Privacy Obligations and Requirements Guideline

Section 1 - Introduction

(1) This is a guide to the obligations and requirements of the Privacy Act 1988 (Cth) (Privacy Act) and the application of the Privacy Policy, which sets out the manner in which ACU complies with and implements the requirements of the Privacy Act.

(2) This Guide is based on the Australian Privacy Principles Guidelines (APPs) issued by the Office of the Australian Information Commissioner.

(3) The Guide is intended only to provide an overview of aspects of Privacy Law requirements and the specific requirements of the Privacy Policy, and to indicate where potential risk to the University may arise. It is not advice or an instruction manual. Advice should be sought on specific matters from the Privacy Coordinator or, if legal advice is required, the Office of General Counsel (OGC).

Section 2 - What is Privacy?

(4) The Privacy Act 1988 (Cth) protects personal information.

(5) Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, that:

Section 3 - What Activities Does the Privacy Act Cover?

(6) The Privacy Act covers the following:

Section 4 - Employee Records

(7) Records of acts done or practices engaged in by ACU which are directly related to a current or former employment relationship between ACU and the individual are exempted from the Privacy Act. Such records will, however, generally be considered confidential and must be treated accordingly.

(8) Employment records are exempt only insofar as they relate directly to the employment relationship. Payroll or contact details, for example, are exempt only in relation to their use in the employment relationship. They cannot be used or disclosed for other purposes except under the terms of the Privacy Act.

(9) The personal information of individuals who are not, or do not become, employees is not covered by this exemption. This includes personal information of unsuccessful job applicants (including references) and information about persons in ACU employment records who are not employees (e.g. information about an individual's family).

Section 5 - Collecting Information

What Information can ACU Collect?

(10) ACU can collect personal information only if it is reasonably necessary for, or directly related to, its functions and activities. This includes support functions such as administration, security, public relations and recruitment activities. It does not include information which is more than required, which may be useful as opposed to necessary, or which is collected for other entities where the purpose is not necessary for, or directly related to, an ACU function or activity. Photographs of students in a class, for example, may not be considered reasonably necessary for or directly related to teaching if they are taken only for the convenience of the lecturer, as opposed to confirming identity to prevent cheating or for security purposes.

What Does ACU Have to Tell the Individual?

(11) When ACU collects information about an individual it must take reasonable steps to tell the individual (where applicable):

(12) This can be done by reference to the Privacy Policy (e.g. by a link to the Policy on the ACU webpage or a reference to it).

(13) Other entities or types of entities to which that kind of personal information is usually disclosed (e.g. immigration authorities; placement providers; other educational institutions).

(14) Whether ACU is likely to disclose personal information to overseas recipients and, if practicable, where those recipients are located. This does not include routing information overseas or use by ACU of the information overseas (e.g. for operation of the Rome Centre).

When Should Notification Occur?

(15) This information should be provided before, or at the time of, collection or, if this is not practicable, as soon as practicable after collection of the information. It may be considered impracticable to provide information before collection if, for example, there is an urgent situation or collection of the information is by telephone.

Does the Individual Have to be Notified of Everything, Every Time?

(16) It may not be reasonable to notify the individual of all or some of the required information, in which case ACU may not have to give the information. ACU must be able to justify this clearly.

(17) Reasons for not notifying of some or all of the required information may include:

How can the Individual be Notified of Collection of Information?

(18) Options for providing notice of the information required to be given on collection of personal information include:

How Must Collecting be Done?

(19) Collection of personal information must be done:

(20) Relevant considerations in determining whether it is unreasonable or impracticable may be:

What if ACU is Provided with Information from Other Sources Which it has not Requested (Unsolicited Information)?

(21) Unsolicited information includes additional information beyond what was requested (e.g. examples of work not requested for a job application).

(22) ACU must, within a reasonable period after receipt of the information, decide whether it could have collected the information. If it could not have collected the information, and it is lawful and reasonable to do so, ACU must destroy or de-identify it as soon as practicable. The information may also be returned to the person who provided it.

