View Current

Privacy Management Plan

This is not a current document. To view the current version, click the link in the document's navigation bar.

Section 1 - Purpose and Scope

Purpose

(1) The purpose of this Privacy Management Plan (Plan) is two-fold:

  1. it demonstrates to members of the public how Southern Cross University upholds and respects the privacy of the students, staff and others about whom we hold personal information; and
  2. it acts as a reference tool for University staff, to explain how we may best meet our privacy obligations under the Privacy and Personal Information Protection Act 1998 , the Health Records and Information Privacy Act 2002 and the Privacy Act 1988 (Cth).

Scope

(2) This Plan applies to all personal information and health information (including sensitive information) held by the University and its controlled entities.

(3) The Plan has the status of Policy for the purposes of the Governance Documents Rule.

(4) This Plan has been prepared in accordance with section 33 of the Privacy and Personal Information Protection Act 1998 .

Top of Page

Section 2 - Definitions

(5) "Collection" (of personal information) means the way the University acquires the information. Collection can be by any means. Examples include: a written form, a verbal conversation, an online form, or taking a picture with a camera.

(6) "Disclosure" means when we provide personal information to an individual or body outside the University - or, in some cases, to other discrete units within the University.

(7) "Health information" means personal information that is also information or an opinion about:

  1. a person's physical or mental health or disability;
  2. a health service provided, or to be provided, to a person;
  3. a person's express wishes about the future provision of health services to him or her;
  4. other personal information collected to provide a health service, or in providing a health service, or in connection with the donation of human tissue; or
  5. genetic information that is or could be predictive of the health of a person or their relatives or descendants.

(8) "Holding" personal information

  1. the University will be considered to be 'holding' personal information if it is in the University's possession or control, or if it is held by a contractor or service provider on our behalf. Most of the privacy principles apply to when the University is 'holding' personal information, which means we remain responsible for what our contractors or service providers do on our behalf.

(9) "HRIP Act" means the Health Records and Information Privacy Act 2001 (NSW).

(10) "Personal information" means information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

  1. Personal information can include information that is recorded (e.g. on paper or in a database), but also information that is not recorded (e.g. verbal conversations). It can even include physical things like a person's fingerprints, tissue samples or DNA.
  2. Some things are exempt from the definition of "personal information", including information about a person who has been dead for more than 30 years, and information about an individual that is contained in a document kept in a library, art gallery or museum for the purposes of reference, study or exhibition.
  3. Also note that "health information" is sometimes treated a little differently to other types of "personal information", and has its own definition - see above. There are also some special rules for "sensitive personal information" - see below.

(11) "PPIP Act" means the Privacy and Personal Information Protection Act 1998 .

(12) "Privacy obligations" means the privacy principles, specific obligations under Section 5 - of this Privacy Management Plan and any exemptions to those principles that apply to the University.

(13) "Sensitive personal information" means information about a person's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or union, or sexual preferences or practices.

(14) "University" means Southern Cross University and its controlled entities.

(15) "Use" means when the University uses personal information for some purpose.

Top of Page

Section 3 - Southern Cross University and its Privacy Context

(16) The University is an Australian public university established and operating under the Southern Cross University Act 1993. The University holds a vast amount of personal information not only pertaining to the students we serve, but also relating to our staff. The University will protect privacy with the use of this Plan as a reference tool.

(17) As a NSW public sector agency, the University is primarily regulated by the PPIP Act and the HRIP Act. Additionally, the Privacy Act 1988 applies to:

  1. personal information the University collects and holds regarding student assistance provided by the Commonwealth, special circumstances remissions applications, and tax file numbers; and
  2. to all personal information collected by the University's controlled entities.

(18) Each of PPIP Act, HRIP Act and Privacy Act 1998 (Cth) centres around what are termed 'privacy principles'. The PPIP Act covers personal information other than health information, and requires the University to comply with 12 information protection principles (IPPs). The IPPs cover the full 'life cycle' of information, from the point of collection through to the point of disposal. They include obligations with respect to data security, data quality (accuracy) and rights of access and amendment to one's own personal information, as well as how personal information may be collected, used and disclosed.

(19) Health information is regulated by a slightly different set of principles under the HRIP Act. Health information includes information about a person's disability, and health / disability services provided to them. There are 15 health privacy principles (HPPs) in the HRIP Act, with which the University must comply. Like the IPPs, the HPPs cover the entire information 'life cycle', but also include some additional principles with respect to anonymity, the use of unique identifiers, and the sharing of electronic health records.

