(1) The University of Wollongong (“the University”) has an obligation to manage personal and/or health information in compliance with the NSW Privacy and Personal Information Protection Act 1998 and the NSW Health Records and Information Privacy Act 2002, which may include regulations, statutory guidelines, codes of practice and privacy directions made under those Acts.

(2) This Plan has been produced in compliance with section 33 of the Privacy and Personal Information Protection Act 1998. A copy of this Plan must be provided to the Privacy Commissioner as soon as practicable after it is prepared and whenever it is amended, in compliance with section 33(5) of the Privacy and Personal Information Protection Act 1998.

(3) This Plan operates as a University procedure document supporting the University’s Privacy Policy and is to be read in conjunction with the Privacy Policy. All staff and affiliates must comply with the University’s Privacy Policy and this Privacy Management Plan (“the Plan”).

(4) The University’s dedicated Privacy homepage provides the Privacy Policy and this Plan. These policy documents are also available in hard copy on request by contacting icu-enquiry@uow.edu.au.

(5) This Plan does not apply to the University’s controlled entities or any other agencies. The University’s controlled entities have their own policies and procedures for the management of Information provided to or collected by them.

(6) The purpose of this Plan is to outline:

(7) In certain circumstances, the University may be subject to obligations under other privacy laws. Some of the circumstances where other privacy laws may apply in the exercise of the University’s functions and activities are discussed in section 8 and include:

(8) Enquiries regarding requirements under other relevant privacy laws may be directed to a Privacy Officer. Refer to Section 11 for contact details of the University’s Privacy Officers.
(9) The Information Protection Principles that apply to public sector agencies such as the University are contained in sections 8-19 of the Privacy and Personal Information Protection Act 1998.

(10) The Health Privacy Principles that apply to the University are contained in Schedule 1 of the Health Records and Information Privacy Act 2002.

(11) The requirements of the Information Protection Principles and the Health Privacy Principles at the University are discussed in this Plan. In limited circumstances, exemptions in the Privacy and Personal Information Protection Act 1998 or Health Records and Information Privacy Act 2002 may allow the University to not comply with the Information Protection Principles or the Health Privacy Principles. Some of these circumstances are explained in this Plan where relevant to the University.

(12) Privacy codes of practice and public interest directions can modify the application of the Information Protection Principles or Health Privacy Principles. There are currently no codes of practice or public interest directions that are relevant to the University’s management of Information.

(13) The University is also not covered by any memorandums of understanding or referral arrangements with

(14) The University’s Information Sheet – Privacy provides a summary of the Information Protection Principles and the Health Privacy Principles and has been produced to assist staff and affiliates understand the requirements of each of the principles.

(15) When developing or reviewing projects, programs or policies that involve the collection and handling of personal or health information, staff and affiliates are to consider the requirements of the Information Protection Principles and Health Privacy Principles, as discussed in this Plan. The UOW Privacy Impact Assessment (PIA) Tool is available to assist staff and affiliates in the consideration and assessment of each of the privacy principles.
(16) The UOW Privacy Impact Assessment (PIA) Tool provides a mechanism to assist staff and affiliates in the consideration and assessment of each of the privacy principles when embarking on a project, program or initiative. This assessment process fulfils the University’s legislative requirements to protect an individual’s privacy and manage personal and health information in accordance with its obligations.

(17) When collecting and/or handling personal or health information, staff and affiliates are to consider the

(18) A University Privacy Officer is to be consulted when considering exemptions to the Information Protection Principles or Health Privacy Principles, when working through the UOW Privacy Impact Assessment (PIA) Tool or when applying de-identification techniques.

(19) The Information Protection Principles 1 and Health Privacy Principles 1 state that the University must not collect Information unless:

(20) If Information received by the University is unsolicited (not actively collected by the University), the principles relating to collection do not apply. However, if the University decides to make use of or take any action in relation to the unsolicited Information, then the University is regarded to have ‘collected’ the Information and the collection principles will then apply. If the University decides to keep any unsolicited Information, the University must apply the provisions of the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 relating to the storage, use and disclosure of that Information.

(21) In considering what lawful purposes might be ‘directly related to a University function or activity’, as required by the Information Protection Principles 1 and Health Privacy Principles 1, the University must have regard to the objects and functions of the University as set out in the University of Wollongong Act 1989.
Examples of the purposes for which Information is collected and used by the University include:

(22) The Information Protection Principles 2 and Health Privacy Principles 3 state that the University must, when collecting Information, collect the Information directly from the individual to whom the Information relates, unless:

(23) Additionally, the University may collect Information from third parties in accordance with exemptions to the Information Protection Principles 2 and Health Privacy Principles 3. An exemption that may apply to the University includes where indirect collection is otherwise lawfully authorised or required.

