• Section 1 - Introduction/Background
• Section 2 - Purpose
• Section 3 - The Information Protection Principles and Health Privacy Principles 
• Section 4 - Collection of Information
• UOW Must Collect Information for Lawful Purposes
• How UOW Determines the Lawful Purposes of Collection
• UOW Must Collect Information Directly from the Individual
• How UOW Collects Information Directly from the Individual
• Indirect Collection of Information
• UOW Must be Open and Transparent About the Handling of Information
• UOW’s Use of Privacy Statements
• UOW Must Ensure that Information Collected is Relevant to its Lawful Purpose
• Section 5 - Management of Information by UOW
• UOW Must Ensure Security of Information
• UOW’s Commitment to Protecting Information
• UOW’s Recordkeeping Obligations
• UOW Must Check Accuracy of Information Before Use
• How UOW Ensures Accuracy of Information Before Use
• Use and Disclosure of Personal Information
• How UOW Applies the Use and Disclosure Principles of Personal Information
• Use and Disclosure of Health Information
• How UOW Applies the Use and Disclosure Principles of Health Information
• Other Health Privacy Principles
• Third Party Engagement and Confidentiality
• Public Registers Held by UOW
• Section 6 - Rights to Access/Amend Information Held by UOW
• Access to Information Held by UOW
• How Information Can be Accessed from UOW
• Alteration of Information Held by UOW
• How UOW Handles Requests for Amendments to Information
• Section 7 - Rights to Raise Concerns and/or Make Complaints
• Complaints and/or Internal Reviews
• The Internal Review process
• How to Lodge an Appeal of UOW’s Internal Review Decision
• Section 8 - Application of other privacy laws
• Application of Commonwealth Privacy Act
• Application of General Data Protection Regulation (GDPR) and Other Relevant Privacy Laws
• Section 9 - UOW Accountability
• Compliance with its Privacy Obligations
• Responding to a Data Breach
• Training and Education
• Section 10 - Roles and Responsibilities
• Section 11 - Privacy Contacts
• Internal Contacts
• External Contacts
• Section 12 - Definitions

Section 1 - Introduction/Background

(1) The University of Wollongong (“UOW”) has an obligation to manage Personal and/or Health information in compliance with the NSW Privacy and Personal Information Protection Act 1998  and the NSW Health Records and Information Privacy Act 2002, which may include regulations, statutory guidelines, codes of practice and privacy directions made under those Acts.

(2) This Plan has been produced in compliance with section 33 of the Privacy and Personal Information Protection Act 1998. A copy of this Plan will be provided to the Privacy Commissioner as soon as practicable after it is prepared and whenever it is amended, in compliance with section 33(5) of the Privacy and Personal Information Protection Act 1998.

(3) This Plan operates as a UOW procedure document supporting UOW’s Privacy Policy and is to be read in conjunction with UOW’s Privacy Policy. All Staff and Affiliates must comply with UOW’s Privacy Policy and this Plan.

(4) UOW’s Privacy Policy and this Plan can be found on UOW’s Policy Directory and Privacy Homepage. Any requests for hard copies of these documents can be directed to the Information Compliance Unit. See Section 11 for contact details.

(5) This Plan does not apply to UOW’s related entities or any other agencies. UOW’s related entities have their own policies and procedures for the management of Information provided to or collected by them.

Section 2 - Purpose

(6) The purpose of this Plan is to outline:

1. how UOW complies with the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 when carrying out its functions and activities;
2. how UOW disseminates its policies and practices regarding privacy within UOW;
3. how an individual may request access or amendment to their Personal or Health information; and
4. how an individual may make a complaint or lodge a request for a formal review of UOW’s conduct if they consider their privacy may have been breached.

(7) In certain circumstances, UOW may be subject to obligations under other privacy laws. Some of the circumstances where other privacy laws may apply in the exercise of UOW’s functions and activities are discussed in section 8 and includes:

1. details of the application of the Privacy Act 1988; and
2. details of the application of the (EU) General Data Protection Regulation 2016/679 and other applicable foreign laws.

(8) Enquiries regarding the application of other relevant privacy laws may be directed to a Privacy Officer. Refer to Section 11 for contact details of UOW’s Privacy Officers.

Section 3 - The Information Protection Principles and Health Privacy Principles 

(9) The Information Protection Principles that apply to public sector agencies such as UOW are contained in sections 8-19 of the Privacy and Personal Information Protection Act 1998.

(10) The Health Privacy Principles that apply to UOW are contained in Schedule 1 of the Health Records and Information Privacy Act 2002.

(11) The application of the Information Protection Principles and the Health Privacy Principles at UOW are discussed in this Plan. In limited circumstances, exemptions in the Privacy and Personal Information Protection Act 1998 or Health Records and Information Privacy Act 2002 may allow UOW to not comply with the Information Protection Principles or the Health Privacy Principles. Some of these circumstances are explained in this Plan where relevant to UOW.

(12) Privacy codes of practice and public interest directions can modify the application of the Information Protection Principles or Health Privacy Principles. There are currently no codes of practice or public interest directions that are relevant to UOW’s management of Information.

(13) UOW’s Information Sheet – Privacy provides a summary of the Information Protection Principles and the Health Privacy Principles and has been produced to assist staff and affiliates understand the requirements of each of the principles.