(20) The Privacy Act 1988 (Cth) contains 13 Australian Privacy Principles (APP) which cover both personal and health information. The APPs are broadly consistent with the IPPs and HPPs prescribed under the PPIP Act and HRIP Act. However, with respect to receipting unsolicited information, cross border disclosures of information, and direct marketing, the APPs prescribe more stringent safeguards which the University applies to the handling of the information described at clause (17).

(21) There are exemptions to many of the privacy principles. There are also criminal offence provisions applicable to employees of the University who use or disclose personal information or health information without authority.

Types of personal and health information held

(22) Examples of personal information held by the University are:

  1. Personnel and payroll records including:
    1. payroll and pay related records, including banking details;
    2. tax file number declaration forms;
    3. medical assessment records;
    4. attendance and leave records;
    5. recruitment, appeals, promotion and transfer records;
    6. personal employee files and service records;
    7. counselling and discipline records;
    8. performance management and evaluation records;
    9. training records;
    10. notices of separation and exit questionnaires;
    11. occupational health and safety and workers compensation records;
    12. records of gender, ethnicity and disability of employees for equal employment opportunity reporting purposes;
    13. recruitment applications, references and reports;
    14. records relating to character checks and criminal convictions; and
    15. fitness to work statements.
  2. Student records including:
    1. records of name, date of birth, home address and other personal information of students gathered as part of various application processes, collected for purposes such as to establish the student's identity (e.g. as an anti-fraud measure when issuing a replacement testamur), to enable communications with the student about their course and the University services available to them or to establish a student's eligibility for a University scholarship;
    2. health information relating to students such as:
      1. information about a student's disabilities and needs (where applicable), to assist with the provision of appropriate services to the student;
      2. records of counselling appointments made and attended by students as part of their interaction with the Health chapter of Student Services.
  3. Records of patients of the University's Health Clinic, to ensure that those patients receive appropriate treatment, and of individuals associated with the clinical/professional placements of students across the University (e.g. to ensure that the University can contact a student's placement provider, to discuss a student's progression or welfare during their placement):
    1. records of name, date of birth, home address and other personal information of patients gathered as part of health assessment processes;
    2. information about the health status and medical treatment of patients; and
    3. special circumstances remissions applications which may contain health information.

Inventory of the University's Significant Information Systems

System Purpose
Academic Integrity Database: Excel-based database for registration and monitoring of current and past academic integrity issues.
Aurion Human Resources information database (including some payroll capacity).
CONRAD: (Continuity Register And Database) - clinical placements database used specifically for storage of information relating to midwifery projects.
Corporate Records System: Corporate records keeping system.
CRM: Customer Records Management (system) - customer relations database for logging and monitoring interaction with student and non-student enquiries.
E-learning / Blackboard learning system: Student electronic interactive learning interface (host of podcasts, 'Illuminate' portal, etc.).
Email system: Staff and student email system.
Etrans: A purchasing and authorisation database utilised University-wide.
Filemaker Pro: logging and storage electronic database utilised by Student Services.
Finance One: The University's core finance system.
IRMA A database used within the Office of Research for recording research publications, contracts and grants, higher degree research students and animal and human ethics records.
LEX Records management system used with the University Legal Office.
MIS: Management Information System
SONIA: Clinical placements database.
Student One (Student Management System): Student information database with differing levels of access, and two separate portals - one for students, and another for University staff.
Top of Page

Section 4 - Privacy Management Principles

Introduction

(23) The privacy principles are the standards which the University implements when dealing with personal information (including health information).

(24) The University's 'privacy principles' are based on a combination of the 12 IPPs (in Sections 8 to 19 of the PPIP Act) and the 15 HPPs (in Schedule 1 of the HRIP Act). The principles are consistent with most requirements of the APPs (in the Privacy Act 1988 (Cth)). However, to the extent the IPPs and HPPs do not fully meet the APP requirements, Section 5 - of this Plan provides additional principles for specific and limited use.

(25) There are a number of ways that our conduct may be exempt from one or more of the IPPs, HPPs or APPs. Exemptions are found in the Acts themselves, in temporary Directions made by the Privacy Commissioner, and in Privacy Codes of Practice. In some cases, other legislation will override the privacy principles. If in doubt, you should always check the exact wording in the legislation.