(24) The University collects Information directly from individuals, including:

(25) The University facilitates the collection of Information directly from the individual through the provision of:

(26) When dealing with an individual, the University will require that individual to confirm their identity. This is to ensure that the University is collecting Information directly from the individual to whom the Information relates. For example, the identity confirmation process may include sighting a government issued identification record or staff/student ID card. In instances where enquiries are received over the phone, the University will use a defined checklist prior to disclosing any Information.

(27) Health information is collected directly from individuals when providing support services such as counselling, disability services, medical services or advocacy services.

(28) The University welcomes enquiries and actively seeks feedback (which may include via comments, compliments and complaints) from individuals. Information is collected and used to respond to any matters raised through the various communication systems, to improve University services and promote effective complaint handling processes.
(29) At times, the University collects Information indirectly, but only does so when the University is lawfully authorised or required to do so, or where the individual has authorised collection from someone else. Circumstances where Information may be indirectly collected may include:

(30) Where Information is captured indirectly, the University makes all reasonable efforts to notify affected individuals about the University’s intended handling of their Information, either by direct contact or via its policies, web pages, terms and conditions or other applicable methods. For example, the CCTV Surveillance Standard provides details relating to the University’s handling of personal information collected via surveillance cameras. The Lecture Recording Procedures provide details of personal information that may be collected during the recording of lectures.

(31) Circumstances where health information may be collected from a third party include where an independent medical assessment is required by the University in order to support a student’s request for academic consideration or for additional wellbeing support services.

(32) Where an individual authorises another person or organisation to collect Information on their behalf, the University requires evidence of that authority in writing. This authority will be captured as a University record and managed in accordance with the Records Management Policy.
(33) The Information Protection Principles 3 and Health Privacy Principles 4 state that if the University collects Information from an individual, the University must take all steps as are reasonable in the circumstances to ensure that, before the Information is collected or as soon as practicable after collection, the individual to whom the Information relates is made aware of the following (“Collection Statement” or “Privacy Statement”):

(34) Exemptions to the Information Protection Principles 3 and Health Privacy Principles 4 may apply to the University in the following circumstances:

(35) Where collection of Information is reasonably necessary for the purpose of research, researchers are required to submit an application to the University’s Human Research Ethics Committee (HREC). HREC oversees and assesses whether that collection is reasonable in the circumstances and whether the University’s privacy obligations are addressed. The University’s dedicated Human Ethics webpage provides further information.

(36) In limited circumstances, the University may apply the exemptions to the Information Protection Principles 3 and Health Privacy Principles 4 when responding to critical incidents. In these instances, it may be necessary to obtain relevant information from someone other than the individual involved in the critical incident to establish the safety of that individual or of any other individual.

(37) The University must consider the requirements of any other applicable legislation when collecting Information. Refer to section 8 for discussion of other applicable legislation.

(38) The University, including its faculties and business units, collects Information at different times and in varying ways. As part of that Information collection process, the University provides a privacy statement to the individual.
Examples of the methods used by the University to communicate privacy statements include:

(39) The University’s Privacy homepage provides links to some of the University’s various privacy statements, as their context applies:

(40) The University provides a privacy statement to students who engage with the University Support and Wellbeing staff at various contact points, including the Student Support Coordinators landing page and by way of a tailored introductory email.

(41) The University Privacy Officers provide guidance and assistance in the development of privacy statements and on how any exemptions to the Information Protection Principles 3 and Health Privacy Principles 4 may apply.

(42) The Information Protection Principles 4 and Health Privacy Principles 2 state that if the University collects Information from an individual, the University must take reasonable steps (having regard to the purposes for which the Information is collected) to ensure:

(43) Staff and affiliates are to comply with the requirements of the Information Protection Principles 4 and Health Privacy Principles 2 when collecting Information from an individual. The UOW Privacy Impact Assessment (PIA) Tool facilitates consideration and assessment of each of the privacy principles.

(44) Where human participants are required for the purpose of research, the University’s Human Research Ethics Committee (HREC) oversees and approves the intended research activity. HREC requires each researcher to outline the Information to be collected for the research project, assesses whether that collection is reasonable in the circumstances and determines whether the University’s privacy obligations are addressed. The University’s dedicated Human Ethics webpage provides further information.
(45) The Information Protection Principles 5 and Health Privacy Principles 5 state that if the University holds Information it must ensure that:

(46) The University is committed to taking all reasonable steps so that all business activities performed with the use of information technology systems are protected and maintained, and that sustainable procedures are in place to reflect best practice information technology security. UOW’s information technology policies provide details of its commitment to the storage and protection of Information in compliance with its privacy obligations.

