marketing can only occur by consent or where there is an expectation that Personal Information would be used for direct marketing. Ensure all direct marketing material has an opt-out provision.
  • Do not use Government identifiers such as Tax File Numbers to identify staff, students or the public.
  • There are special requirements relating to the disclosure of personal information to overseas recipients. Advice should be sought from the Privacy Officer.
Access to and correction of Personal Information
  • Individuals generally have a right to access the information we hold about them, but access can be withheld in certain circumstances. There are strict limitations on access by any other persons or agencies.
Unauthorised Disclosure or Loss of Personal Information
  • Immediately notify the relevant manager and the Privacy Officer of any breach of privacy. Ensure immediate action is taken to secure all Personal Information.
Complaints about breaches of privacy
  • For procedures for handling complaints by students, refer to the policy on Student Information. Refer complaints from individuals other than students to the Privacy Officer.
Need Further Advice?
  • Know where to go for advice; ensure you are familiar with the Privacy Policy.


Definitions

The following definitions are quoted from the Privacy Policy:

  • Personal Information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not;
  • Sensitive Information is any Personal Information that is about your:

(a) health, health treatment, or other medical needs;

(b) race, ethnicity or religion;

(c) professional or political affiliations and memberships;

(d) criminal record;

(e) sexuality.

Responsibilities

All University staff, volunteers, adjunct staff, contractors and any other persons acting on the University’s behalf who have reason to collect, access, use or deal with Personal Information are responsible for:

  • complying with University guidelines regarding collection, storage, retention, access, security and disposal of Personal Information, consistent with the Privacy Policy, best privacy management practices and other relevant University policies, including the Records Management Policy and Information Security Policy;
  • seeking approval from Central Records and Archives within the Integrity Governance and Risk Division for the secure destruction of records containing Personal Information; and
  • reporting breaches of privacy and security of Personal Information to their supervisor/manager and to the Privacy Officer, as appropriate (Information Security breaches of any kind should be reported to Information Technology Services – see the Information Security Incident Management Procedure)

Supervisors/Managers are responsible for:

  • promoting and implementing appropriate privacy management practices in their area;
  • monitoring compliance and reporting issues of non-compliance to the appropriate senior manager and the Privacy Officer;
  • ensuring data privacy requirements definition and delivery in projects;
  • reviewing new and existing arrangements/contracts for disclosure of Personal Information to third parties overseas and seeking advice from the Integrity Governance and Risk Division as required;
  • in association with other relevant areas of the University, ensuring the provision of appropriate storage facilities for Personal Information that meet security requirements;
  • ensuring that individuals are regularly reminded to update Personal Information the area holds about them;
  • ensuring that Personal Information access/update/correction requests and privacy complaints from individuals are responded to in a timely manner;
  • reporting actual or suspected breaches of privacy to the Privacy Officer.

Integrity Governance and Risk Division is responsible for:

  • maintaining and promulgating the Privacy Policy and related guidance;
  • providing advice on privacy management practices (including legal advice);
  • initiating provision of targeted training and awareness;
  • receiving and coordinating resolution of privacy information requests and complaints;
  • monitoring compliance with the Privacy Policy;
  • supporting the management of all records, including those containing Personal Information and for facilitating approval for the secure destruction of such records;
  • liaison and reporting to regulators and other external bodies on privacy matters; and
  • undertaking the duties of the Privacy Officer outlined in this document.

Information Technology Services is responsible for: 

  • supporting the secure management of applications and systems that store Personal Information;
  • ensuring data privacy requirements definition and privacy impact assessment during the undertaking of implementation projects;
  • assisting with provision of targeted training and awareness, including the provision of guidelines;
  • reporting actual or suspected breaches of privacy to the Privacy Officer;
  • assisting with handling, investigation and resolution of privacy breaches;
  • assisting in facilitating the secure destruction of records containing Personal Information.

Procedures

1. Collection of Personal Information

1.1  Ensure that Personal Information requested from individuals is the minimum needed for one or more of the University’s functions or activities.

1.2  Collect the information in a way that is transparent and not intrusive.

1.3  Collect Personal Information about an individual only from the individual unless it is unreasonable or impracticable to do so.

1.4  Where you are collecting information for the purposes of undertaking research, you must ensure that you gain appropriate research ethics approval.