(23) It will generally be lawful to destroy the information unless, for example, there is a court order in place or there is an audit requirement.

(24) If ACU keeps the information it must be treated in the same way as other personal information.

Section 6 - Using and Disclosing Personal Information

What can ACU do with Personal Information?

(25) ACU may use or disclose information only for the purpose for which it was collected, e.g. enrolment information may only be used for the purposes of enrolment and administration of a student's studies, unless:

What is Using Personal Information?

(26) Using personal information includes reading it; searching for it in records; making a decision on the basis of it; access to it by an employee; or one part of ACU passing it to another.

What is Disclosing Personal Information?

(27) Disclosing means making information accessible outside ACU and releasing control of it. It includes accidental disclosure and unauthorised release by a member of ACU staff if they are acting in the course of their employment. It does not include an external "hack" of ACU systems or theft, unless ACU has failed to take reasonable steps to protect the information.

What is Consent?

(28) In relation to consent:

(29) The individual must have the capacity to understand and communicate the consent.

Opt Out Provisions

(30) An opt out provision can be used for the purposes of consent, but it must be used appropriately and constructed carefully in order to be effective. Usually, express consent and an opt in mechanism are preferred.

(31) Use of an opt out consent is more likely to be effective if:

Section 7 - The Police and the Law

Warrant, Subpoena, Notice to Produce

(32) If ACU is served with a valid warrant, a subpoena or a notice to produce information under an Act, then personal information required to be produced must be produced.

(33) The warrant, subpoena or notice and the information to be produced must, however, be referred to the Office of General Counsel to ensure that it is valid and that the information produced falls within the strict terms of what is required to be produced; otherwise ACU may breach the Privacy Act.

(34) In some circumstances an order to provide counselling or health records may be contestable.

Requests from Police and Other Law Enforcement Agencies

(35) ACU may respond to a proper request for information that it reasonably believes is reasonably necessary for the purposes of the law enforcement agency. ACU requires a request in writing from the agency with sufficient information to enable it to decide whether it can release information and what information is reasonably necessary.

(36) ACU does not have to release the information, and any request must be referred to the Office of General Counsel.

(37) A written note of the use or disclosure of the information must be kept, with details of the disclosure or use and the basis for the reasonable belief on which the disclosure was made. The Office of General Counsel will generally do this on its file.

Suspected Criminal Offences and Unlawful Behaviour

(38) If ACU has reason to suspect unlawful activity that relates to ACU functions or activities, and reasonably believes that it needs to collect, use or disclose personal information to deal with this, then it can do so. This allows reports to police or other appropriate authorities with information relating to the report or required for investigation of the report – for example, in the case of a suspected fraud on ACU, ACU may provide details of relevant payments to a person and bank details. It also allows ACU to collect, use or disclose personal information to investigate suspected unlawful behaviour itself. There must be grounds on which to base the suspicion of unlawful activity by the individual concerned, such as a credible complaint or a record of suspect transactions or activity on a credit card.

(39) The unlawful activity must relate to ACU and includes discrimination or harassment. Any information collected, used or disclosed must be only what is reasonably believed to be necessary.

Section 8 - Misbehaviour

Suspected Serious Misconduct

(40) If ACU has reason to suspect serious misconduct by a student, employee or associate of ACU that relates to ACU functions or activities, and reasonably believes that it needs to collect, use or disclose personal information to deal with this, then it can do so. This enables ACU, for example, to investigate a suspected serious breach of the Code of Conduct for Staff, such as significantly wrongful use of its internet resources.

(41) The suspected conduct must be serious, and the use or disclosure of the personal information must be only what is reasonably believed to be necessary to deal with it. There must be grounds on which to base the suspicion of misconduct against the individual concerned, such as a credible complaint or a record of suspect transactions or activity on an internet account.

Section 9 - Complaints or Allegations

Dealing with Complaints or Allegations made to ACU

(42) If an individual makes a complaint about ACU, then that individual may reasonably expect that ACU will use their personal information to deal with that complaint, including investigation of the complaint and informing persons complained of about the complaint.