(47) The Data Governance Procedure, Data Quality Management Procedure and Data Handling Guidelines provide the data governance framework relating to the availability, usability, integrity and security of all data held by the University. This data includes personal and health information.

(48) Staff and affiliates are required to comply with the University’s IT Acceptable Use Policy and are expected to protect Information by ensuring that:

(49) From time to time, staff and affiliates may be required to acknowledge their understanding of their compliance obligations in writing if handling certain high-risk categories of Information.

(50) In certain circumstances, as a security safeguard, the University will remove identifiers before using Information in order to protect the privacy of that individual. For example, identifiers are removed from Information where the University wishes to gain valuable insight for planning and/or research purposes.

(51) Where the University engages the services of a third party for the purpose of providing a particular service to the University, all reasonable steps must be taken to confirm that the third party has robust practices in place to protect the Information and prevent its unauthorised use or disclosure. Clauses 103 – 109 provide further information on Third Party Engagement and Confidentiality.
(52) The University is subject to the State Records Act 1998, which requires the University to comply with specific minimum timeframes for the retention and disposal of documents. Once the minimum retention period has been satisfied, records may be assessed and reviewed for disposal. The Records Management Policy provides further information regarding the University’s obligations under the State Records Act 1998.

(53) The Information Protection Principles 9 and Health Privacy Principles 9 state that if the University holds Information, it must not use that Information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the Information is proposed to be used, the Information is relevant, accurate, up to date, complete and not misleading.

(54) The University must consider one or more of the following factors, as are reasonable on a case by case basis, to determine whether the Information it holds is relevant, accurate, up to date, complete and not misleading:

(55) Examples where the University checks the accuracy of Information before use include:

(56) In general terms, ‘use’ refers to the communication or handling of Information within the University, whereas ‘disclosure’ refers to the communication or transfer of Information outside the University, other than to the individual concerned. The principles relating to use and disclosure of personal information are discussed below.
(57) The Information Protection Principles 10 states that the University must not use personal information it holds for a purpose other than that for which it was collected unless:

(58) The Information Protection Principles 11 states that the University must not disclose an individual’s personal information unless:

(59) Exemptions to the Information Protection Principles 11 which may apply to the University include where the disclosure of the personal information concerned is:

(60) The Information Protection Principles 12 states that the University must not disclose sensitive information without the consent of that individual unless the disclosure is necessary to prevent a serious and imminent threat to the health or safety of any person.

(61) Prior to collecting Information, the University must identify the primary and directly related uses of that information and communicate the intended use and disclosure instances to individuals via a Privacy Statement (as discussed in clauses 38 – 41). As an example, during the enrolment process, students are informed of the various use/disclosure instances relating to their Information. Where a new or unrelated use is identified, the University must seek the consent of the individual prior to proceeding unless an exemption applies.

(62) Examples where the University uses personal Information for a purpose that is directly related to the primary purposes for which it was collected include:

(63) The University’s policies provide a mechanism through which the University explains the various ways in which it uses and discloses Information. For example, personal information is managed by the University for the purposes set out in the IT Acceptable Use Policy.

(64) The University applies learning analytics initiatives to student data in order to maximise each student’s academic success and to support their student learning experience.
This is achieved by giving each student, as well as authorised staff and affiliates, access to the student’s learning-related Information in order to build on that student’s areas of strength, identify areas for improvement and to utilise support services offered by the University. The use of analytics data involving students is governed by the Learning Analytics Data Use Policy.

(65) The University may also use analytics software and other business intelligence systems for quality and planning purposes. In these instances, personal information may be used to develop the system intelligence. Where practicable, the University will consider the use of non-identifiable data to achieve the purpose. The UOW Privacy Impact Assessment (PIA) Tool is also to be used to consider all the relevant privacy principles and risk mitigation strategies.

(66) Personal information may also be used and/or disclosed by the University to manage emergency or crisis situations. This may include contacting individuals to provide important notices/updates relating to the emergency and/or disclosure of details to the relevant emergency service if required.

(67) Personal information may also be used for the formation of a professional opinion which is used to guide support service delivery.

(68) In limited circumstances the University may use personal information to exercise its duty of care responsibilities under the Work Health and Safety Act 2011 to make certain that the University is a safe working and learning environment for staff/affiliates/students and visitors.