Example:    If you manage an email list of people who ask to receive information by email, e.g. a newsletter, record only their name and email address. Do not ask for or record unnecessary information such as their home address or phone number.

Consent

1.5  Obtain express consent (e.g. signed consent forms) wherever possible.

1.6  Sensitive information may only be collected with informed consent.

1.7  Staff should seek advice from the Privacy Officer before relying on implied consent, and before relying on any of the following exemptions that permit Personal Information to be collected without the person’s consent:

a)  the collection is required or authorised by Australian law or a court; or

b)  it is unreasonable or impracticable to obtain consent and there is evidence that the information is needed to lessen or prevent a serious threat to the life, health or safety of an individual or the public; or

c)  there is evidence that the information is needed in order to take action on suspected unlawful activity or misconduct of a serious nature (see also 4.7 below); or

d)  the information is reasonably necessary for a legal defence or claim by the University; or

e)  the information is health-related and is required for the provision of a health service to the person and the information is collected in accordance with professional confidentiality; or

f)  the information is health-related and:

  • is necessary for the University to undertake research or statistical analysis relevant to public health or public safety; and
  • it is impracticable for the University to obtain the individual’s consent; and
  • the information is collected in accordance with relevant NHMRC guidelines.

Examples:    The University wishes to use information about successful students in a course for promotional purposes. Information on their success is available from the Student Information System, but you should not identify any students in such promotions without their consent. Nor should photos of students in class or on field trips be used for promotional purposes without consent. Students would need to be invited to be identified in the promotional activity, must consent to it in writing and must be given a Privacy Statement. See also 3.2 below.

You are on an interview panel for a staff vacancy and you make a note that an applicant appears to have a physical disability. Making such a note would amount to the collection of sensitive information without the consent of the individual.

If you collect Personal Information that is to be sent on to another organisation, such as another university, be sure to inform students prior to collection that this is the intention.

If a student joins a University club, they must provide their personal details to the club themselves. You should not release information to the club without the student’s consent.

Anonymity and Pseudonymity

1.8  Unless required by law to verify identity or it is impracticable to deal with individuals if they have not identified themselves, consider whether individuals can be dealt with on an anonymous or pseudonymous basis.

Examples:  The name field on survey forms should not be mandatory unless it is intended to make follow-up contact with the individual.

The University must enrol a student and award their degree using the true name of the student.

NB: the fact that a student graduated, the name of their particular degree and year of graduation are public knowledge, but their results are not.

1.9  Where statistical information only is required, the information must be de-identified.

Example:  The University collects health information from a student through an application for supplementary assessment on medical/compassionate grounds. The information should only be used to assess the application and not for any other purpose. Any summary of the number or nature of such applications must not include information that might identify individuals.

Notification – Privacy Statement

1.10  At or before the time of Personal Information collection (or as soon as practicable after), ensure individuals are aware of the Privacy Statement relating to the collection of that Personal Information. The Privacy Statement should include:

  • The full name of the University and the contact details of the area that is collecting the Personal Information;
  • the purpose/s for which the information is collected;
  • the link to the University’s Privacy Policy for further information;
  • any law that requires the individual’s Personal Information to be collected;
  • any third parties to which the University may disclose the individual’s Personal information and whether any such party is located overseas;
  • any consequences for the individual if all or part of the Personal Information is not provided.

Example:

“This information is being collected by or on behalf of Flinders University’s [University School/Division..., contact:…].

The information you provide will be used for [state purpose here…], and in accordance with the purposes set out in the University’s Privacy Policy. Please refer to the University’s Privacy Policy for more information, including the types of external entities to which the University may need to disclose Personal Information; how you can seek access to your Personal Information held by the University and how you can make a complaint if you feel your privacy has been breached.”

Additional text depending on the circumstances:

If there is a law requiring the Personal Information to be collected:

“The information is being collected in accordance with [state relevant legislation here…].”

If you know there is a need for the Personal Information to be disclosed to a third party:

“The University will need to disclose your Personal Information to [insert purpose of collection, third party name and contact/location].”

If there will be significant consequences if Personal Information is not provided:

“If you do not provide the information, [insert consequence:...].”

Example:  A researcher wants to survey persons in a specific area for a research project. The researcher obtains names and addresses from the electoral roll. The researcher should ensure that the survey sent to the individual explains where the researcher has obtained their details from and includes a Privacy Statement.

