Governance

Policies and procedures

Policy No.
UP14/10
Function
Information Management
Authoring Organisational Unit
Information Governance Services
Date Approved
24/07/2014 Revised 14/06/2018
Next Review Date
23/06/2021
Approving Body
Senior Deputy Vice-Chancellor And Registrar

The University of Western Australia

University Policy on: Privacy

1. Purpose:

a) The purpose of the Privacy Policy is to -

i. protect the University Community from the misuse of Personal Information;

ii. contribute to maintaining a University culture of respect, integrity and inclusivity; and

iii. contribute to upholding the rights of Employees and Students to fair treatment.

b) This Policy expresses Personal Information -

i. definitions section 2 and 3;

ii. collection and use section 5;

iii. disclosure section 6;

iv. management practice section 7;

v. access and correction practice section 8;

vi. General Data Protection Regulations (GDPR) section 9;

vii. privacy complaints practice section 10; and

viii. breach of policy section 11.

c) This Policy is to be read in conjunction with the following -

i. Privacy Policy Guidelines;

ii. Privacy Act 1988 (Cth); and

iii. General Data Protection Regulations

2. Personal Information:

a) Personal information is defined in the Privacy Act 1988(Cth) and means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.

b) The types of personal information that the University collects and holds will depend on the circumstance and relationship between the individual and the University.

c) Personal Information that is commonly collected by the University includes an individual's -

i. name;

ii. address (residential, postal and email);

iii. phone number;

iv. date of birth;

v. gender;

vi. ethnic origin;

vii. passport number;

viii. banking and credit card details;

ix. tax file number;

x. health or impairment information;

xi. emergency contact details;

xii. photographs or video recordings (including CCTV footage);

xiii. criminal history;

xiv. academic record;

xv. IT access logs;

xvi. records of donations or transactions; and

xvii. employment details.

3. Sensitive Information

a) Sensitive Information is defined in the Privacy Act 1988 (Cth) and means -

i. information that is personal information, that is also information or an opinion about an individual's -

A. racial or ethnic origin;

B. political opinions;

C. membership of a political association;

D. religious beliefs or affiliations;

E. philosophical beliefs;

F. membership of a professional or trade association;

G. membership of a trade union;

H. sexual orientation or practices; or

I. criminal record;

ii. health information about an individual; or

iii. genetic information about an individual that is not otherwise health information; or

iv. biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or

v. biometric templates.

4. Scope

4.1. Institutional Scope

a) The scope of this Policy applies to the entire University Community in collecting, holding, accessing and correcting Personal Information and Sensitive Information, from and about, but not limited to, the following -

i. alumni;

ii. citizens of the European Union;

iii. clients of health or counselling services;

iv. current and prospective donors;

v. current and prospective staff;

vi. current and prospective students;

vii. current and prospective suppliers and contractors;

viii. research participants;

ix. users or attendees of University facilities, services, events or activities; and

x. volunteers.

4.2. Individual Scope

a) The scope of this Policy applies to all members of the University Community in collecting, holding, accessing and correcting Personal Information and Sensitive Information on behalf of the University.

b) Contractors, consultants and agents of the University may also be required under the terms of their agreement with the University to comply with this Policy; and/or the terms of the Australian Privacy Principles in collecting, holding, using or disclosing Personal Information on behalf of the University.

5. Collection and Use of Personal Information

a) The University will collect Personal Information where that information is reasonably necessary for the performance of one or more functions and/or activities of the University.

b) The University will collect and use personal information by lawful, fair and transparent means and, where possible, directly from the individual.

c) The University will collect data that is adequate, relevant and limited to what is required.

d) The University may collect Personal Information in a number of ways, including but not limited to -

i. as part of any enrolment, registration or subscription process;

ii. direct contact in the course of providing services or administration of University activities;

iii. forms that are submitted by individuals (including via on-line portals);

iv. from CCTV cameras on University premises;

v. from cookies set from web browsers visiting the University's websites;

vi. from Google applications including AdWords;

vii. from public health databases where the relevant consent processes described in the national research and ethics codes are reviewed and approved;

viii. from the University's monitoring of its IT facilities and services, including the web (subject to the University Policy on Privacy of Electronic Material UP07/45);

ix. from third parties with which the University collaborates; and

x. in the course of undertaking research.

e) The University will not collect Sensitive Information unless -

i. an exemption exists under the Privacy Act;

ii. it has obtained the individual's consent; or

iii. it is required or authorised by Australian law or court/tribunal order.

f) The University will only collect and use an individual's Personal Information or Sensitive Information -

i. for the purpose for which it was collected (the primary purpose);

ii. for a secondary purpose that is related to the primary purpose (if the information is sensitive information, it will only be used or disclosed for a secondary purpose which is directly related to the primary purpose) and that the individual would reasonably expect his or her information to be used or disclosed for this secondary purpose;

iii. with the individual's consent; or

iv. as otherwise allowed under the Privacy Act or as required or authorised by Law.