(69) Where personal information is to be used for the purpose of undertaking research, the University must refer to the Statutory Guidelines on Research – 27B, Privacy and Personal Information Protection Act 1998.
The University’s Human Research Ethics Committee (HREC) is responsible for approval of the research in accordance with the National Health and Medical Research Council National Statement on Ethical Conduct in Human Research. The University’s dedicated Human Ethics webpage provides further information.

(70) The University welcomes enquiries and feedback (which includes comments, compliments and complaints) from the University community. In order to effectively manage and respond to enquiries and feedback the University may need to share personal information with specific units and staff who are subject matter experts. Examples include staff with expertise in records management, information technology, teaching and learning or human resources. Where reasonably practicable, the individual must be consulted prior to sharing the personal information.

(71) Where personal information is used for direct marketing purposes, the University provides a clear mechanism through which an individual may choose to unsubscribe from receiving any further messages from the University.

(72) The University may be required by law to disclose certain information. For example:

(73) Where the University receives a request or is authorised by law to disclose personal information, the University must:

(74) The University has developed the following information sheets to provide best practice guidance when responding to certain requests for information:

(75) Where personal information is to be disclosed to a Law enforcement agency, the University must:

(76) The University has developed an Information Sheet – Requests for Information from Police to assist staff to respond to requests for information from police.

(77) In some circumstances, taking into account the nature and context of a request received from a government agency (including a Law enforcement agency), the University may refuse to comply in the absence of a subpoena, warrant or similar legal order.
Where personal information or sensitive information is to be disclosed under a subpoena, warrant or similar legal order, the University must:

(78) The University has developed an Information Sheet – Dealing with Subpoena Requests to assist staff and affiliates to respond to requests for information under a subpoena.

(79) In instances where sensitive information is to be disclosed, the University must always ensure that express consent is obtained from the individual. A record of the consent will be kept by the University in accordance with its recordkeeping obligations. The University must only depart from this practice in the circumstances permitted under the Privacy and Personal Information Protection Act 1998.

(80) Where the University engages a third party for the purpose of providing a service on behalf of the University which involves use and/or disclosure of personal information, the University will manage that engagement in accordance with clauses 103 – 109.

(81) The University does not have any Memorandums of Understanding or referral arrangements with other agencies relating to the sharing of personal information.

(82) In general terms, ‘use’ refers to the communication or handling of Information within the University, whereas ‘disclosure’ refers to the communication or transfer of Information outside the University, other than to the individual concerned. The principles relating to use and disclosure of health information are discussed below.
(83) Health Privacy Principles 10 and Health Privacy Principles 11 state that the University must not use or disclose health information for a purpose (secondary purpose) other than the primary purpose for which it was collected unless:

(84) Exemptions to Health Privacy Principles 10 and Health Privacy Principles 11 which may apply to the University include where the use and/or disclosure is:

(85) Prior to collecting health information, the University must identify the primary and directly related uses of that information and communicate the intended use and disclosure instances to individuals via a Privacy Statement (as discussed in clauses 38 – 41). For example, a student wishing to utilise support services such as counselling, or wishing to arrange reasonable adjustments, is required to register for the service and is provided with a Privacy Statement outlining how the University handles their health information. Where a new or unrelated use is identified, the University must seek the consent of the individual prior to proceeding.

(86) The University may be required by law to disclose health information. This may include:

(87) Where the University intends to use and/or disclose health information for the purposes of providing training it must take reasonable steps to comply with the Statutory Guidelines on Training – Health Records and Information Privacy Act 2002.

(88) Where health information is to be used for the purpose of undertaking research, the University must refer to the Statutory Guidelines on Research – 27B – Health Records and Information Privacy Act 2002. The University’s Human Research Ethics Committee (HREC) is responsible for approval of the research in accordance with the National Health and Medical Research Council National Statement on Ethical Conduct in Human Research. The University’s dedicated Human Ethics webpage provides further information.
(89) Where the University intends to use health information that may have been collected from a third party, the University must comply with the Statutory Guidelines on the Collection of Health Information from a Third Party – Health Records and Information Privacy Act 2002.

(90) The University may verify and exchange a student’s health information with an external placement body for the purpose of clinical or other placement or practicum experience. University students are notified of this activity via a Privacy Statement in a relevant policy or via the subject outlines, as a requirement of a course of study. Examples of health information that may be exchanged include pre-existing medical conditions that could affect a student’s placement activities and/or the University’s student personal accident insurance cover. In limited circumstances, where prior notification may not have been provided to the student (e.g. via a Privacy Statement), disclosure of health information must only occur with the consent of the student unless a lawful exemption applies.