Example:  Where you are collecting Personal Information through personal contact (e.g. phone, over the counter), you must inform the individual of the information that is being collected and the purpose of collection, and direct them to the Privacy Policy.

Example:  Where you use a form on a web-page to collect information, ensure that the web-page provides a Privacy Statement and requires the user to tick a box agreeing to the terms and conditions of the Privacy Statement.

2.  Data Security

Unsolicited Personal Information

2.1  If unsolicited Personal Information is received, determine whether it could have been collected for one or more of the University’s functions or activities. If not, it must be destroyed or de-identified.

Examples:

  • emails sent in error
  • unsolicited correspondence
  • extra information provided in a job application

Security of Personal Information

2.2  Take reasonable steps to protect any Personal Information that is held from misuse, interference, loss, unauthorised access, modification or unauthorised disclosure, by:

a)  using locked filing cabinets and office security for hard copy Personal Information;

b)  using file access controls for Personal Information in digital form;

c)  using encryption (contact the ITS Helpdesk for assistance) for digital transfer of Personal Information outside the University;

d)  ensuring that appropriate data handling and security measures are in place, where Personal Information is disclosed to recipients overseas;

e)  reviewing existing agreements with third parties overseas that we engage to handle Personal Information, to ensure those third parties meet appropriate privacy and security management standards.

2.3  Consult the Manager, University Records, about destruction or de-identification of Personal Information if it is no longer needed for any purpose for which it may be used or disclosed, and is not required by law to be retained.


Example:  Staff in Schools should not keep their own files of student information that is already stored on the Student System. Student information not retained on the Student System should be lodged with Enrolment Services for storage in the central student file.

Disclosure to third parties

2.4  Permitted disclosures of Personal Information to third parties include:

a)  Government departments and agencies to satisfy statutory reporting requirements;

b)  the University’s controlled entities or subsidiaries, to the extent such Personal Information is required by the controlled entity or subsidiary to provide services to or on behalf of the University;

c)  external advisers and service providers to the extent such Personal Information is required for that party to provide services to the University;

d)  collaborating parties (e.g. other education institutions) where Personal Information is required for the collaborative activity to be undertaken;

e)  IT service providers to enable the provider to establish user accounts for University staff, students and others connected with the University, or to enable information storage or processing.

Example:  Where students’ details are given to an outside organisation that provides work placements for students, the students must be informed. Only information essential for providing the placement should be provided to the organisation; refer to the Work Integrated Learning policy and procedures.

Centrelink can require the University to provide enrolment information about a student.

The University must provide the Australian Health Practitioner Regulation Agency (AHPRA) with details of students in certain medical, nursing and health sciences courses to enable those students to be registered by AHPRA.

The University must report any student visa breaches to the Department of Immigration and Citizenship.

The Law Society of SA is authorised to inquire whether a person who has applied for admission to legal practice has been guilty of dishonest conduct or any other conduct relevant to whether the applicant is a fit and proper person to be admitted as a legal practitioner.

Overseas disclosure

2.5  Before Personal Information is disclosed to an overseas recipient, steps must be taken to ensure that the overseas recipient does not breach the Australian Privacy Principles.

Examples of overseas disclosure include:

  • The provision of courses of study or student support services by overseas educational institutions;
  • Sharing research data containing Personal Information with an overseas collaborating institution for a specific purpose;
  • Storing electronic files of Personal Information on a server located overseas (e.g. using a cloud service).

2.5.1  At least one of the following conditions must be met before there is any disclosure of Personal Information to third parties overseas:

  • there is a contract between the University and the third party that binds the third party to privacy obligations that are consistent with the Australian Privacy Principles; or
  • the third party is subject to a law or binding scheme consistent with the Australian Privacy Principles and there are mechanisms to access and enforce the protection of that law or binding scheme; or
  • written consent is obtained from the persons concerned to the disclosure of their information to the third party and the persons concerned are made aware that the University’s Privacy Policy might not apply in this instance.

2.5.2  In determining the acceptability of disclosure to offshore third parties, staff must also consider the types of information to be disclosed, the location of the provider’s facilities and the provider’s data security protocols. The provisions of the University’s Information Classification Framework should be adhered to.

