Macquarie University is committed to protecting the privacy of its students, employees and others who interact with it while undertaking its learning and teaching, research, engagement, and associated administrative activities and support services. All staff and functional units of the University have an obligation to be aware of and implement the privacy principles and practices established by legislation and articulated in this and other related policies.
This Policy provides guidance on the University’s approach to its information handling practices and that of its controlled entities in relation to the information collected from its students, employees and others who interact with it.
As a NSW public sector agency, the University is required to comply with the NSW Privacy and Personal Information Protection Act 1998 (PPIPA) and the NSW Health Records and Information Privacy Act 2002 (HRIPA), in respect of personal and health information which it collects and uses. The University aligns its practices and activities with the Information Protection Principles (IPPs), and the Health Privacy Principles (HPPs) contained in those Acts as outlined in the University’s Privacy Management Plan.
The University also follows any public interest directions and statutory guidelines issued by the Information and Privacy Commission NSW (or its equivalent) in relation to personal and health information. The University’s Privacy Management Plan provides more information on how the University implements its obligations under the PPIPA and HRIPA, and how these Acts apply to the University’s operations.
The University’s controlled entities considered an “organisation” under the Privacy Act 1988 (Cth) (Commonwealth Privacy Act) must also comply with the Commonwealth Privacy Act and the Australian Privacy Principles (APPs) in addition to the PPIPA and the HRIPA when dealing with personal and health information.
Whilst the University is not bound to comply with the Commonwealth Privacy Act (other than as a tax file number recipient), it strives to apply the APPs to its own practices to achieve consistency in protecting the privacy of individuals across University entities.
The University has established the following information privacy framework to communicate the applicable privacy laws to staff, students and others who interact with the University:
- Privacy Management Plan
- privacy policies for controlled entities
- privacy collection notices/statements and consents
- related policies, procedures, and guidelines on the management of information.
This Policy applies to:
- all employees of the University and its controlled entities,
- all students of the University including former students,
- all University researchers and HDR candidates, and
- any person who handles personal or health information for or on behalf of the University or its controlled entities, including contractors, agents, visitors, honorary, clinical or adjunct appointees and consultants of the University.
Commonly defined terms are located in the University Glossary. The following definitions apply for the purpose of this Policy:
Controlled entity/entities: a person, group of persons or body of which the University or the University Council has control within the meaning of Section 39 (IA) or 45A (IA) of the Public Finance and Audit Act 1983 (NSW).
Information: personal, sensitive or health information (as defined by applicable legislation depending on context).
Health information: as defined in HRIPA is:
“(a) personal information that is information or an opinion about:
the physical or mental health or a disability (at any time) of an individual; or
an individual’s express wishes about the future provision of health services to him or her, or
a health service provided or to be provided to an individual; or
(b) other personal information collected to provide, or in providing a health service, or
(c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances, or
(d) other personal information that is genetic information about an individual arising from a health service provided to the individual that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual, or
(e) healthcare identifiers.”
Health information (for controlled entities): as defined in the Commonwealth Privacy Act is:
“(a) information or an opinion about:
(i) the health, including an illness, disability or injury, (at any time) of an individual; or
(ii) an individual's expressed wishes about the future provision of health services to the individual; or
(iii) a health service provided, or to be provided, to an individual;
that is also personal information;
(b) other personal information collected to provide, or in providing, a health service to an individual;
(c) other personal information collected in connection with the donation, or intended donation, by an individual of his or her body parts, organs or body substances;
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.”
Personal information: as defined in PPIPA is:
“information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics”.
It does not include (this list is not exhaustive):
- information about an individual who has been dead for more than 30 years,
- information about an individual that is contained in a publicly available publication,
- information or an opinion about an individual’s suitability for appointment or employment as a public sector official,
- information about an individual that is contained in a public interest disclosure,
- health information within the meaning of HRIPA.
Personal information (for controlled entities): as defined in the Commonwealth Privacy Act is:
“information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.”
Personal sensitive information (as defined in PPIPA): an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.
Privacy Framework: the suite of documents that inform individuals of the relevant privacy laws and how the University and its controlled entities collect, use, disclose and retain personal and health information and how access and correction requests are handled.
Privacy Management Plan: the Plan developed and implemented by the University in accordance with its obligation under section 33 of PPIPA.
Sensitive information (for controlled entities): as defined in the Commonwealth Privacy Act is:
“(a) information or an opinion about an individual's:
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual orientation or practices; or
(ix) criminal record;
that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information; or
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates.”
University: Macquarie University including its employees, students, University researchers, HDR candidates, and any person who handles personal or health information for or on behalf of the University.
5 POLICY STATEMENT
The University ensures those covered by the scope of this policy are made aware of their responsibilities under the PPIPA, HRIPA, and the Commonwealth Privacy Act and provides appropriate information and training opportunities.
Privacy Management Plan
The University has implemented a Privacy Management Plan setting out how its obligations under PPIPA and HRIPA apply to the University’s operations.
Dealings between the University and Controlled Entities
The University must ensure that any information provided by the University to a controlled entity is protected in accordance with the same standards that the University applies to the information it holds.
Therefore, in any dealings between the University and its controlled entities regarding personal and health information, the standards applicable to the University (i.e. under PPIPA and HRIPA) must be applied in addition to the requirements under the Commonwealth Privacy Act.
Concurrent operation of Acts for Controlled Entities
The Commonwealth Privacy Act contemplates that an entity, such as a controlled entity of the University, may have duties under both Commonwealth and State privacy legislation.