(43) Only information required for dealing with the complaint should be used or disclosed. Best practice is to obtain the consent of the complainant for the use or disclosure of their personal information or, at least, to inform them of the intention to disclose information before doing so.

(44) Where a complaint is made under the Protected Disclosures Policy, particular processes and obligations apply and no disclosure should be made without complying with the Policy.

Dealing with Complaints or Allegations about ACU

(45) If an individual makes a complaint or attack on ACU in the media, then that individual may reasonably expect that ACU may respond publicly to those comments revealing personal information of the individual, but only if that information is specifically relevant to the particular issues raised. For example, if a student complains to the media that international students are treated more favourably than domestic students, it would not be acceptable to make a public statement including information about that particular student's academic record. If a student complains to the media that they have been discriminated against in the way in which they were assessed, it may be acceptable to make a statement which includes information about that student's academic record where it is relevant.

Section 10 - Emergency and Threat Situations

Threat Situations

(46) If ACU reasonably believes that collecting, using or disclosing personal information is necessary to lessen or prevent a serious threat to the life, health or safety of any person, or to public health or safety, and it is unreasonable or impracticable to obtain the individual's consent, then ACU may collect, use and disclose personal information.

(47) Relevant considerations include:

Section 11 - Collection, Use and Disclosure of Personal Information for Purposes of ACU

Normal business requirements

(48) If use of personal information is part of normal business processes, then the individual will be considered to have given implied consent to its use, e.g. by enrolling, the student gives implied consent to use of personal information for enrolment and administration of the student's study and student experience, including the opportunity to participate as an alumnus after graduation, but not for the purposes of fund-raising.

Photographs

(49) If a photograph can identify a particular person, it is personal information.

(50) Taking photographs where persons can be identified can be done without consent, but the general requirements around collecting personal information apply and the taking of the photograph must be reasonably necessary for ACU's functions or activities. If, for example, photographs of an audience are expected to be taken at an event, so that persons in that audience may be identifiable, then, if practicable, invitations or material distributed at the event should state that photographs of the event will be taken and provide the usual information, such as the purpose of taking the photographs and how they will be used.

(51) If a person's racial or ethnic origin or religious belief may be identified from the photograph, then this is considered to be sensitive information.

Consent

(52) If there is explicit consent, then personal information may be used within the terms of that consent. Consent must be freely given, the individual must be adequately informed and, if possible, there should be provision to opt in or out.

Section 12 - Health Information

(53) Health Information includes:

(54) A health service includes any activity that is intended, or claimed by the individual or person providing it, to assess, record, maintain or improve the individual's health; diagnosis; treatment or prescription. It includes a fitness centre or gym.

Section 13 - Research

Collecting Health Information for Research

(55) ACU may collect personal health information about an individual if the research (including the compilation or analysis of statistics):

(56) Reasonable steps must be taken to ensure that the information is de-identified before it is disclosed or published.

Using and Disclosing Health Information for Research

(57) Researchers may use and disclose personal health information for research if:

(58) Disclosure of health information should be in de-identified form if reasonably possible.

(59) Normally, if personal health information is being provided to a person or entity outside of ACU because it is necessary for the research, a confidentiality deed will be required before this can occur. If the person or entity is an investigator on the grant, then a deed of confidentiality will not usually be required.

HREC and Obligations of Researchers

(60) Without specific consent of the individual and approval of the Human Research Ethics Committee (HREC), no personal health information may be published.

(61) All research involving collection of personal health information will normally require the approval of the HREC and, in that case, the HREC will consider and apply the privacy obligations, so that the HREC application and approval processes will cover the Privacy Act requirements to enable collection of the information.

(62) Researchers will be responsible for ensuring that the information is collected, used, stored and disclosed in accordance with the HREC approval and the Privacy Act.

Section 14 - Providing a Health Service

Collecting, Using and Disclosing Personal Health Information in the Course of Providing a Health Service

(63) Where ACU is providing a health service it may collect, use and disclose personal health information if:

(64) Providing the health service:

(65) Management and administration of the health service:

(66) Any disclosure of health information should be de-identified.