(26) The following section uses plain language (not the wording of the law itself) to describe the privacy principles and how University staff must comply with them. It also mentions the exemptions that may be relevant for the University, depending on the context.

(27) If you need guidance on interpreting the requirements of the privacy principles or exemptions, please contact the University's Privacy Contact Officer (see clause (58) of this Plan).

The Principles

(28) Our privacy obligations for all personal information and health information have been condensed into one set of 13 plain language principles to be followed by the University:

  1. Limiting Our Collection of Personal Information;
  2. Anonymity;
  3. Unique Identifiers;
  4. How We Collect Personal Information - the Source;
  5. How We Collect Personal Information - the Method and Content;
  6. Notification When Collecting Personal Information;
  7. Security Safeguards;
  8. Transparency;
  9. Access;
  10. Correction;
  11. Accuracy;
  12. Use; and
  13. Disclosure.

(29) Specific and additional obligations which relate to the management of information subject to the Privacy Act 1988 (Cth) as listed at clause (17) are defined in Section 5 - of this Privacy Management Plan.

Part A - Limiting Our Collection of Personal Information

(30) We will only collect personal information if:

  1. it is for a lawful purpose that is directly related to one of our functions, and
  2. it is reasonably necessary for us to have the information.

Special rule for health information or sensitive information?

No.

Key messages, examples and definitions

We won't ask for personal information unless we really need it. In particular, we will avoid collecting "sensitive information" if we don't need it.
By limiting our collection of personal information to only what we really need, it is much easier to comply with our other obligations.
Example: when designing a form, ask yourself: "do we really need each bit of this information?"
Example: If we need to know a person's age to provide age-appropriate services, we will ask for their age or year of birth, not their date of birth.

Common exemptions

Unsolicited information
Information collected before 1 July 2000
Before you rely on an exemption, check with the University's Privacy Contact Officer (see clause (58) of this Plan).

Part B - Anonymity

(31) We will allow people to receive services from us anonymously, where lawful and practicable.

Special rule for health information or sensitive information?

No.

Key messages, examples and definitions

Example: Potential 'customers' of the University should be provided with information about the University's programs and services, without having to identify themselves.

Common exemptions

None.

Part C - Unique Identifiers

(32) We will only identify people by using unique identifiers if it is reasonably necessary for our functions.

Special rule for health information or sensitive information?

No.

Key messages, examples and definitions

Identifiers can assist with efficient record management, but they also pose privacy risks if they are used to match or compile large quantities of data about a person from different sources. For that reason, sharing unique personal identifiers between different organisations is generally prohibited.
A unique personal identifier is not just a person's name or file number. It can be a key (such as a number) which aims to uniquely identify a person - for example so that you can separate all the different people with the name 'John Smith'.
A student number, tax file number, a unique patient number or a driver's licence number is a unique personal identifier.

Common exemptions

None.

Part D - How We Collect Personal Information - the Source

(33) We will only collect personal information directly from the person unless they have authorised otherwise.

Special rule for health information or sensitive information?

Yes. The rule for health information is a little easier. We must collect health information directly from the person, unless it is unreasonable or impractical to do so.

Key messages, examples and definitions

If we need information about Sue, we should ask Sue herself, rather than Jim.
By collecting information direct from the source, it will be easier for us to comply with other obligations too, like ensuring the accuracy of the information, and getting permission for any disclosures of the information.
Example: A student has fainted and a representative from Student Services has called the first aid officer. It is OK to ask the student's friend for some health information about the student ("is the student diabetic?") because it is unreasonable and impractical to ask the student directly.
Example: Potential students have already authorised UAC to provide their information to the University on their behalf, when applying for a course at the University.

Common exemptions

Unsolicited information.
Where the person is under 16, we can instead collect the information from their parent or guardian (but we don't have to).
If another law authorises or requires us to collect the information indirectly (i.e. from a different source).
For some law enforcement and investigation purposes.
When we are taking a family, social or medical history from a client of our health or counselling services.
Information collected before 1 July 2000.
If compliance would, in the circumstances, prejudice the interests of the individual to whom the information relates.
Before you rely on an exemption, check with the University's Privacy Contact Officer (see clause (58) of this Plan).

Other relevant points

Where a person lacks some capacity (e.g. because of a brain injury), we can ask their authorised representative for the information instead. But we must also still try to communicate with them directly. Privacy NSW's Best Practice Guide Privacy and people with decision-making disabilities explains how to collect personal information from or about a person who has limited or no capacity.
Privacy NSW's Handbook to Health Privacy provides some other examples of when it might be "unreasonable or impractical" to collect health information directly from the person.