2.5.3  A risk assessment must be completed, and the business owner must accept any identified risks, before any arrangement or contract is entered into with a provider. Where the arrangement with the overseas third party is for information management, ITS must complete the risk assessment and provide recommendations. Where the arrangement is with an overseas educational institution, or relates to a course of study (for example an overseas student placement), the International Centre should be asked to provide the risk assessment.

Example:  Where a contract with an overseas university is being negotiated, ensure you obtain advice on the terms of the contract concerning information privacy from Legal Services and the International Centre.

Example:  If you want to use a third party cloud provider to store Personal Information, you should contact ITS and ensure you observe existing Cloud Storage Security Requirements. Any agreement or formal contract with a cloud service provider must be assessed to ensure the provider securely stores and transmits Personal Information. All such contracts must be approved by ITS.

Be careful also with storing Personal Information in Dropbox (or similar services such as OneDrive, Box, Google Drive etc). These services do not guarantee the privacy or security of your data. Sensitive University data must not be stored using these services unless approved by ITS.

Example:    The privacy of the Personal Information of international students enrolling at Flinders on campus, whether they are exchange students here for a semester or completing a whole course, must be treated in the same way as for domestic students. Contracts with offshore universities that provide for exchange agreements or articulated programs must require adherence to the University’s Privacy Policy.

3.  Purpose of Collection, Use and Disclosure

3.1  The use of Personal Information is restricted to purposes related to our functions and activities. The purpose for which you collect Personal Information is the primary purpose and you must not use or disclose the information for a secondary purpose.

Exceptions include where:

a)  consent is obtained;

b)  authorised or required by law;

c)  certain health situations or law enforcement situations arise;

d)  the individual would reasonably anticipate the secondary purpose and the purpose is related to the primary purpose.

Examples:

Students

  • Primary: provision and management of education services
  • Secondary: collating student statistics

Alumni

  • Primary: providing interactive Flinders community/networking services
  • Secondary: targeting alumni for research

Donors

  • Primary: facilitating donations/gifts to Flinders
  • Secondary: invitations to guest lectures/unrelated events

Staff

  • Primary: management of employment, recruitment processes
  • Secondary: statistics

Direct marketing

3.2  Direct marketing can only occur if a simple opt-out mechanism is provided and the individual has not asked to opt out. You must have each individual’s express or implied consent and the individual should reasonably expect the University to use or disclose the Personal Information for that purpose.

3.3  Carefully manage direct marketing processes and mail out lists, including opt-outs.

Government related identifiers

3.4  Government related identifiers such as Tax File Numbers and Medicare numbers must not be adopted by the University to identify individuals.

3.5  Do not use or disclose Government-related identifiers unless required or authorised by law, or where:

a)  reasonably necessary to verify the person’s identity for the purpose of the University’s business;

b)  required to fulfil obligations to a Government agency;

c)  reasonably necessary for law enforcement.

4.  Access to and Correction of Personal Information

4.1  Before Personal Information is used or disclosed, consider whether it is accurate, up-to-date, complete and relevant. At least annually, remind individuals whose Personal Information is held on an ongoing basis to confirm the accuracy of their Personal Information.

Example:  Include in newsletters a reminder to notify changes of address etc. and include a blank form, email address or link to a web-page for doing so.

Persons seeking access to their own Personal Information

4.2  In most cases and subject to verification of identity, individuals have a right to access, correct, or update their Personal Information. You should respond to requests for access or correction in a timely manner (within 30 days).

4.3  Current and former students can access their Personal Information in accordance with the relevant provisions of the policy on Student Information.

4.4  Employees and academic status holders can contact Human Resources to make an appointment to view their centrally-held appointment file in the presence of a Human Resources officer. Where personnel files are maintained by the local area to which the employee or academic status holder is appointed, the employee or academic status holder may submit a request to their Dean of School/portfolio manager to view their local personnel file in the presence of a School/portfolio officer.

4.5  Identity verification requirements include:

4.5.1  In person, picture ID eg student or staff card or driver’s licence;

4.5.2  By telephone, questions to verify a range of details, e.g. FAN, Student or staff ID, Date of Birth, Course, address. Ask the caller to supply these details; do not read them out for the caller to confirm.