Disclosure Without Consent

(67) Disclosure without consent is permissible if ACU is providing a health service and is satisfied that either:

Genetic Information

(68) There is provision in the Privacy Act for disclosure of genetic information obtained in the course of providing a health service where there is a risk to a genetic relative of the individual.

Sensitive Information about Race, Ethnicity, Religion, Political Opinions, Sexual Orientation or Practices, Criminal Record and Health

(69) Information about a person's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, professional or trade association / trade union membership, sexual orientation or practices, criminal record, health information, or genetic or biometric information is considered sensitive information, and additional restrictions apply to how this information is collected, used and disclosed.

Other Times when Collection, Use and Disclosure of Personal Information is Permitted

(70) The Privacy Act allows the collection, use and disclosure of personal information in various circumstances and under specific situations, including:

(71) Matters relating to these situations should be referred to the Privacy Coordinator.

Section 15 - Direct Marketing

What is Direct Marketing?

(72) Direct marketing is the use or disclosure of personal information to communicate directly with an individual to promote goods and services. It would not include invitations to public lectures, but would include invitations to post-graduate courses.

When can Personal Information be used for Direct Marketing?

(73) ACU can use personal information for direct marketing when:

Opting Out

(74) The opt out must be:

Requests to Identify Source of Personal Information

(75) An individual may ask ACU to identify the source of the personal information it uses for direct marketing. This must be given within a reasonable period – generally 30 days – unless it is impracticable or unreasonable to provide the information.

Spam Act and Do Not Call Register Act

(76) The Spam Act 2003 (Cth), the Do Not Call Register Act 2006 (Cth) and the Privacy Act all apply to direct marketing.

Section 16 - Disclosing Personal Information Overseas

What is Disclosing Personal Information Overseas?

(77) Disclosing personal information overseas includes:

(78) Advice should be sought from the OGC before personal information is disclosed to an overseas recipient.

Can ACU Disclose Personal Information Overseas for Operational Purposes?

(79) In general terms, there are provisions allowing disclosure to overseas recipients in circumstances which should be assessed carefully. ACU can:

(80) If the overseas recipient is subject to a privacy law, or some form of regulation, which is equivalent to the Australian law and which has mechanisms enabling a complainant to use that law, then the burden on ACU is much less.

(81) Arrangements which involve personal information being sent overseas to be used by a third party must be reviewed by OGC.

Can ACU disclose personal information overseas in emergencies, cases of wrongdoing or for law enforcement purposes?

(82) ACU may disclose personal information where:

(83) These provisions are similar to those which apply to disclosure of personal information within Australia, and more information on how they are applied is set out above. Where practicable, the advice of OGC should be sought before disclosing personal information to an overseas recipient.

How responsible is ACU for what an overseas recipient does with personal information received from ACU?

(84) ACU may be liable for the actions or practices of an overseas entity in relation to personal information disclosed by it to that entity. This may be the case even where the entity has taken reasonable steps to comply with Australian requirements, the fault lies with the overseas entity's sub-contractor, or the breach of the Australian requirements is inadvertent.

(85) It is important to ensure that the circumstances around the disclosure minimise the risk that ACU will be exposed to penalties for the failures of an overseas entity to whom it has disclosed personal information. OGC should be consulted on all potential arrangements involving disclosure of personal information to overseas recipients to prevent or minimise this risk.

What if foreign law requires disclosure by an overseas recipient of personal information provided by ACU?

(86) If ACU discloses personal information to an overseas recipient and that recipient is required by a law of that jurisdiction to disclose the personal information, then this will not be a breach of the Privacy Law. A contract with the overseas recipient should deal with this possibility and provide for notification to ACU in the event of disclosure under compulsion of law, and consideration should be given as to whether individuals should be notified that disclosure of this type may be required. The USA Patriot Act, for example, gives the US Government extensive powers to obtain personal information.

Section 17 - Keeping and Maintaining Personal Information

Data Quality

(87) ACU must take reasonable steps to ensure that the personal information it holds and discloses is accurate, up-to-date and complete. This is an on-going and positive obligation.

