The University of Queensland Homepage
Go to the HUPP Homepage You are at the HUPP website
      

Image: On this site


 1.60.2 Privacy Management Policy

This policy is under review following the commencement of the Information Privacy Act 2009, on 1 July 2009. Please contact the Right to Information and Privacy Coordinator for any information required.

 1.60.2 Privacy Management Policy
Policy Number: 1.60.2
Contact Officer: Freedom of Information Officer
Date Approved by Senate: 24/07/2008
Date last Amended: 25/05/2006
Date for Next Review: 24/07/2011
Related Policies: 1.60.1

 


Overview


1. Introduction


1.1 The University holds a large amount of personal information concerning staff, students and other persons, as a natural consequence of our teaching, research and administrative functions. Some personal information is collected from the persons concerned, while other information is generated by the University in the course of our activities (for example, examination results). The privacy of persons about whom the University holds personal information must be respected, and the University's policy addresses the circumstances in which privacy issues may arise.


1.2 Personal information is information not in the public domain which identifies an individual and which is capable of being associated with a specified individual. In the University context, examples of personal information include home address, home telephone number, date of birth, marital status, next of kin; salaries and wages of University staff; all information concerning students, their enrolment, academic performance and their personal welfare (such as medical matters) and records of an individual student's library borrowings; information concerning persons who apply to the University for appointment or admission; information collected from or concerning human research subjects. It may include visual information, such as photographs of people. For the purposes of this policy, personal information is given a broader meaning than in the Freedom of Information Act 1992 (the FOI Act refers to "personal affairs information", meaning matters of private concern to individuals).


Description


2. Collection of personal information


2.1 Information should be collected only where it is necessary to carry out a particular function or administrative activity. For instance, it is rare that information concerning a student's marital status is required for normal administrative functions associated with enrolment or study. Where the information is not required for any specific purpose, it should not be collected.


2.2 Where information is collected for a particular purpose, it should not normally be used for any other purpose. For instance, it is not acceptable to supply the names and addresses of students to commercial providers of goods or services, even where particular benefits may be offered to those students, since such information has been collected by the University only for enrolment and study-related purposes. If personal information is likely to be used for some other purpose, this should be disclosed at least by the time that information is collected and preferably before it is requested. In certain circumstances, information collected for one University purpose may be used for another but the unexpected use should be approved by the Secretary and Registrar.


3. Access to and use of personal information stored in records


3.1 There are several important principles which staff should consider when dealing with personal information held by the University.


3.2 Personal information should be accessed and used only for University purposes.


3.2.1 Access to either paper-based or computerised records should be sought and granted only where there is a demonstrated need for this because of a staff member's functions or responsibilities. Even where access is granted, it would be inappropriate, for instance, if an address, home telephone number or other information was accessed and used by a staff member for private reasons, e.g. to forward personal correspondence to a former flatmate, or to ascertain the results of friends and associates. This is so even if the person to whom the information relates gives permission.


3.3 Personal information should be secured.


3.3.1 Paper-based records should not be left where members of the public, or others to whom the information they contain is not generally made available, may access them. Records containing personal information should be filed securely.


3.3.2 Appropriate arrangements should be put in place at the departmental level to ensure that access to computerised records is granted only to staff requiring such access in the course of their duties. Computer access passwords are intended as security devices and hence staff should not disclose their password to others (for further details see the Information Technology Security Management Policy HUPP 6.10.4).


3.3.3 Sometimes personal information will be obtained orally, for instance, in an interview with a student concerning course progress. The information may or may not be recorded in documentary form. Nonetheless, privacy should be respected, and the information should not be discussed with others, except where this is necessary to undertake functions concerning the student or staff member who has provided the information.


3.4 Personal information should not be disclosed to third parties


Personal information should not be disclosed to third parties except in the circumstances outlined below.