4.5.3  Via e-mail from an address other than a Flinders University e-mail address, ask the person to log in using their FAN and password to authenticate themselves and to resubmit their request from their Flinders e-mail account. If the person no longer has a Flinders e-mail address, verify their identity by asking a series of questions, as above.

4.6  Persons other than staff, affiliates or students seeking access to their own Personal Information held by the University about them should be directed to the Freedom of Information Officer.

Limitations on Access

4.7  Documents may be withheld or redacted if the University determines that it would not be appropriate for access to be granted. Access by an individual to their Personal Information may be denied for the following reasons:

a)  There would be an unreasonable impact on the privacy of other individuals (e.g. personally identifying information of referees on a staff appointment file);

b)  the request for access is frivolous or vexatious;

c)  the documents are subject to confidentiality obligations or legal professional privilege;

d)  granting access would compromise the University in anticipated legal proceedings or commercially sensitive decision-making processes;

e)  there is a potential threat to life, health or safety.

4.8  An individual who is denied access to a document or who has had their correction request refused must be given reasons for the refusal and should be advised of their entitlement to submit a Freedom of Information application.

Example:  A student seeks copies of correspondence between the University and its solicitors concerning a legal matter involving the student. Correspondence between the University and its solicitors is subject to legal professional privilege and should not be released.

A student seeks copies of correspondence between two lecturers concerning accusations about the student’s behaviour. The student should seek the information under the Freedom of Information Act and should be referred to the Freedom of Information Policy.

A lawyer claiming to act for a student seeks that student’s academic record.  The student must provide written consent for that information to be released.

If a lawyer is acting in a court case against a student or a staff member, Personal Information may only be released to the lawyer if the court issues a subpoena or similar order.

Third parties seeking access to Personal Information

4.9  Permitted disclosures to third parties are set out in paragraph 2.4 above. The examples listed below address some common requests for access from third parties.

4.9.1  Access to Student Personal information must be in accordance with relevant provisions of the policy on Student Information.

4.9.2  Any request from the police for access to any person’s Personal Information, or the presentation of any form of warrant by police, must be referred to Legal Services for advice. Legal Services will provide advice to the relevant senior manager on the release of any information or action to be taken.

4.9.3  Requests for access by Government agencies should cite the authority upon which the request is made. If uncertain about the bona fides of the request, seek advice from the Integrity Governance and Risk Division before releasing any information.

4.9.4  Personal Information must not be disclosed in response to a lawyer’s request except with the consent of the person to whom the information relates, or if required by law or a subpoena or court/tribunal order.

Examples:  A member of the public contacts your department and asks for the contact details of another staff member. You could refer them to the Staff Directory, as it is publicly available information that staff know is disclosed, but if the caller wants private information, take the caller’s contact details and refer the details to the staff member so that they can contact the caller.

A member of the public claiming to be the relative of a student contacts you to seek information about the student. You should not provide any information, or even acknowledge that they are a student, except where the student has given written permission for specified information to be released to specified individuals. Where permission has been given, ensure you verify the caller’s identity first and then make a record of the disclosure.

Police wish to know if a person is enrolled at the University and their study details. The police submit a warrant or police letter quoting the Act that entitles them to request the information, or a letter from someone of suitable authority stating that the information is reasonably necessary for the investigation of an offence. The matter should be referred to Legal Services for advice.

If a staff member is suspected of illegal activities, the University may disclose the staff member’s Personal Information to the Police or other authorised investigator.

5.  Unauthorised Use or Disclosure or Loss of Personal information

Personal Information Breach

5.1  The relevant area manager must be notified immediately of any breach of privacy, whether it affects electronic records or other forms of information. The manager must take immediate action to contain the loss or unauthorised disclosure or access where possible (e.g. by stopping the unauthorised practice; recovering the records; advising persons who have received the information by mistake to destroy that information).

The area manager must notify the Privacy Officer and, in the case of electronic records, the ITS Service Desk, about the privacy breach and the matter will be investigated to determine what further steps are necessary, having regard to the following factors:

  • the type of Personal Information involved;
  • the date/s that the breach occurred;
  • the context of the affected information (e.g. a data breach of student names on a counselling list would be of greater concern than student names on a general class list);
  • who has gained (or might gain) unauthorised access to the information and how the information could be used;
  • the cause and extent of the breach;
  • the risk of harm to the affected individuals;
  • the risk of other harm;
  • the interim containment actions that have been taken in response to the breach; and
  • any further steps required to remedy the breach.