6. Disclosure of Personal Information

a) The University may disclose Personal Information to the following types of recipients -

i. collaborating parties, to the extent that such personal information is required for the collaborative activity to be undertaken (e.g. collaborative research; jointly delivered courses or programs);

ii. external service providers, to the extent that the information is required to provide services to the University (e.g. Software-as-a-service);

iii. Government departments and agencies to satisfy reporting requirements; and

iv. a nominated emergency contact in the case of an emergency.

b) The University may disclose Personal Information to overseas recipients where -

i. an individual is involved in an exchange, mobility, study abroad program or joint program with an institution overseas, or where an individual is sponsored by or transfers to another institution overseas, in which case the University may disclose Personal Information to their home or host institution or sponsor overseas, or their international agent;

ii. in the case of an emergency where -

A. it is unreasonable or impracticable to obtain consent; and

B. the University reasonably believes that disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety.

In this case, the University may disclose Personal Information to police, medical or hospital personnel, civil emergency services, or other person assessed as necessary to respond to the emergency who is located overseas; or

iii. the University discloses Personal Information to third party service providers, including providers of cloud services and website hosts, which may be located overseas. In this case, the University will ensure it has a contract that requires that the third party complies with the Australian Privacy Principles and with the State Records Commission Standard 6: Outsourced Functions as articulated in the University's Record Keeping Plan.

7. Management of Personal Information

a) The University will take reasonable steps to -

i. destroy or de-identify Personal Information which is no longer needed for the University's business or required to be retained under any law, regulation or code applicable to the University;

ii. ensure that the Personal Information it collects, uses or discloses (having regard to the purpose of the use or disclosure) is accurate, up to date and complete;

iii. ensure that the systems, tools and methods of capturing, transmitting and holding information are protected from misuse, interference, loss and from unauthorised access, modification or disclosure. However, the University cannot be held responsible for the theft of data by a third party, or the loss of data through technical or technological malfunction, tampering by a third party, or any event that is beyond the reasonable control of the University or as identified in the University Policy on Privacy of Electronic Material; and

iv. ensure Personal Information is protected with integrity, confidentiality and with appropriate security.

8. Access and Correction of Personal Information

a) The University must, upon request by an individual, provide access to Personal Information about that individual unless the University has a legitimate reason for refusal, such as the release would conflict with existing legislative requirements or policy.

b) The University must take all reasonable measures to amend or remove personal information if it can be proved that having regard to the purpose for which the information is held, the information is inaccurate, out of date, incomplete or misleading.

c) Individuals seeking to access or correct their Personal Information may contact the University using the contact details set out in the Privacy Policy Guidelines.

9. General Data Protection Regulations (GDPR)

a) The University must, in addition all other sections of this Policy, ensure that in respect of citizens of the European Union -

i. a citizen's consent may be withdrawn at any time in accordance with the Privacy Policy Guideline; and

ii. a citizen has the right to erasure, data portability and the right to object.

10. Complaints

a) Failure to comply with this policy by a member of the University Community may be considered a breach of the Code of Ethics and Code of Conduct and may result in disciplinary action.

b) An individual may complain if they believe that the University has breached this Policy, and can contact the University to lodge a complaint using the contact details set out in the Privacy Policy Guidelines.

11. Breach of Policy

a) Failure to comply with this policy by a member of the University Community may be considered a breach of the Code of Conduct and Code of Ethics and may result in disciplinary action.

11.1. Mandatory Data Breach Notification

a) The University will notify -

i. the Office of the Australian Information Commissioner;

ii. an individual affected by a breach of this policy

when there is a breach of this policy, if that breach is categorised as an eligible data breach.

11.2. Eligible Data Breach

a) Under the Privacy Act 1988 (Cth) An eligible breach is either -

i. when there is an unauthorised access or disclosure of personal information and a reasonable person would conclude that the disclosure or access is likely to result in serious harm to those individuals affected; or

ii. when information is lost in circumstances where unauthorised access or disclosure is likely to occur and assuming that unauthorised access or disclosure were to occur, a reasonable person would conclude that the disclosure or access is likely to result in serious harm to the affected individuals.

12. Definitions:

Personal Information is defined in section 2 of this policy.

Privacy Act means the Privacy Act 1998 (Cth).

Sensitive Information is defined in section 3 of this policy.

University Community means all individuals who use University Property for study, work, recreation, other activities and in the performance of official duties for the University.

University Property means tangible and non-tangible things, belonging to, or contracted to the University or members of the University Community, including campuses, facilities and services.

13. Related Guidelines:

a) Guidelines will appear on the University Policy Library. While the design and build of the new University Policy Library is underway please contact the Policy Team for the -

i. Privacy Policy Guidelines.

Policy No:

UP14/10

Policy Approver:

Senior Deputy Vice Chancellor

Policy Owner:

Director | Strategy, Planning and Performance

Policy Administrator:

Associate Director | Risk and Legal

Created:

24 July 2014:

This Version:

14 June 2018

Review Date:

June 2021

Procedures approved:

n/a

TRIM File No:

F57176

Contact position:

Associate Director | Risk and Legal