(91) Where health information is to be disclosed to a Law enforcement agency, the University must:

(92) The University has developed an Information Sheet – Requests for Information from Police to assist staff to respond to requests for information from police.

(93) Where health information is to be disclosed under a subpoena, warrant or similar legal order, the University must:

(94) The University has developed an Information Sheet – Dealing with Subpoena Requests to assist staff to respond to requests for information under a subpoena.

(95) The University may need to use health information for the purpose of providing relevant student services.
For example, a student may register with the Student Accessibility and Inclusion Team as someone with a disability, and it may be important for other areas of the University, such as the Student Administration Services Division, to be aware of the student’s condition for the arrangement of appropriate examination supervision. In these circumstances, this must be done with the consent of the student unless a lawful exception applies.

(96) The University may need to use health information for the purpose of providing specialised support services to students. For example, a student may engage with the University Support and Wellbeing Team for academic or personal support to manage health or wellbeing needs that may be impacting the student’s capacity to study.

(97) In limited circumstances the University may use health information to exercise its duty of care responsibilities under the Work Health and Safety Act 2011 so that the University is a safe working and learning environment for staff/affiliates/students and visitors.

(98) The University welcomes enquiries and feedback (which includes comments, compliments and complaints) from staff, students and third parties. In order to effectively manage and respond to enquiries and feedback the University may need to share health information with specific units and staff who are subject matter experts. Where reasonably practicable, the individual must be consulted prior to sharing the health information.

(99) The University does not have any memorandums of understanding or referral arrangements with other agencies relating to the sharing of health information.

(100) The University does not assign unique identifiers for the management of health information. However, in the event that the University collects unique identifiers it will only do so if it is reasonably necessary to carry out its functions efficiently.
(101) Wherever it is lawful and practicable, the University will give individuals the opportunity to not identify themselves when entering into transactions with or receiving health services from the University.

(102) The University does not currently use a health records linkage system. In the event that a health records linkage system is to be used by the University, it must only do so with the individual’s express consent or otherwise where approval has been granted by the University’s Human Research Ethics Committee (HREC), which is responsible for approval of the research in accordance with the National Health and Medical Research Council National Statement on Ethical Conduct in Human Research.

(103) Where the University proposes to share particular Information with a contractor, agent or consultant engaged to undertake work for/with the University (third party), the University must take reasonable steps to ensure that the service provider has adequate measures in place to manage the Information in accordance with the Privacy Policy and this Plan. The UOW Privacy Impact Assessment (PIA) Tool is to be used by the relevant University business unit to assess the impact on any Information associated with the project or program that relates to the engagement.

(104) If the University transfers Information to a third party who is in a jurisdiction outside NSW or to a Commonwealth agency, the University must do so on the following grounds:

(105) Engagement of technology-based third party vendors is usually managed by the University’s Information Management and Technology Services (IMTS). IMTS is responsible for conducting due diligence for projects that involve the development and management of information and communication technology resources in response to research, teaching and business requirements.

(106) To facilitate the University’s due diligence process, the University has created a questionnaire document, Data Privacy Questions for Third Party Suppliers.
This document is given to third party suppliers to complete prior to engagement so that the University has a clear understanding of a potential supplier’s privacy practices.

(107) In addition, cloud-based third party suppliers are also required to complete the Higher Education Cloud Vendor Assessment Tool. This tool establishes key questions to facilitate assessment of cloud services provisioning, information security and data protection.

(108) The University must take all reasonable steps to include provisions in its contracts with third party suppliers that the third party:

(109) The University has developed an Information Sheet – Data Security and Third Party Engagement which outlines key considerations when negotiating agreements with third party suppliers.

(110) The Privacy and Personal Information Protection Act 1998 requires agencies with responsibilities for public registers to comply with certain requirements.

(111) A public register is defined in the Privacy and Personal Information Protection Act 1998 as:

(112) The University does not hold or manage any public registers as defined in the Privacy and Personal Information Protection Act 1998. However, the University makes the following registers available on its website:

(113) The Information Protection Principles 6 and 7 and Health Privacy Principles 6 and 7 state that if the University holds Information:

(114) The rights to access/amend Information relate to an individual’s own records.

(115) The University is committed to responding to requests for access to an individual’s Information in a timely manner. The time taken by the University to provide access to the Information will depend on the volume and nature of the request, but all reasonable efforts must be made to provide access within 30 days.