3.4.1 As a general rule, information not publicly known concerning staff and students should be treated as confidential, and should not be disclosed to anyone but University staff who have a demonstrated need for this information to carry out their duties. There are several exceptions to this general rule.


a. Disclosure to the staff member or student to whom the personal information relates:

  • Information privacy principles in general entitle those about whom information is held to access that information. This enables them to ensure that information about them is accurate, relevant, up-to-date, complete and not misleading. Thus, a staff member or a student would be entitled to request access to their personal file or to view information held in computerised formats about them. This general entitlement is given effect by the Queensland Freedom of Information Act, and is subject to its detailed provisions.
  • In most cases where access is requested, it will be possible for access to be obtained without the need to make a formal application under the FOI Act. For further advice on dealing with requests, refer to the Freedom of Information Management Policy or the Freedom of Information Officer.
  •  Sometimes, persons supply original documents to the University, such as birth certificates, or certified academic records of study undertaken elsewhere. Where it is practicable to do so, original documents supplied by a person may be returned to them, and should be returned upon request. If this occurs, University records relevant to the transaction should include an annotation indicating that original documents have been sighted and returned.


b. Disclosure to third parties only with the consent of the student or staff member concerned:

  • Personal information may be disclosed to third parties with the consent of the student or staff member concerned. Such consent cannot be assumed, and should be given expressly and in writing. It cannot be assumed, for instance, that the University has implied consent to routinely supply student details to professional associations, potential employers or parents.
  • Except in the special cases mentioned below (see items d and e below), the fact that the enquirer may hold an official position, for example, as an officer of a government department, or in some other way may claim a special or even official right to get information makes no difference to this position. Nor does it matter whether the enquiry is made informally or by means of a formal written document.
  • Details of a student's academic record should not be given to third parties even though the results may have been published at the time of release in the normal way. If an enquiry concerning a student's record is made by a person or body clearly having a valid reason for seeking the information, e.g. another university or a prospective employer forwarding details of the record as furnished to the enquirer by the student, the enquiry should be referred to the Academic Registrar, who will, if appropriate, verify the record so furnished.
  • Heads of Schools and sections may from time to time receive enquiries, often by telephone, from credit providers, in connection with applications by staff for credit facilities, and from real estate agents, in connection with rental of premises by staff. The enquirer usually asks for confirmation of employment and salary. The University is willing to assist the staff member in these cases and will provide confirmation of employment and salary level. This should only be done however where the staff member in question has advised the head of school in advance that an enquiry may be made by a credit provider or real estate agent and the staff member consents to the release of the information sought.
  • Where no prior advice has been received from the staff member concerning the possibility of an inquiry by the credit provider or other enquirer, the enquirer should be advised to make a request in writing. Such a request should include written evidence that release of this information has the staff member's consent or be checked with the staff member before any information is given.
  • Occasionally, persons undertaking research or those seeking genealogical information may make enquiries for access to personal information concerning former staff or students. Such enquiries may also be made by persons needing details for honours, obituaries and the like. These enquiries must be referred to the University Archivist for assistance (telephone 3365 6205).


c. Disclosure of matters of public record:

  • Additionally, there is a limited amount of apparently personal information held by the University which in fact amounts to a matter of public record. A notable example is the status of a person as a graduate of the University of Queensland. Where members of the public enquire about the status of persons as graduates of the University, they may be encouraged to use the publicly available source in the University Library (bound volumes entitled "Programs for Conferral of Degrees", Library Call No LG711.5.C4 Fryer Per) or alternatively may write to the Academic Registrar. Where the association with the University is more than 20 years ago, enquiries should be directed to the University Archivist. The University's official graduation records are held in Central Administration.
  • The fact that a student is enrolled at the University is not treated as a matter of public record. Consequently, such information should be disclosed only in the circumstances outlined in this policy.
  • It should not automatically be assumed that divulging apparently innocuous information, such as staff lists, is acceptable. This is because of the opportunities which exist for using sophisticated software technologies to consolidate that information with other publicly available information and produce selected mailing list, for example, for the direct marketing industry. Such requests should be referred to the Secretary and Registrar.


d. Disclosure of personal information under statutory or other legal authority:

  • In some cases, legislation has conferred upon certain public officers the right to demand and receive information, even though it would otherwise be regarded as confidential. A typical example is the Income Tax Assessment Act under which the Commissioner can authorise officers of that department to require any person to answer any question or to produce any document for inspection. The Commonwealth Departments of Education, Training and Youth Affairs, Social Security, or Immigration may also have powers to obtain access to personal information in specific circumstances.
  • Furthermore, the University must observe the Information Privacy Principles (IPP’s) set out in Information Standard 42 – Information Privacy, which mirror those of the Commonwealth Privacy Act.  Under IPP No.11, although generally personal information should not be disclosed, it may be if disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.
  • In cases where enquiries are received from public officials, the relevant statutory authority to obtain access to such information should be requested. Statutory authority should be detailed in writing, as should written verification of appointment as a person entitled to require the information. When this authority is produced, the enquiry should be referred to the University Legal Officer for confirmation, or where the Legal Officer is unavailable, to the Secretary and Registrar.
  • Until such confirmation is obtained, inspection of University documents is not permitted, no personal information should be released verbally and copies of documents should not be provided.
  • Similarly, where disclosure is sought in the course of legal proceedings, e.g. by service of a subpoena or notice of third party disclosure, this must at all times be referred promptly to the University Legal Officer for action.


e. Disclosure in instances of wrongdoing associated with University activities:

  • Staff in Faculty offices and in various sections of Central Administration often obtain transcripts of the academic record of persons seeking admission to a particular course of study, or who apply for a position on the University staff or for various forms of financial assistance. Occasionally, such staff may become aware that such records appear to have been falsified in order to obtain admission or appointment. These are examples of a wider class of instances where wrongdoing in connection with University affairs is suspected.
  • Where staff suspect that some form of record falsification or other wrongdoing has occurred, any reporting of the issue should be to their supervisor in the first instance and then to the Secretary and Registrar. At no time should staff disclose such information directly to entities outside the University.
  • Occasionally, police officers involved in investigations of offences associated with University activities or the misuse of University property, will make enquiries for personal information about staff or students to assist with their enquiries. In exceptional circumstances, the University may consider release of such information. All such enquiries must be referred to the University Legal Office.


f. Requests associated with bona fide research activities

  • The University is willing to assist bona fide researchers undertaking studies, for example, by the distribution of questionnaires within the University community. Any assistance must be approved by the Secretary and Registrar.
  • Material to which such requests relate and which will be forwarded to staff/students must contain a clear statement of purpose, and responses must be entirely voluntary and made directly to the researcher.
  • Usually, the University will either distribute the material within the University internal mail system or provide name/address labels under stringent conditions associated with the preservation of individual privacy. Costs will normally be recovered from the researcher. The University will provide no other follow-up or forwarding services.

3.5 Reporting breaches of privacy

3.5.1 The Head of the relevant organisational unit must report any breaches of this policy to the Freedom of Information Officer as soon as practicable after the breach has been identified. Following notification, the Freedom of Information Officer will:
  • For minor breaches of the policy – liaise with the relevant head on the necessary actions required to prevent a similar breach from occurring; or
  • For major breaches of the policy – instigate an investigation into the breach.

3.5.2 the Freedom of Information Officer must inform the Secretary and Registrar of breaches of this policy and any actions arising out of any investigations.


4. Grievance procedure


4.1 Privacy issues can be discussed with the Freedom of Information Officer, if necessary, on a confidential basis. If an individual believes that their privacy has been breached, a complaint may be made in writing to the Freedom of Information Officer. In order to enable such a complaint to be properly investigated, it should identify the person whose privacy appears to have been breached. Anonymous complaints will not be dealt with.


4.2 An investigation will be conducted in consultation with the relevant Head of School or section. The Secretary and Registrar will have final responsibility for resolving the complaint.


5. Further Information


5.1 General enquiries concerning the application of this policy may be directed to the Freedom of Information Officer, in the first instance.

 

 

 

 

© 2009 The University of Queensland, Brisbane, Australia
ABN 63 942 912 684
CRICOS Provider No: 00025B
Authorised by: University Secretary and General Counsel
Maintained by: webservices@uq.edu.au
Last Updated - Jul 2, 2009