Part E - How We Collect Personal Information - the Method and Content

(34) We will not collect personal information by unlawful means.

(35) We will not collect personal information that is intrusive or excessive.

(36) We will ensure that the personal information we collect is relevant, accurate, up-to-date, complete, and not misleading.

Special rule for health information or sensitive information?

No.

Key messages, examples and definitions

We won't ask for information that is not relevant, very personal, or might become out of date. But we only need to take 'reasonable steps' to ensure we meet this standard.
To determine what might be 'reasonable steps', we will consider:
the sensitivity of the information;
the possible uses of the information; and
the practicality and cost of aiming for 'best practice'.
Example: PQR wants to do a student satisfaction survey or conduct teacher or unit feedback studies. It is not relevant for the University to know each student's or teacher's home address, date of birth or marital status.

Common exemptions

Unsolicited information
Information collected before 1 July 2000
Before you rely on an exemption, check with the University's Privacy Contact Officer (see clause (58) of this Plan).

Part F - Notification When Collecting Personal Information

(37) When collecting personal information, we will take reasonable steps to tell the person:

  1. our contact details;
  2. who will hold and/or have access to their personal information;
  3. what it will be used for;
  4. what other organisations (if any) routinely receive this type of personal information from us;
  5. whether the collection is required by law;
  6. whether we are likely to disclose the information to overseas recipients and, if so, the countries in which these recipients are likely to be located;
  7. what the consequences will be for the person if they do not provide the information to us;
  8. how the person can access their personal information held by us; and
  9. if we have obtained the information from someone else, or the individual may not be aware that we have collected the information, that we collect, or have collected, the information, and the circumstances of collection.

Special rule for health information or sensitive information?

As a general rule, we have to try harder to notify people when we're collecting health information or any information that might be considered sensitive.

Key messages, examples and definitions

Individuals providing their personal information to us have a right to know the full extent of how the information they provide will be used and disclosed, and to choose whether or not they wish to go ahead with providing information on that basis.
Notification therefore allows a person to make an informed decision about whether or not to give us their personal information. Notification is done through a 'privacy notice'.
Privacy notices can be given in writing or verbally, but writing is better. But we only need to take reasonable steps to ensure each person receives the notice.
Where the person lacks some capacity (e.g. because of a brain injury), we must notify their authorised representative, but also still try to communicate with the person direct.
To determine what might be "reasonable steps", we will consider:
the sensitivity of the information;
the possible uses of the information.

Common exemptions

Unsolicited information.
Information collected before 1 July 2000.
If another law authorises or requires us to not notify people.
Some law enforcement and investigation purposes.
The person has already been notified by the organisation that gave us the information.
Before you rely on an exemption, check with the University's Privacy Contact Officer (see clause (58) of this Plan).

Other relevant points

When drafting a privacy notice, use the University's Template Privacy Notice attached in Appendix A to this document. Any new projects which might collect personal information should be reviewed by the University's Privacy Contact Officer (see clause (58) of this Plan) to ensure an adequate privacy notice is included.
For non-English speaking background clients, the Community Language Privacy Notice should be used.
Privacy NSW's Best Practice Guide Privacy and people with decision-making disabilities explains how to notify a person who has limited capacity to understand.

Part G - Security Safeguards

(38) We will take reasonable security measures to protect personal information from loss, unauthorised access, use, modification or disclosure.

(39) We will ensure personal information is stored securely, not kept longer than necessary, and disposed of appropriately.

Special rule for health information or sensitive information?

As a general rule, we will have to work harder to protect health information or any information that might be considered sensitive.

Key messages, examples and definitions

Security measures could include technical, physical or administrative actions.
Example: We must only provide personal information to a contractor or service provider if they really need it to do their job. We must also take reasonable steps to prevent any unauthorised use or disclosure of the information by a contractor or service provider, and remember to bind our contractors to the same privacy obligations as us.
Example: We must follow good practice records management.
To determine what might be "reasonable steps", we will consider:
the sensitivity of the information;
the context in which the information was obtained;
the purpose for which we collected the information;
the possible uses of the information; and
the practicality and cost of aiming for 'best practice'.

Common exemptions

None.

