(1) This Protocol should be read in conjunction with the Privacy Policy and supports the application of Section 5, clauses 18 to 21 of that Policy.
(2) This Protocol also supports the application of clause 3 of the Employee Records Privacy Policy regarding use and access.
(3) This Protocol outlines the internal processes relating to third party requests for personal information of staff or students.
(4) The term third party is used in this Protocol to refer to external bodies (organisations or persons) as well as ACU staff members who would not ordinarily be authorised to access the personal information of students or other staff members in the performance of duties associated with their employment.
(5) All other terms used in this Protocol have the same meaning as defined in Section 9 of the Privacy Policy.
(6) Under Australian Privacy Principle 12, an individual (or another authorised person acting on behalf of the individual) has the right to request access to their own personal information held by the University. This Protocol does not apply to these requests; they are managed in accordance with clause 28 of the Privacy Policy and the Access to and Correction of Personal Information Procedure.
(7) Australian Privacy Principle 6 requires organisations holding personal information not to use or disclose it other than for the purpose for which it was collected.
(8) ACU staff must have a demonstrated need for access to student or staff personal information to undertake their functions or responsibilities.
(9) A data breach occurs where there has been unauthorised use or access to personal information (within ACU) or unauthorised disclosure of personal information (outside of ACU).
(10) The personal information of staff or students must not be released to third parties (which may include ACU staff members or external bodies) unless:
(11) The scenarios described in clause 10(c) generally require ACU to have a reasonable basis for the belief that the use or disclosure is necessary in the circumstances.
(12) The third party must provide sufficient information to enable the Privacy Officer to form a view as to whether there are reasonable grounds to believe disclosing the information is necessary. This includes:
(13) It is the responsibility of ACU to obtain and document evidence to justify this belief.
(14) The Office of the Australian Information Commissioner advises that this must not be a subjective belief and it would not be considered necessary where it is merely helpful, desirable or convenient. Case law [1] requires organisations to seriously consider whether any effective alternatives are available to disclosure, seeking further information from law enforcement bodies and ascertaining the legislative grounds authorising the disclosure.
(15) The Privacy Coordinator will assess the merits of each request, the grounds for ‘reasonable belief’ and the permissibility of disclosure. A recommendation will be provided to the Privacy Officer on a case-by-case basis. Factors to be considered include:
(16) The Privacy Coordinator may recommend further enquiries are made with the requestor and/or more information is sought in order to assess the third party request.
(17) The Privacy Officer may refuse to disclose information in the absence of a warrant, subpoena or similar legal order.
(18) Where ACU is not satisfied that the grounds for accessing or disclosing the information are met, then no legal basis under the Privacy Act 1988 (Cth) is met and the request will be denied.
(19) Where ACU is satisfied it has a reasonable basis for the belief, it must only disclose the minimum amount of personal information that is necessary.
(20) A written record of the authorised use or disclosure must be registered by the Privacy Coordinator.
(21) The Student Enrolment Privacy Collection Statement sets out the various ways in which ACU may use and disclose students’ personal information.
(22) Where a third party requests access to a student record and the use or disclosure is not already provided for in the Collection Statement, a determination will need to be made as to whether any of the circumstances in clause 10 of this Protocol apply. Refer to clauses 31-33 for requests specifically from law enforcement agencies.
(23) A staff member who receives a request under clauses 21-25 should seek direction from the Academic Registrar in the first instance.
(24) The Academic Registrar may refer it to the Privacy Coordinator for advice or to seek authorisation from the Privacy Officer to use or disclose the information under clause 10(c).
(25) The Privacy Coordinator will assess the request in accordance with clauses 11 to 20 of this Protocol and brief the Privacy Officer.
(26) The Employee Records Privacy Policy and Privacy Collection Notice Requirements for Applicants and Referees set out the various ways in which ACU may use and disclose personal information for staff (or prospective staff).