(88) Practices which assist in demonstrating that ACU has met its obligations with respect to data quality include:

Data security obligations

(89) ACU must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

(90) Where the information is no longer needed it must be destroyed or de-identified.

How can ACU meet its obligations for data security?

(91) Practices and procedures which can help to show that ACU is meeting its obligations to keep data secure are:

(92) While data security may be managed principally by IT systems, breaches of data security can occur through inadequate local policies, procedures and practices, such as:

Section 18 - What Rights Has the Individual Whose Personal Information ACU Holds?

Access to information

(93) ACU must give an individual access to their personal information unless specific exceptions apply (see below).

(94) There are time periods for responding to requests, and other procedural requirements, which are set out in the Privacy Inquiry and Complaints Procedure. The information required to be provided includes not only factual information but may also include opinions.

(95) The request for access must be made by the individual concerned or by a person properly authorised by that individual, and ACU must satisfy itself that the request is from the appropriate person.

Can ACU refuse to give an individual access to their personal information?

(96) ACU can refuse access by an individual to their personal information if:

(97) Consideration must be given to whether material can be produced in an alternative form if applying one of these exceptions. It may be possible, for example, to redact the information of other persons, provide a summary of the information, delete the information, facilitate access by providing the material for inspection without providing it in hard copy or electronic form, or use an intermediary to provide the information (e.g. providing it through a suitably qualified medical professional where the material may be sufficiently distressing to the individual to lead to a concern about self-harm by that individual).

(98) ACU must provide the individual with reasons for a refusal to respond to a request for access to information, and the individual must be provided with certain information, such as the way in which the individual can complain about the refusal.

Can ACU charge for responding to a request for personal information?

(99) ACU can charge for the costs of finding and producing requested information, including the costs of deciding which information to provide, copying costs and the like. The costs must not be excessive and do not include the costs of legal advice or of consulting with the individual about how access is provided. If it is proposed to make a charge (which would be only in exceptional circumstances), a record must be kept of all expenditure and time, and the costs charged must be on a reasonable basis. Costs must be communicated and explained before access is given.

Other means of accessing information

(100) Unlike many other Universities, ACU is not bound by Freedom of Information legislation. This applies only to government entities.

(101) Information may, however, be subject to production in Court proceedings.

Right to correction of information

(102) ACU must take reasonable steps to correct personal information if requested by the individual.

(103) ACU must respond to a request for correction of personal information within 30 calendar days and deal with it within a reasonable period (generally 30 days).

(104) If ACU receives a request for correction of information it must assure itself that the information is incorrect.

(105) The Privacy Inquiry and Complaints Procedure sets out how requests for correction of information are made and dealt with; however, requests for correction of information can be made informally and it is not necessary to state that the request is made under the Privacy Act.

(106) ACU must, if requested, take reasonable steps to notify any third party which comes under the Privacy Act of the correction to the personal information, if it is not impracticable or unlawful to do so. If a third party has been informed of incorrect information, and it is not impracticable or unlawful, ACU should take steps to correct the information held by the third party whether or not there is a request, and / or prompt a request.

(107) If ACU refuses a request to correct personal information it must give the individual reasons for that refusal (unless this is unreasonable or unlawful) and advise the individual of matters such as available complaint mechanisms.

(108) If a request for correction of personal information is refused, the individual may request that ACU associate with the information a statement of the individual's belief that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. If it is reasonable and practicable, ACU must comply with the request. This can be done by attaching the statement to a physical record, by an electronic link to a digital record or, if this is not practicable, by a note on the record which references where the statement can be found. ACU is not obliged to accept overly long, irrelevant, defamatory, offensive, abusive or unlawful statements (e.g. a statement which breaches another individual's privacy), but if such objections are made, then ACU should attempt to negotiate with the individual on the form and substance of the statement.

(109) ACU cannot charge for a request to correct personal information, for correcting information, or for associating a statement with the personal information.

Section 19 - Review

(110) Unless otherwise indicated, this Guideline will still apply beyond the review date.