Privacy Bites Newsletter
Privacy It's Everybody's Business
Welcome to the second edition of Privacy Bites, the newsletter of the Right to Information and Privacy Office. The first Privacy Bites edition focused on the general obligations imposed on the University under the Information Privacy Act 2009. This edition will look closely at the requirements for collection of personal information.
Collection of personal information
As an educational institution, the University of Queensland obtains personal information from a wide range of people including:
- prospective and current students;
- prospective and current staff, both academic and general;
- alumni; and
- members of the public who wish to use UQ facilities.
In obtaining this information, the University is subject to Information Privacy Principles 1-3 of the Information Privacy Act 2009 (Qld).
What does it mean to “collect” information?
In general, the University will be considered to have collected personal information when it has acquired it in some way. This includes:
- asking someone to fill in a form;
- monitoring email communications and internet usage;
- audio and video recording of sounds and images (including Closed Circuit Television);
- receipt of information from a third party (e.g. another educational institution).
Rule 1 – only collect what you need.
There are two aspects to this rule. Firstly, the collection of information must be for a lawful purpose directly related to the functions of the University. Secondly, only information which is necessary for the function at hand is to be collected. Information which is not needed for the immediate function cannot be collected simply on the basis that it could be useful at some later time.
Think about what you want to achieve. Is it a University-related function (section 5 of the University of Queensland Act 1998 lists the core functions of the University)? If so, think about how much, if any, personal information you actually need. In some cases, you can achieve the desired outcome without collecting any personal information. However, if you have to collect personal information, limit the collection to what you need. Just because we have always collected certain information, or because the information we want may be useful in the future, does not mean that we are entitled to collect it.
Rule 2 – Only collect information by lawful and fair means.
It goes without saying that University staff cannot collect information in a way which breaks the law. However, the collection process must also be “fair”. Collection will usually be considered to be unfair if it involves the University deceiving or pressuring the person into giving the information.
Rule 3 – Notify
If you ask someone to provide personal information, take reasonable steps to ensure that the person is aware:
- why the information is being collected;
- the legal authority to collect the information; and
- to whom the University usually gives that kind of information.
This rule is based on the principle that people should be given sufficient information to enable them to make an informed choice as to whether or not they wish to provide personal information. After all, it is their information.
Options for notification can include:
- a notice on a collection form;
- a leaflet attached to or accompanying a collection form;
- a written notice at the time of interview; and
- orally informing the person.
Rule 4 – Make sure it is accurate
When collecting personal information, take reasonable steps to ensure that the information collected is relevant, up to date and complete. Make sure that there is a clear connection between the requested information and the University’s purpose for collecting it. Unless you can identify the connection, don’t ask for the information.
Review collection processes (e.g. forms, interviews etc) regularly to ensure that only relevant information is being asked for. Don’t assume that information is relevant just because we have always asked for it in the past.
- what university related outcome do I want to achieve; and
- how will this information allow me to achieve it?
If the answer to the second question is “it won’t” then don’t collect the information because it is not relevant.
If you collect personal information from other organisations (i.e. educational institutions) rather than from the person directly, check how accurate and up to date the information is. This is particularly the case where the information has the potential to date (e.g. residential address) or portrays the person in an unfavourable light.
Rule 5 – Do not collect personal information in a way which is unreasonably intrusive.
Collecting personal information is always intrusive. People are asked to provide information about themselves which may not be generally known in the community. The Information Privacy Act 2009 (Qld) does not prohibit intrusive collection. It merely provides that intrusion must not be unreasonable. The following considerations are relevant to determining the reasonableness of the intrusion:
- the relevance of the information;
- the sensitivity of the information;
- the importance of the information to the purpose of collection;
- the intrusiveness of the method of collection;
Privacy in Practice – Referee Reports
It is inevitable that, at some point in our working lives, we will come into contact with referee reports. We may be asked to supply a referee report for a job applicant. Alternatively, we may ask for a report as a member of a recruitment panel. This article examines some of the more common scenarios which can arise in relation to referee reports.
Scenario #1 - A job applicant has not nominated their current employer as a referee, even though the selection documents requested them to do so. Can I go ahead and contact the employer anyway?
This is a very tricky situation. Although the applicant has been told of the need to provide a current employer as a referee, it may still be a breach of privacy to contact this employer without the applicant’s permission. If an applicant nominates a particular person as a referee then they are consenting for that person to be contacted. However, it would be wrong to assume consent just because the applicant did not object when told of the need to contact a current employer. There may be reasons why the applicant has not nominated an employer. For example, they may prefer that their current employer remain unaware of their job application as this could affect promotion prospects. On the other hand, they may genuinely not want the employer contacted because of the information which the employer is likely to provide.