(27) Where a third party requests access to a staff record and the use or disclosure is not already provided for in the Collection Notice, a determination is needed as to whether any of the circumstances in clause 10 of this Protocol apply. Refer to clauses 31 to 33 for requests specifically from law enforcement agencies.
(28) A staff member who receives a request under clauses 26 to 30 should seek direction from the Chief People Officer in the first instance.
(29) The Chief People Officer may refer it to the Privacy Coordinator for advice or to seek authorisation from the Privacy Officer to use or disclose the information under clause 10(c).
(30) The Privacy Coordinator will assess the request in accordance with clauses 11 to 20 of this Protocol and brief the Privacy Officer.
(31) ACU may receive requests from law enforcement agencies for the disclosure of personal information. Where the request relates to CCTV, refer to clauses 35 to 38.
(32) A list of relevant law enforcement bodies and law enforcement activities is set out in Section 6 of the Privacy Act 1988 (Cth).
(33) A staff member who receives a request under clauses 31 to 33 should refer it to the Privacy Coordinator, who will assess the request in accordance with clauses 11 to 20 of this Protocol and brief the Privacy Officer.
(34) In cases of emergency or where a Critical Incident is declared under the Critical Incident Management Policy, the Critical Incident Convenor may:
(35) Where an internal or external request for CCTV footage or door access report is received by Properties and Facilities, the Associate Director, Facilities Management may direct the National Security Centre to retrieve and copy (but not release) the footage or report [2].
(36) The Associate Director, Facilities Management will forward the request to the Privacy Coordinator, who will assess the request in accordance with clauses 11-20 of this Protocol [3] and brief the Privacy Officer.
(37) Only when the Associate Director, Facilities Management receives confirmation of this authorisation via the Privacy Coordinator shall Properties and Facilities coordinate with the National Security Centre to obtain the footage and release it.
(38) For the avoidance of doubt, and with reference to clause 4 of this Protocol, requests by Campus Facilities Managers for CCTV footage or door access reports would be considered requests within the normal performance of their duties and can be managed by the Director or Associate Director of Properties and Facilities. This access would be limited to the staff member and no disclosure is permitted. If the request includes disclosure to a third party (which may include unauthorised ACU staff members or external bodies) then clauses 36 and 37 of this Protocol apply.
(39) A pre-recorded privacy statement is available for AskACU and Service Central and sets out the purpose of the recordings and how they may be used. This relates to quality, coaching and training purposes.
(40) Where a third party is requesting access to a recording and the use or disclosure does not relate to one of these purposes then a determination will need to be made as to whether any of the circumstances in clause 10 of this Protocol apply.
(41) A staff member who receives a request under clauses 21 to 25 should seek direction from the Academic Registrar (if the recording involves student personal information) or the Chief People Officer (if the recording involves staff personal information) in the first instance.
(42) The Academic Registrar or Chief People Officer may refer it to the Privacy Coordinator for advice or to seek authorisation from the Privacy Officer to use or disclose the information under clause 10(c).
(43) The Privacy Coordinator will assess the request in accordance with clauses 11 to 20 of this Protocol and brief the Privacy Officer.
(44) Unless otherwise indicated, this Protocol will still apply beyond the review date.

Third Party Access to Personal Information Protocol
Section 1 - Purpose and Scope
Section 2 - Use or Disclosure of Personal Information
Section 3 - Release of Personal Information
Section 4 - Assessment of Requests and ‘Reasonable Belief’ Requirement
Section 5 - Types of Requests
Student Records
Staff Employment Records or Recruitment Records
Law Enforcement Agencies
Emergencies and Critical Incidents
Closed Circuit Television Vision (CCTV) Footage and Door Reader Access Reports
Ask ACU and Service Central Telephone Recordings
This is the current version of this document.
[1] Refer ‘EZ’ and ‘EY’ [2015]
[2] Be aware that footage is not retained for more than 30 days so will be unavailable if this period has elapsed.
[3] This may also require an assessment against workplace surveillance legislation, where applicable.