(116) Enquiries and requests for access/amendment to Information should be directed as follows:

(117) In most instances, the University will provide access to an individual’s Information without a fee.
However, there are some instances where a fee may be charged, such as where the University provides an individual with their official University academic transcript.
(118) An individual who is not satisfied with the University’s response to a request to access their Information may lodge a complaint or request a formal internal review (see clauses 128 – 133, Complaints and/or Internal Reviews).
(119) An individual also has a right to access Information under the Government Information (Public Access) Act 2009. Lodgement and processing fees are payable using this method of access. Further details can be found on the University’s dedicated Access to Information webpage.
(120) Where an individual seeks access to Information about another individual, this type of request must be managed in accordance with the disclosure principles (and any related exemptions) discussed at clauses 56 – 60 and clauses 82 – 84. Alternatively, the individual will be referred to the University’s Access to Information webpage.
(121) Information Protection Principle 8 and Health Privacy Principle 8 state that:
(122) The University holds information in a variety of systems for University lawful purposes.
(123) Individuals may lodge a request to amend their information as per the process outlined in clause 113.
(124) Any requests for amendments must be accompanied by supporting evidence which demonstrates that the information is inaccurate or misleading, and the individual must be able to verify their identity when submitting the request. For example, the verification process may include sighting a government issued identification record or staff/student ID card.
(125) Where information held by the University is amended, the University will notify the recipients of that Information of the amendment, so far as it is reasonably practicable.
The following factors will be taken into account on a case-by-case basis when determining whether it is reasonably practicable to notify others of the amendment:
(126) The University may refuse to amend Information it holds in certain circumstances, such as:
(127) Where the University decides to refuse to amend the Information it holds, the University will, where practicable (depending on the capabilities of the system used), attach a note to that Information of the amendment or addendum sought and the University’s reasons for its decision to refuse to amend the Information.
(128) The University encourages individuals who have privacy concerns or complaints to contact one of the University’s Privacy Officers in the first instance so that, where possible, issues may be resolved quickly and simply through informal means and/or general complaint handling procedures. Individuals are also entitled to seek a formal review of the University’s conduct (“Internal Review”).
(129) In the event a complaint or concern cannot be resolved informally, the individual’s right to lodge an Internal Review must not be affected.
(130) Information on how to contact a University Privacy Officer can be found in the Roles and Responsibilities section of this Plan or on the University’s Privacy homepage.
(131) A request for Internal Review can only be made where it is alleged that the University’s conduct has:
(132) An individual also has the right to contact the Information and Privacy Commission NSW to discuss any concerns relating to privacy or to make a complaint about the University’s conduct. Where a concern relates to the University’s alleged conduct referred to in clause 131, the Privacy Commissioner may recommend that it would be more appropriate for an Internal Review application to be made.
(133) The Public Interest Disclosures Act 2022 (PID Act) sets in place a system to encourage the reporting of privacy contraventions relating to the University’s responsibilities under the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act). The University’s Serious Wrongdoing Reporting Policy outlines the University’s processes and procedures relating to the reporting of public interest disclosures.
(134) Individuals are entitled to seek a formal review of the University’s conduct by submitting an application for an Internal Review. An application for Internal Review should:
(135) Individuals can use the Privacy Complaint Internal Review Application Form, available on the University’s Privacy homepage, to make an application for an Internal Review.
(136) The Internal Review must be conducted by a University Privacy Officer without any conflict of interest and/or involvement in the conduct which is the subject of the application.
(137) Internal Reviews must be conducted in accordance with the requirements of Part 5 of the Privacy and Personal Information Protection Act 1998 and with regard to any guidance produced by the NSW Privacy Commissioner. This includes the ‘Internal Review Checklist for the Respondent Agency’ published by the Information and Privacy Commission NSW.
(138) On receiving an application for an Internal Review the University must, as soon as practicable, inform the Information and Privacy Commission NSW of the complaint and provide that office with a copy of the Internal Review application. The Privacy Commissioner must be kept informed of the outcome of the Internal Review and any action the University proposes to take as a result of the Internal Review.
(139) The Privacy Officer authorised to deal with the Internal Review (the reviewing officer) must assess the application and inform the applicant in writing of the following:
(140) The University must consider any relevant material submitted by the applicant or by the Information and Privacy Commission NSW during the Internal Review.
(141) Once the Internal Review has been completed, the reviewing officer, on behalf of the University, may do one or more of the following:
(142) Within 14 days of the completion of the Internal Review, the reviewing officer, on behalf of the University, must notify the applicant in writing of:
(143) An applicant who has lodged an Internal Review application is entitled to seek a review by the NSW Civil and Administrative Tribunal of the conduct complained about if:
(144) The University is a statutory corporation established under the University of Wollongong Act 1989, and as such, is not an agency that falls within the scope of the Privacy Act 1988.
(145) However, in some circumstances, Information handled by the University may be expressly governed by the Privacy Act 1988. These circumstances may include:
(146) The Privacy (Australian Government Agencies – Governance) APP Code 2017 requires all Australian Government agencies (as defined by section 5 of the Privacy (Australian Government Agencies – Governance) APP Code 2017) to have a designated Privacy Officer and a designated Privacy Champion.
(147) The (EU) General Data Protection Regulation 2016/679 and other foreign laws may apply in certain circumstances, in relation to the University’s functions and activities.
For example:
(148) The University has developed an Information Sheet – UOW and the EU General Data Protection Regulation (GDPR) to assist its staff and affiliates to comply with the key principles of the (EU) General Data Protection Regulation 2016/679.
(149) Where the (EU) General Data Protection Regulation 2016/679 applies to any third party engagement, the University must comply with the Standard Contractual Clauses as set forth by the provisions of the (EU) General Data Protection Regulation 2016/679. The Information Sheet - Data Security and Third Party Engagement provides guidance specific to obligations under the (EU) General Data Protection Regulation 2016/679.
(150) The University is committed to transparency and accountability in respect of its obligations under the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002. It aims to educate members of the public on how it complies with the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002, and sets out the rights of individuals as outlined in those Acts. The University demonstrates its commitment to privacy compliance through:
(151) The University’s Principal Privacy Officer (or delegate) may audit the University’s compliance with this Plan.
(152) A breach of the University’s Privacy Policy or this Plan by staff or affiliates may constitute misconduct pursuant to the University codes, policies and guidelines and may be subject to disciplinary action.
(153) It is also an offence under the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 for current or former staff or affiliates, as part of their employment, to:
(154) Refer to the Roles and Responsibilities Section for further details.
(155) Data breaches involving Personal and Health information are managed in accordance with the University’s Data Breach Policy and its supporting documents.
(156) The Data Breach Policy and associated procedures set out the University’s practices for compliance with the obligations and responsibilities set out in Part 6A of the Mandatory Notification of Data Breach Scheme for the management of Eligible data breaches and other privacy laws as they apply.
(157) The University is committed to providing a robust privacy training and education program for its staff and affiliates, which includes providing:
(158) The University Privacy Officers are committed to keeping abreast of best practice approaches to privacy compliance via regular attendance at the NSW privacy practitioners’ group meetings held quarterly and other relevant meetings/conferences held from time to time.
(159) The University’s designated Privacy Champion is the Chief Operating Officer and Vice-President Operations, who is responsible for the following functions:
(160) The General Counsel as Principal Privacy Officer is responsible for:
(161) The Privacy Officers in the Information Compliance Unit are responsible for:
(162) All staff and affiliates are responsible for:
(163) Privacy enquiries may be directed to the Information Compliance Unit:
(164) Information and Privacy Commission NSW:
(165) NSW Civil and Administrative Tribunal:
(166) A tool that facilitates the identification and examination of privacy impacts associated with a UOW program, activity, or technology including consideration of the steps required to minimise privacy risks.
Privacy Management Plan
Section 1 - Introduction/Background
Section 2 - Purpose
Section 3 - The Information Protection Principles and Health Privacy Principles
other agencies that relate to personal information other than for research, where applicable.
application of de-identification techniques as a further measure to protect the privacy of an individual. However, even where de-identification techniques have been applied, the risk of re-identification must be assessed, as data may still meet the definition of personal or health information, i.e. the individual may still be reasonably identifiable even with certain identifiers removed or where it may be combined with other information.
Section 4 - Collection of Information
The University Must Collect Information for Lawful Purposes
How the University Determines the Lawful Purposes of Collection
The University Must Collect Information Directly from the Individual
How the University Collects Information Directly from the Individual
Indirect Collection of Information
The University Must be Open and Transparent About the Handling of Information
The University’s Use of Privacy Statements
The University Must Take Reasonable Steps to Ensure the Information it Collects is Relevant to its Lawful Purpose
Section 5 - Management of Information by the University
The University Must Ensure the Security of the Information it Holds
The University’s Commitment to Protecting Information
The University’s Recordkeeping Obligations
The University Must Check the Accuracy of Information Before Use