Part H - Transparency

(40) We will enable anyone to know:

  1. whether we are likely to hold their personal information;
  2. the purposes for which we use personal information; and
  3. how they can access their own personal information.

Special rule for health information or sensitive information?

No.

Key messages, examples and definitions

We have a broad obligation to the community, to be open about how we handle personal information. This is different to collection notification, which is much more specific, and given at the time of collecting new personal information.
Example: This Plan will be available on our website. This Plan briefly explains our privacy obligations, and sets out the major categories of personal and health information that we hold and how best a person can go about seeking access to or amendment of their information with the University.
Interested people can also contact the Privacy Contact Officer by telephone or email (see clause (58) of this Plan) to discuss topics such as how best to find out whether the University holds their personal or health information, the University's purpose in collecting specific types of information and how the University collects, stores, uses and discloses particular types of information.

Common exemptions

None.

Part I - Access

(41) We will allow people to access their personal information without unreasonable delay or unreasonable expense. We do not charge an individual to access their own personal information or health information held by us. We will only refuse access where authorised by law, and we will provide written reasons.

(42) Requests by a person to access their personal information or health information held by or disclosed to the University in any other way should be made using the "Application for Personal Information" form.

(43) If a person asks for access to information which is not their own personal information, the University will request that that person makes an application under the Government Information (Public Access) Act 2009 using the Government Information Access Application Form located on our website by searching "Right to Information" or "GIPA". The exception to this is if the person seeking access either has appropriate authorisation from the person whose personal information they are seeking to access or is requesting access because that person has diminished or lost capacity to provide that authority. The University charges fees in line with those set out in the Government Information (Public Access) Act for those types of applications (as set out in Section 7 - of this Plan) although the University may choose to reduce or waive those fees in certain, limited circumstances.

Special rule for health information or sensitive information?

No.

Key messages, examples and definitions

People should be able to see what information we hold about them, with a minimum of fuss.
Our policy is that as much as possible, we will let both students and staff see their own personal information informally at no cost.
The most common types of personal information that we hold, and the ways for a person (or, if they have a disability or impairment or otherwise authorise a representative, their representative) to access that information include:
- Student enrolment information and final results - a student can view certain enrolment and personal information online through "My Enrolment", accessible from our website. A student or former student can also access this information at a Student Centre or Student Hub (details for each campus available at https://www.scu.edu.au/current-students/contact-us/ ) or by email (enquiry@scu.edu.au);
- Information regarding individual student results or grades - a student must address any requests for information about examinations or assessment outcomes or querying final grades to their Unit Assessor at the relevant SCU School or College;
- Information relating to employees or former employees - these types of requests should be addressed to HR Services at hr@scu.edu.au or HR Services, PO Box 157 Lismore NSW 2480 Australia; and
- Personal information and health information disclosed by the individual to the SCU Gym or Health Clinic - a client or former client of the Health Clinic should contact the relevant Health Clinic directly (by email to clinic@scu.edu.au or as per the contact details for each Clinic available at https://www.scu.edu.au/engage/southern-cross-university-health-clinic/contact-us/ ) or the Gym at gym@scu.edu.au

Common exemptions

If another law (such as the Government Information (Public Access) Act 2009 (NSW)) authorises or requires us to not to give the person access.
Before you rely on an exemption, check with the University's Privacy Contact Officer (see clause (58) of this Plan).

Other relevant points

Any unusual request to access personal information should be put in writing, and then referred to the University's Privacy Contact Officer for review (see clause (58) of this Plan).
Privacy NSW's Best Practice Guide Privacy and people with decision-making disabilities explains how to provide access to personal information held about a person who has limited or no capacity.

Part J - Correction

(44) We will allow people to update or amend their personal information to ensure it is accurate, relevant, up-to-date, complete or not misleading.

(45) We will suppress a person's address on request.

(46) Where possible, we will notify any other recipients of any changes.

Special rule for health information or sensitive information?

No.