To the extent that there are inconsistencies between the Commonwealth Privacy Act and the NSW privacy acts which apply to a controlled entity, the Commonwealth Privacy Act will prevail.
In handling personal and health information, the University and its controlled entities align their practices with the IPPs, HPPs and APPs as follows. Where there are additional requirements due to differences between the PPIPA and the Commonwealth Privacy Act, specifically the classification of health information as sensitive information by the Commonwealth Privacy Act, these have also been articulated below.
Collection and use
The University and its controlled entities may collect and use personal and health information only for lawful purposes that are directly related to a function or activity of the University or controlled entity, and where the information is reasonably necessary for that purpose; for a directly related purpose that the individual would expect; or for a purpose for which the individual has given consent, unless an exemption applies. For controlled entities, consent is also required to be obtained for the collection of health information.
The University may disclose information held about an individual under various circumstances including the following:
a) if the disclosure is directly related to the purpose for which the information was collected and the University has no reason to believe that the individual concerned would object to the disclosure, or
b) the individual concerned is reasonably likely to have been aware or is aware that information of that kind is usually disclosed to that party, or
c) the University believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious or imminent threat to an individual’s life or health, or
d) consent has been given by the individual, or
e) disclosure is otherwise authorised, permitted, or required by law.
The University cannot disclose an individual’s sensitive information without consent unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of an individual. For controlled entities, this also includes health information.
Transborder Disclosure by University
In addition to the normal disclosure rules, the University will not disclose (or transfer) personal or health information of individuals to any person or body outside NSW or overseas unless an exemption applies.
More specific information about the University’s disclosure obligations is available in the Privacy Management Plan.
Cross Border Disclosure by controlled entities
Controlled entities can only use and disclose personal information for a purpose for which it was collected (“primary purpose”) or for a secondary purpose if an exemption applies.
Generally, the University’s controlled entities do not disclose personal information (including sensitive information) outside Australia.
However, some service providers do operate overseas or use third party hosting arrangements that store information outside Australia. If this occurs, the controlled entity is required to take reasonable steps to ensure the overseas recipients treat the personal information in accordance with the Australian Privacy Principles and make that overseas recipient accountable if the information is mishandled.
Collection, Use and Disclosure for Research Purposes
The University may collect, use and disclose personal or health information for research purposes without obtaining an individual’s consent provided it:
- complies with all the criteria set out in section 27B of the PPIPA for personal information (or HPP10(1)(f) and HPP11(1)(f) of HRIPA for health information),
- complies with any Statutory Guidelines issued by the NSW Privacy Commissioner, and
- obtains prior approval from the University’s Human Research Ethics Committee.
The University’s controlled entities must also comply with any guidelines issued under sections 95 and 95A of the Commonwealth Privacy Act in respect of collecting, using and disclosing health information for research purposes, or for compilation or analysis of statistics relevant to public health or public safety where individual consent is not obtained, and obtain prior approval of the University’s Human Research Ethics Committee.
Retention, Security and Disposal
The University and its controlled entities will retain information for as long as necessary for the purpose for which it may lawfully be used, subject to the requirements of any other law.
The University and its controlled entities will take reasonable measures to protect information held against loss, misuse, interference and unauthorised access, modification or disclosure.
The University and its controlled entities may need to retain records for a significant period of time to comply with their legal obligations. Information that is no longer required will be archived in accordance with the University’s retention obligations or securely destroyed in accordance with the University’s disposal procedures.
Access and Correction
An individual may apply to the University or its controlled entities to access, correct or amend personal information held about them without excessive delay or expense, subject to any exceptions in relevant legislation.
All requests for access should follow the Request for Information process as outlined in the Privacy Management Plan. Note that information about a third party is not accessible under the PPIPA and Commonwealth Privacy Act.
Requests to correct personal information can be made informally or through a formal process as outlined in the Privacy Management Plan.
GIPA access requests for information
Any individual may also request access to University records and information held by the University (but not a controlled entity) under the Government Information (Public Access) Act 2009 (NSW) (GIPA request).
Under PPIPA and HRIPA access to information is provided only to the person to whom the information relates.
A GIPA request can be made to the University about any information it holds by contacting the Right to Information Officer by email at email@example.com
Complaints about privacy breaches by the University are handled in accordance with the University’s Privacy Management Plan.
If an individual has a complaint about how their personal or health information is collected, held, used, secured or disclosed they should contact the University’s Privacy Officer in the first instance as follows:
Mail: University Privacy Officer, Macquarie University NSW 2109
Phone: 9850 7111
6 RELEVANT LEGISLATION
- Privacy and Personal Information Protection Act 1998 (NSW)
- Health Records and Information Privacy Act 2002 (NSW)
- Privacy Act 1988 (Commonwealth)
- Government Information (Public Access) Act 2009 (NSW)
7 KEY RELATED DOCUMENTS
- Privacy Management Plan
- Information Security Policy / Procedure
- Closed Circuit Television Policy and Workplace Surveillance Policy (under development)
- Data Classification Procedure and Standards
- Records and Information Management Policy
- Records and Information Access and Security Procedure
- Records and Information Retention and Disposal Procedure
- Right to Information at Macquarie
Privacy Officer/Compliance Manager
Privacy Officer/Compliance Manager
Vice-President, University Services and Strategy
2 November 2017
Date of Commencement
2 November 2017
Date for Review
Documents Superseded by this Policy
5 September 2019 - Updated Approval Authority from Chief Operating Officer and Deputy Vice-Chancellor to Vice-President, University Services and Strategy in accordance with responsibilities per Delegations of Authority Register.