The Office of the Australian Information Commissioner (OAIC) and affected individuals should be notified following a serious data breach in which personal information held by the University about one or more individuals is subject to unauthorised access or unauthorised disclosure or loss that puts any of those individuals at real risk of serious harm.

Examples: A staff member accidentally sends a list of personal details of students to an incorrect personal email address.

Do not send Personal Information outside the University unless it is appropriately secured or encrypted. Always check email addresses before sending.

A staff member loses a USB storage device, containing Personal Information about some staff, in a public place.

Do not put Personal Information on your private USB. Any Personal Information placed on a University USB must be encrypted or password protected and the USB must be securely stored.

See also the IT Security Quick Reference Guide.

It appears that the security of a database containing Personal Information has been breached.

Report the incident immediately to ITS. Be sure to distinguish privacy breaches from other data breaches. Do not take any further action without consulting ITS.

Students have been sent marketing material, having previously indicated that they wished to opt out of receiving such material.

Issue an apology to the students and ensure that opt-out information for those students is correctly recorded.

Notifying affected individuals

5.2  If there is a risk of serious harm to the affected individuals, a report must be submitted to the Office of the Vice-Chancellor advising the nature of the breach and the possible consequences of it (in the terms outlined in 6.1 above), with a recommendation as to whether the affected individuals should be notified. Any such notification might include the following:

a)  a brief description of the incident and timing;

b)  a description of the Personal Information involved in the breach;

c)  an apology and an indication of the steps that have been or will be taken to control or reduce any adverse impact;

d)  suggestions on what other steps the individual can take to minimise any adverse impact;

e)  any assistance the University can provide; and

f)  University contact details for further information.

In cases of breaches of privacy involving electronic data, the report to the Office of the Vice-Chancellor will be submitted by ITS and in all other cases it must be submitted through the Privacy Officer.

Other actions

5.3  The Privacy Officer will work with the area manager and other relevant areas (e.g. Information Security) to determine and implement any possible actions to prevent future breaches. The University will, if required by law, notify the relevant government agency of the privacy breach. If the breach was a result of theft or other crime, the University will report the matter to the police.

6.  Complaints about Breaches of Privacy

6.1  For procedures for handling complaints from students, refer to the policy on Student Information, clause 10.

6.2  The procedures set out below must be followed in the case of complaints received from individuals other than students.

1.  Submitting a complaint about the University's handling of an individual's personal information

1.1  All complaints must be submitted to the Privacy Officer in the first instance.

1.2  The Privacy Officer will check that the individual making the complaint is the individual whose personal information has been affected. If not, the Privacy Officer will clarify the complainant’s authority to act for the individual whose privacy is the subject of the complaint.

1.3  The Privacy Officer will determine whether the complaint involves any of the following:

  • Inappropriate collection of personal (including sensitive) information
  • Inappropriate use and/or disclosure of personal information
  • Inaccuracy of personal information
  • A breach of security of personal information
  • Refusal to give access to personal information
  • Refusal to correct personal information
  • Any other privacy issues.

1.4  If there has been a breach of electronic information security, the Privacy Officer will notify Information Technology Services immediately.

1.5  If the Privacy Act does not apply to the complaint, the Privacy Officer will consider whether the complaint can be dealt with under the University's other complaint handling procedures.

2.  Acknowledging receipt of the complaint

2.1  The Privacy Officer will acknowledge all complaints in writing within 5 working days and clarify their understanding of the complaint.

2.2  If the complaint cannot be resolved through this initial contact with the Privacy Officer, the matter will be referred to the appropriate area for investigation.

3.  Referring the complaint to the appropriate area for investigation

3.1  Where investigation of the complaint is required, the Privacy Officer will refer the complaint promptly to the appropriate senior officer for investigation:

  • Head of Division with respect to information and records managed within the Division;
  • Dean of School with respect to information and records managed by the School;
  • Faculty General Manager with respect to information and records managed by the Faculty;
  • Chief Executive Officer of a controlled entity or subsidiary with respect to information and records managed by the controlled entity or subsidiary.

3.2  In referring the complaint to the appropriate senior officer, the Privacy Officer will indicate their understanding of the privacy obligations at issue with reference to the relevant clauses of the Privacy Policy and/or the Australian Privacy Principles.