Key messages, examples and definitions

If we disagree with the person about whether the information needs changing, we must instead allow the person to add a statement to our records.
We can't charge people to lodge their request for amendment, for making an amendment to a person's personal information or for adding a statement to our records reflecting the amendment that the person requested. The fact that we do not charge for amendments does not mean that, for example, a student can just ask us to alter their student grades without going through the proper processes.
Example: When a student calls or visits Student Services to obtain information about their course of study, or to change their personal details, or accesses Student One to update their contact details, the amendment process should be processed quickly and for no cost. A person who wants the University to amend their personal information or health information should make that request to the part of the University that they believe collected or recorded that information. Using the examples from Part I - of this Plan:
- Requests to amend student enrolment and contact information should be made online through "My Enrolment" (for those details which can be amended using that system) or directly with our Student Services team at a Student Centre or Student Hub (details for each campus available at https://www.scu.edu.au/current-students/contact-us/ ) or by email to (enquiries@scu.edu.au);
- Requests to query or amend student results (final grades or for outcomes on individual examinations) must be made in accordance with the Rules Relating to Awards, available online in the SCU Policy Library;
- Requests by employees or former employees to amend personal or health information held about them in the capacity of their employment, should address their requests to HR Services; and
- Individuals wanting to amend health or personal information provided to the University's Gym or Health Clinic, should contact the Gym or the Clinic (as applicable).
Requests to amend any other type of personal or health information held by the University should be made, in writing, to the Privacy Contact Officer (see clause (58) of this Plan).

Common exemptions

If another law authorises or requires us to not amend the information.
Before you rely on an exemption, check with the University's Privacy Contact Officer (see clause (58) of this Plan).

Other relevant points

Any unusual request to amend personal information should be put in writing, and then referred to the University's Privacy Contact Officer to review (see clause (58) of this Plan).

Part K - Accuracy

(47) Before using or disclosing personal information, we will take appropriate steps to ensure that the information is relevant, accurate, up-to-date, complete, and not misleading.

Special rule for health information or sensitive information?

No.

Key messages, examples and definitions

We must ensure that personal information is still relevant and accurate before we use or disclose it.
We only need to take reasonable steps to check the information - but more steps will be needed if we're likely to use the information in a way that will disadvantage the person.
What might be considered "reasonable steps" will depend upon the circumstances, but some points to consider are:
the context in which the information was obtained;
the purpose for which we collected the information;
the purpose for which we now want to use the information;
the sensitivity of the information;
the number of people who will have access to the information;
the potential effects for the person if the information is inaccurate or irrelevant;
any opportunities we've already given the person to correct inaccuracies; and
the effort and cost involved in checking the information.
Example: When Enrolment services are determining a potential student's eligibility to study with us, we will give the person an opportunity to correct the information we are relying on before we make our final decision. The same process applies to any information about students or staff published by the University's Community and Corporate Relations department.

Common exemptions

None.

Part L - Use

(48) We may use personal information:

  1. for the primary purpose for which it was collected;
  2. for a directly related secondary purpose within the reasonable expectations of the person; or
  3. for another purpose if the person has consented.

Special rule for health information or sensitive information?

No.

Key messages, examples and definitions

We should only use personal information for the purpose for which it was collected. We shouldn't go finding new and interesting uses for people's personal information.
Example: If the primary purpose of collecting student information was to process an enrolment and course selection, directly related secondary purposes within the reasonable expectations of the person for which their personal information could be used by the University would include billing for the course, auditing or course evaluation.

Common exemptions

To deal with a serious and imminent threat to any person.
If another law authorises or requires us to use the information.
Some law enforcement and investigative purposes.
Some research purposes, subject to approval by the University's Human Research Ethics Committee (conducted in accordance with the Information and Privacy Commissioner's "Public Interest Direction on Disclosures of Information by Public Sector Agencies for Research Purposes")
Before you rely on an exemption, check with the University's Privacy Contact Officer (see clause (58) of this Plan).

 

Other relevant points

The primary purpose for which we have collected the information should have been set out in a privacy notice. To use personal information for a purpose set out in the privacy notice is usually OK, but for any other purpose, check with the University's Privacy Contact Officer first (see clause (58) of this Plan).
Privacy NSW's Best Practice Guide Privacy and people with decision-making disabilities explains how to seek consent for a secondary use of personal information from a person who has limited or no capacity.
Privacy NSW's Statutory Guidelines on Research explain how health information can be used for research purposes. It also provides a good rule of thumb for the use of other types of personal information for research purposes.

Part M - Disclosure

(49) We will only disclose personal information if:

  1. at the time we collected their information, the person was given a privacy notice to inform them their personal information would or might be disclosed to the proposed recipient;
  2. the disclosure is directly related to the purpose for which the information was collected, and the University has no reason to believe that the individual concerned would object to the disclosure; or
  3. the person concerned has consented to the proposed disclosure.

Special rule for health information or sensitive information?