The University Must Take Reasonable Steps to Ensure the Accuracy of Information Before Use
Use and Disclosure of Personal Information
How the University Complies with the Use and Disclosure Principles of Personal Information
Use and Disclosure of Health Information
How the University Complies with the Use and Disclosure Principles of Health Information
Other Health Privacy Principles
Health Privacy Principles 12 – Identifiers
Health Privacy Principles 13 – Anonymity
Health Privacy Principles 15 – Linkage to Health Records
Third Party Engagement and Confidentiality
Public Registers Held by the University
Section 6 - Rights to Access/Amend Information Held by the University
Access to Information Held by the University
How Information Can be Accessed from the University
Alteration of Information Held by the University
How the University Handles Requests for Amendments to Information
Section 7 - Rights to Raise Concerns and/or Make Complaints
Complaints and/or Internal Reviews
The Internal Review process
How to Lodge an Appeal of the University’s Internal Review Decision
Section 8 - Application of other privacy laws
The Commonwealth Privacy Act
The General Data Protection Regulation (GDPR) and Other Relevant Privacy Laws
Section 9 - The University Accountability
Compliance with its Privacy Obligations
Responding to a Data Breach
Training and Education
Section 10 - Roles and Responsibilities
Section 11 - Privacy Contacts
Internal Contacts
Email: icu-enquiry@uow.edu.au
Website: Privacy
Post: Level 1, Building 22, Northfields Avenue, University of Wollongong NSW 2522
External Contacts
Email: ipcinfo@ipc.nsw.gov.au
Website: Information and Privacy Commission NSW
Post: GPO Box 7011, Sydney NSW 2000
Website: NSW Civil and Administrative Tribunal
Post: Level 9, John Maddison Tower, 85-90 Goulburn Street, Sydney NSW 2000
Section 12 - Definitions
Controlled Entity
Controlled Entities are those entities over which the University has control, as defined in section 15A of the University of Wollongong Act 1989 (as amended) and section 1.2(1) of the Government Sector Finance Act 2018.
Data breach
Data (whether held in digital or hard copy) is subject to unauthorised access, unauthorised disclosure or is lost in circumstances where the loss is likely to result in unauthorised access or unauthorised disclosure. A data breach may occur as the result of malicious action, systems failure, or human error.
Eligible data breach
(ii) an individual’s express wishes about the future provision of health services to him or her, or
(iii) a health service provided, or to be provided, to an individual; or
Phone: (02) 4221 4368
Phone: 1800 472 679
Phone: 1300 006 228 or (02) 9377 5711
Word/Term
Definition (with examples if required)
Affiliate
Includes people holding University of Wollongong Honorary Awards as conferred by the University Council, including the awards of Emeritus Professor, Honorary Doctor and University Fellow; people appointed in accordance with the University’s Appointment of Visiting and Honorary Academics Policy; and people engaged by the University as agency staff, contractors, volunteers and work experience students.
An ‘eligible data breach’ under the MNDB Scheme requires two tests to be satisfied:
Health information
Health information, for the purpose of this Plan, refers to health information defined in the Health Records and Information Privacy Act 2002 (or as amended in the Health Records and Information Privacy Act 2002 from time to time) as:
1. personal information that is information or an opinion about:
(i) the physical or mental health or a disability (at any time) of an individual, or
2. other personal information collected to provide, or in providing, a health service; or
3. other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances; or
4. other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual; or
5. healthcare identifiers.
Information
Health information and/or personal information as the context permits.
Investigative agency
Investigative agencies are as defined in the Privacy and Personal Information Protection Act 1998 and/or the Health Records and Information Privacy Act 2002 as the context applies. These may include (but are not limited to) the NSW Ombudsman, the Independent Commission Against Corruption (ICAC), the Law Enforcement Conduct Commission, the Health Care Complaints Commission, the Australian Health Practitioner Regulation Agency, the Anti-Discrimination Board and the Children’s Guardian.
Law enforcement agency
As defined in the Privacy and Personal Information Protection Act 1998 and/or the Health Records and Information Privacy Act 2002 as the context applies.
Law enforcement agencies include the Police Force of NSW or of another State or Territory, the NSW Crime Commission, the Australian Federal Police, the Australian Crime Commission, the Director of Public Prosecutions of NSW, another State or Territory or the Commonwealth, the Department of Justice and/or the Office of the Sheriff of NSW.
Personal information
Personal information, for the purpose of this policy, refers to personal information defined in the Privacy and Personal Information Protection Act 1998 (or as amended in the Privacy and Personal Information Protection Act 1998 from time to time) as:
“Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.”
Under the Privacy and Personal Information Protection Act 1998, personal information does not include:
information regarding an individual who has been deceased for more than 30 years;
information about an individual that is readily available in a publicly available publication; and
information or an opinion about an individual’s suitability for appointment or employment as a public sector official.
Sensitive information
A subclass of personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.
Staff
All people employed by the University including conjoint appointments, whether on continuing, permanent, fixed term, casual or cadet or traineeship basis.