3.3  The senior officer may undertake the investigation of the complaint and prepare a response or nominate an officer to do so. The investigating officer must be independent of the person/s responsible for the alleged conduct.

3.4  Where the complaint is referred for investigation, the Privacy Officer will notify the complainant of the name, title, and contact details of the investigating officer handling the complaint.

3.5  The investigating officer will contact the complainant within 30 days of the complaint being lodged.

3.6  Where the complaint involves a breach of electronic information security, the investigation of the complaint will be coordinated by Information Technology Services (ITS), Information Security, Quality and Risk.

4.  Investigating the complaint by staff in the Division, School or Entity to which the complaint has been referred by the Privacy Officer

4.1  Matters for the investigating officer to consider:

  • Does it appear that the alleged conduct occurred?
  • Which privacy obligation/s may be relevant and why?
  • Does it appear that the conduct complied with the University’s privacy obligation/s (taking into account any exceptions or exemptions under the Privacy Act or other legislation)?
  • If it appears the University has not complied with its obligations, consider whether the complainant's requests regarding outcomes (if any) can be met.

4.2  Where a complaint is found to have been substantiated, the staff member handling the matter will take steps to redress the concerns raised by the complainant and notify the complainant of the actions taken. Examples of outcomes may be: an apology, together with a review and revision of policy, forms, procedures and/or staff training and/or improvement of security safeguards and/or initiation of disciplinary procedures.

4.3  Where it appears that a staff member has deliberately or maliciously disclosed or given unauthorised access to information or breached confidentiality or may be guilty of serious misconduct as a result of the misuse of information, a recommendation may be referred to the Director, Human Resources, to initiate disciplinary procedures under the relevant industrial award.

4.4  The senior officer and/or the investigating officer should consider any systemic issues raised by the complaint and possible responses, such as:

  • Privacy training in the area;
  • Amendment of policies, forms and/or collection notices;
  • Providing additional accessible information;
  • Improvement of security and storage measures;
  • Steps to improve data accuracy.

5.  Communication with the complainant

5.1  The investigating officer must reply to the complainant in writing within 30 calendar days of the complaint being lodged, informing the complainant of:

  • the outcome of the complaint, or stating what progress has been made and when the next report to the complainant will be made; and
  • how the investigating officer is independent of the person/s responsible for the alleged conduct.

5.2  The investigating officer should write to the complainant:

  • providing the response to the complaint, including details about the information relied on in developing the response; and
  • including an invitation for the complainant to reply to the response and, if appropriate, an offer to meet or discuss.

5.3  Arrange for the issuing of an apology if the area did not comply with the relevant privacy obligation/s and consider whether any additional outcomes may be appropriate.

The apology should be issued by the appropriate senior officer:

  • Head of Division with respect to information and records managed within the Division;
  • Dean of School with respect to information and records managed by the School;
  • Faculty General Manager with respect to information and records managed by the Faculty;
  • Chief Executive Officer of a controlled entity or subsidiary with respect to information and records managed by the controlled entity or subsidiary.

6.  Complainant's response

6.1  If the complainant seeks further action or is not satisfied with the outcome:

  • Assess any reply or further information from the complainant;
  • If it appears that the University did comply with its privacy obligation/s, consider whether the complainant's response alters this view.

6.2  If the complainant is not satisfied with the outcome, the investigating officer should first attempt to resolve the matter informally, through discussion and mediation and in accordance with the principles of natural justice and procedural fairness. The investigating officer and/or the complainant can seek mediation from the Privacy Committee of South Australia. The Privacy Committee has no formal responsibility with respect to universities, but is willing to assist in the resolution of privacy complaints involving South Australian universities.

7.  If the complainant is still not satisfied with the outcome

7.1  If still not satisfied, a complainant who has made a complaint which has been substantiated may seek, where applicable, to have the matter resolved through a process consistent with clause 17 of the University’s Grievances procedures.

8.  Record the Outcome of the Investigation of the Complaint

8.1  The senior officer or investigating officer should ensure that all records of the complaint and the investigation and outcome are confidentially secured and, following completion of the investigation, submitted to the Privacy Officer. All complaint records should be stored securely and in accordance with the Records Management Policy.


Need further advice?