Yes. If the personal information is 'sensitive personal information', we may only disclose it if the person has consented.
Tougher rules also apply when transferring health information outside of NSW (including to the Commonwealth Government). We can only transfer health information outside NSW if one of the following applies:
  1. the person concerned has consented;
  2. if it is necessary for a contract with (or in the interests of) the person concerned;
  3. if it will benefit the person concerned, we cannot obtain their consent, but we believe the person would be likely to give their consent;
  4. we reasonably believe that the recipient of the information is subject to a law or binding scheme equivalent to the HPPs; or
  5. we have bound the recipient by contract to privacy obligations equivalent to the HPPs.

Key messages, examples and definitions

So long as the personal information in question is not 'sensitive personal information', we can disclose information in ways we clearly notified the person about at the time we collected their personal information.
However if we didn't tell the person about the proposed disclosure in a privacy notice, or if the personal information in question is 'sensitive personal information', or if it is health information and we want to send it outside NSW, we will usually have to get the person's consent for the disclosure.

Common exemptions

To deal with a serious and imminent threat to any person
To deal with a serious threat to public health or safety (health information only)
If another law authorises or requires us to disclose the information
Some law enforcement and investigative purposes
Some research purposes, subject to approval by the University's Human Research Ethics Committee.
Before you rely on an exemption, check with the University's Privacy Contact Officer (see clause (58) of this Plan).

Other relevant points

The primary purpose for which we have collected the information should have been set out in a privacy notice. To disclose personal information that is not 'sensitive' for a purpose set out in the privacy notice is usually OK, but for any other purpose, check with the University's Privacy Contact Officer first (see clause (58) of this Plan).
Privacy NSW's Best Practice Guide Privacy and people with decision-making disabilities explains how to seek consent for a disclosure of personal information from a person who has limited or no capacity.
Privacy NSW's Statutory Guidelines on Research explain how health information can be disclosed for research purposes. It also provides a good rule of thumb for the disclosure of other types of personal information for research purposes.
Top of Page

Section 5 - Information Subject to the Privacy Act 1988 (Cth)

(50) Information defined at clause (17) which is subject to the provision of the Privacy Act 1988 (Cth) will be managed in accordance with the principles contained in this Plan and:

  1. where the University receives unsolicited personal information:
    1. the University will, within a reasonable period, determine whether it could have collected the information under APP 3;
    2. if the information could have been collected, then APPs 5 to 13 apply to the information;
    3. if the University could not have collected the information, it will destroy or de-identify the information as soon as practicable, but only if lawful and reasonable to do so;
  2. the University will not disclose personal information to an overseas recipient, unless:
    1. the University is reasonably satisfied the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that is at least substantially similar to the way in which the APPs protect the information, and there are mechanisms that the individual can access to take action to enforce that protection; or
    2. the individual has provided their consent to the cross-border disclosure; or
    3. it is required under law;
  3. the University will only use or disclose personal information for direct marketing purposes where the individual has either consented to their personal information being used for direct marketing, or has a reasonable expectation that their personal information will be used for this purpose, and conditions relating to opt-out mechanisms are met.
Top of Page

Section 6 - Privacy Complaints

(51) Students and staff of the University may lodge an informal complaint by contacting the unit concerned. If a privacy complaint cannot be resolved informally by the unit concerned, a person may apply for an 'internal review' of conduct they believe breaches an IPP, HPP and/or an APP.

(52) Internal review is the process by which the University manages formal, written privacy complaints about how we have dealt with personal information or health information. All written complaints about privacy are considered to be an application for internal review, even if the applicant doesn't use the words 'internal review'.

(53) By law, an application for internal review must:

  1. be in writing;
  2. be addressed to the University;
  3. specify an address in Australia to which the applicant is to be notified after the completion of the review; and
  4. be lodged at the University within six months from the time the applicant first became aware of the conduct that they want reviewed.

(54) The University encourages the use of the Internal Review Application Form, found at Appendix B to this Plan.

(55) An application for internal review can be on behalf of someone else.

(56) Where the applicant is not literate in either English or their first language and where there is no other organisation making the application on their behalf, staff should help the person to write their application. Staff should use a professional interpreter, if necessary. Applications in other languages will be accepted and translated, and all acknowledgments and correspondence to the applicant will be translated.