So what should be done? The safest course of action is to contact the applicant, advise them of the need to obtain a referee report from the current employer and seek their consent to do so. If the applicant does not consent, this doesn’t mean that they have something to hide. It simply means that you are unable to obtain a report from the current employer.
Scenario #2 – The applicant worked with a friend or colleague of mine. This friend or colleague has not been nominated as a referee. Can I contact them for an “off the record” reference?
No. If the person has not been nominated as a referee, then contacting them to obtain a reference would likely be a breach of the Information Privacy Act 2009 (Qld).
Scenario #3 – I have been asked by an applicant to be a referee. What can I tell the prospective employer?
An invitation to provide a referee’s report is not a licence to provide any and all information the referee knows about the applicant. Only that information which is relevant to the applicant’s ability to do the job is to be disclosed.
Ascertain the factors that are relevant to the position. Only disclose information about the job applicant that is within the applicant’s reasonable expectations, e.g. skills, work experience and personal attributes relevant to the position. If the applicant has requested that certain personal information not be disclosed, then that information should not be disclosed.
Do not disclose information that the job applicant would not reasonably expect you would disclose in the course of providing a reference.
As a general rule, providing information about an applicant’s health or personal circumstances without the applicant’s consent would likely breach the Information Privacy Act 2009 (Qld). However, it may be acceptable to provide health information where it is directly relevant to the position. For example, if the position is a high stress position and the applicant suffers from a stress related condition, it may be appropriate to disclose this information.
Scenario #4 - I have been requested by a staff member to provide a referee report. The staff member has asked me not to disclose information about their performance as it could prevent them from getting the job. This information is certainly relevant to the job description. What do I do?
This is a difficult situation. As a referee, you are required to provide an honest and impartial account of the applicant’s performance so that the prospective employer can make an informed assessment of whether he or she is suitable. However, disclosing information against the wishes of the applicant could result in a privacy complaint, even if the information is relevant. If an applicant has prohibited you from discussing certain matters, explain to the applicant that, as a referee, you are required to give a proper report on the applicant’s conduct and performance. If the applicant is not happy with this, it may be appropriate for another person to be their referee. If you are required to give a report, explain to the applicant beforehand that, if you are asked about the applicant’s performance, you will respond, “I’m sorry, but I am unable to provide any information about this matter.”
Scenario #5 – I have received an oral report from the applicant’s referee. Do I need to document this?
Yes. The Public Records Act 2002 (Qld) requires public authorities (including the University) to make and keep full and accurate records of their activities. The accuracy of your records can be significant if a dispute arises – e.g. the applicant is unsuccessful and the oral report is the determining factor.
Scenario #6 – I have provided a referee report on a staff member. Can the staff member access that report?
In general, the answer is yes. Subject to any restrictions under the Right to Information Act 2009 (Qld) and the Information Privacy Act 2009 (Qld), persons have a right to obtain access to their personal information. If you provide an oral report, the record which you or the recipient makes of the conversation is accessible by the applicant. Make sure that the information is only recorded about the applicant’s suitability for the particular role. If a prospective employee would like to access their referee reports please refer them to the Right to Information and Privacy Coordinator for further information.
Collection of proof of identity documents
Is it necessary for the University to collect personal identity documents in the course of its business? The answer depends on the situation, but generally, the following privacy principles apply to the collection of personal information:
- information should be directly related to the functions of the University and only information which is necessary for the function at hand is to be collected;
- information must only be collected by lawful and fair means;
- information must be complete and up to date.
The collection of proof of identity documents will arise in the course of the University processing particular applications. It may be appropriate to collect proof of identity documents in circumstances where a student must establish identity to lodge and proceed with an application. Also, there may be a legislative requirement to collect a copy of the identification.
However, if there is no distinct business need to collect a copy of the identification, then don’t collect it. It is appropriate for staff to ask students for identification before discussing matters relating to their study and, in these circumstances, it may be appropriate to sight the identification card and make a notation that it was sighted. This notation will eliminate the need to take a copy of the identification for the file.
Focus on …..
Storage and security of personal information
Risk of privacy breach – photocopier hard drive
The information contained in this newsletter is of a general nature only and is not legal advice. Specific legal advice should be sought rather than relying on this newsletter.
Right to Information and Privacy Coordinator
Ph: (07) 3365 2571 Fax: (07) 3365 1058