(57) Students and staff of the University may make a request for internal review and investigation through contact with the University's Privacy Contact Officer. Applications for internal review, or any written complaint about privacy, received at any the University office, should be forwarded immediately to the University's Privacy Contact Officer.

(58) The Privacy Contact Officer's details are as follows:

The SCU Privacy Contact Officer
SCU Legal Office
Southern Cross University
PO Box 157
LISMORE
PH: (02) 6620 3465
Fax: (02) 6626 9125
Email: privacy@scu.edu.au

(59) If the Privacy Contact Officer decides that the complaint is about an alleged breach of the IPPs, HPPs and/or APPs, the internal review will be conducted by the Privacy Contact Officer or another staff member who:

  1. was not involved in the conduct which is the subject of the complaint;
  2. is an employee or an officer of the agency, and
  3. is qualified to deal with the subject matter of the complaint.

Extensions of time for lodgement

(60) While the legislation allows applicants six months to apply for an internal review from the time the applicant first becomes aware of the conduct, the University may accept late applications.

(61) Possible acceptable reasons for delay may be:

  1. ill-health or other reasons relating to capacity;
  2. the complainant only recently becoming aware of his or her right to seek an internal review; or
  3. the complainant reasonably believing that he or she would suffer ill-effects as a result of making an application at an earlier time.

(62) However late applications that, because of their age, cannot be investigated in a meaningful way will be declined. In these cases, witnesses may no longer be available, documents may have been destroyed and memories may have faded.

(63) Final decisions on the acceptance of late applicants will only be made by the University's Privacy Contact Officer. Where the University declines to accept an application because it is too old, the reason will be explained in a letter to the applicant.

The Internal Review process

(64) When the University receives an internal review application, the Privacy Contact Officer will:

  1. send an acknowledgment letter to the applicant and advise that if the internal review is not completed within 60 days they have a right to seek a review of the conduct by the NSW Civil and Administrative Tribunal; and
  2. send a letter to the NSW Privacy Commissioner with details of the application. A photocopy of the written complaint will also be provided to the NSW Privacy Commissioner.

(65) Internal reviews follow the process set out in the Information and Privacy Commission New South Wales ("IPC") Internal Review Checklist.

(66) The University is required to check whether the Privacy Commissioner wishes to make a submission in relation to an internal review. The University will do this by sending a draft copy of our preliminary determination to the IPC,

(67) When the internal review is completed, and the University has received a response from the Privacy Commissioner about our draft preliminary determination, the University's Privacy Contact Officer will notify the applicant in writing of:

  1. the findings of the review;
  2. the reasons for the finding, described in terms of the IPPs, HPPs and/or APPs;
  3. any action we propose to take;
  4. the reasons for the proposed action (or no action); and
  5. the applicant's entitlement to have the findings and the reasons for the findings reviewed by the NSW Civil and Administrative Tribunal.

(68) We will also send a copy of this letter to the Privacy Commissioner.

(69) Statistical information about the number of internal reviews conducted must be maintained for the University's Annual Report.

External review by the NSW Civil and Administrative Tribunal

(70) People may apply to the NSW Civil and Administrative Tribunal for an external review of the conduct which was the subject of their earlier internal review application. The NSW Civil and Administrative Tribunal may make orders requiring the University to:

  1. refrain from conduct or action which breaches an IPP, HPP or Code;
  2. perform in compliance with an IPP, HPP or Code;
  3. correct information disclosed by the University; or
  4. take steps to remedy loss or damage.

(71) The NSW Civil and Administrative Tribunal may also make an order requiring the University to pay damages of up to $40,000 if the applicant has suffered financial loss or psychological or physical harm as a result of the conduct.

(72) The NSW Civil and Administrative Tribunal's contact details are as follows:

NSW Civil and Administrative Tribunal - Administrative and Equal Opportunity Division
Level 10. 86 Goulburn Street
SYDNEY NSW 2000
1300 006 228
TTY: (02) 9377 5859
Top of Page

Section 7 - Fees and Charges

(73) The University will impose fees for formal information access applications made under the Government Information (Public Access) Act 2009. When determining the fee amount, we will use applicable provisions of the Government Information (Public Access) Act 2009 which are currently as follows:

Activity Cost
Information Access Application Fee $30
Processing Fee $30 per hour - (applicant gets 20 hours free when seeking their own personal information - other discounts may apply).

(74) See the University's Right to Information page, available on our website by searching for "Right to Information" or "GIPA", for further details on these types of applications and the associated fees and charges.