(14) When developing or reviewing projects, programs or policies that involve the collection and handling of Personal or Health information, Staff and Affiliates are to consider the requirements of the Information Protection Principles and Health Privacy Principles, as discussed in this Plan. UOW Privacy Impact Assessment (PIA) Tool is available to assist staff and affiliates in the consideration and assessment of each of the privacy principles

(15) A UOW Privacy Officer should be consulted when considering the application of any exemptions to the Information Protection Principles or Health Privacy Principles or when working through the UOW Privacy Impact Assessment (PIA) Tool.

Section 4 - Collection of Information

UOW Must Collect Information for Lawful Purposes

(16) The Information Protection Principles 1 and Health Privacy Principles 1 state that UOW must not collect Information unless:

1. the Information is collected for a lawful purpose that is directly related to a UOW function or activity; and
2. the collection of the Information is reasonably necessary for that purpose.

(17) If Information received by UOW is unsolicited (not actively collected by UOW), the principles relating to collection do not apply. However, if UOW decides to make use of, or take any action in relation to the unsolicited Information, then UOW is regarded to have ‘collected’ the Information and the collection principles will then apply. If UOW decides to keep any unsolicited Information, UOW will apply the provisions of the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 relating to the storage, use and disclosure of that Information.

How UOW Determines the Lawful Purposes of Collection

(18) In considering what lawful purposes might be ‘directly related to a UOW function or activity’, as required by the Information Protection Principles 1 and Health Privacy Principles 1, UOW will have regard to the objects and functions of UOW as set out in the University of Wollongong Act 1989. Examples of the purposes for which Information is collected and used by UOW include:

1. services and activities related to education delivery;
2. administration and management of students (from recruitment through to conferring of degrees and other awards);
3. research;
4. marketing and fundraising activities;
5. community engagement and promotion of UOW events and programs (including potential staff and students, alumni, donors and community groups, other industries);
6. quality improvement and planning activities (which may include surveys and competitions);
7. news and updates (which may include marketing strategies);
8. management of staff and affiliates including selection, employment, appraisal and remuneration;
9. student accommodation;
10. support services such as counselling/disability services;
11. scholarship opportunities; and
12. managing grievances, complaints or disputes.

UOW Must Collect Information Directly from the Individual

(19) The Information Protection Principles 2 and Health Privacy Principles 3 state that UOW must, when collecting Information, collect the Information directly from the individual to whom the Information relates, unless:

1. the individual authorised collection of the Personal information from someone else; or
2. the Personal information is provided by a parent or guardian of a person who is under the age of 16 years; or
3. it is unreasonable or impracticable to collect Health information directly. An example of this may include where an individual lacks the capacity to provide their Health information due to health reasons, in which case that Health information may be collected from an authorised representative such as a carer or guardian.

(20) Additionally, UOW may collect Information from third parties in accordance with exceptions to the Information Protection Principles 2 and Health Privacy Principles 3. An exception that may apply to UOW includes where indirect collection is otherwise lawfully authorised or required.

How UOW Collects Information Directly from the Individual

(21) UOW collects Information directly from individuals, including:

1. prospective or current staff and affiliates;
2. prospective students or enrolled students;
3. alumni; and/or
4. members of the public interacting with UOW. An example of this may include a client of UOW’s Northfields Clinic.

(22) UOW facilitates the collection of Information directly from the individual through the provision of:

1. forms;
2. user-based electronic mail services for all ataff, Affiliates and students through a secure server;
3. secure web-based data collection systems via UOW’s website; and/or
4. telephone and face-to-face interaction.

(23) When dealing with an individual, UOW will require that individual to confirm their identity. This is to ensure that UOW is collecting Information directly from that individual to whom the Information relates. For example, the identity confirmation process may include sighting a government issued identification record or staff/student ID card. In instances where enquiries are received over the phone, UOW will use a three-point checklist prior to disclosing any Information.

(24) UOW welcomes enquiries and actively seeks feedback (which may include via comments, compliments and complaints) from individuals. Information is collected and used to respond to any matters raised through the various communication systems, to improve UOW services and promote effective complaint handling processes.

Indirect Collection of Information

(25) At times, UOW collects Information indirectly, but only does so when UOW is lawfully authorised or required to do so, or where the individual has authorised collection from someone else. Circumstances where Information may be indirectly collected may include:

1. via surveillance cameras, lecture recordings or access logs (when attending or accessing UOW whether in person or virtual);
2. from the Universities Admissions Centre, other tertiary institutions, UOW agents, student exchange partners and Related entities;
3. relevant government departments such as the Commonwealth government department with responsibility for immigration;
4. recruitment firms and employment agencies;
5. health care providers, in order to provide support services and adjustments to work or study;
6. individuals acting under the authority of the individual to whom the Information relates; or
7. where lawfully required by law enforcement agencies or investigative agencies.

(26) Where Information is captured indirectly, UOW will make all reasonable efforts to notify affected individuals about UOW’s intended handling of their Information, either by direct contact or via its policies, webpages, terms and conditions or other applicable methods. For example, the CCTV Surveillance Standard provides details relating to UOW’s handling of personal information collected via surveillance cameras. The Lecture Recording Procedures provide details of Personal information that may be collected during the recording of lectures.

(27) Where an individual authorises another person or organisation to collect Information on their behalf, UOW will require evidence of that authority in writing. This authority will be captured as a UOW record and managed in accordance with the Records Management Policy.

UOW Must be Open and Transparent About the Handling of Information

(28) The Information Protection Principles 3 and Health Privacy Principles 4 state that if UOW collects Information from an individual, UOW must take all steps as are reasonable in the circumstances to ensure that, before the Information is collected or as soon as practicable after collection, the individual to whom the Information relates is made aware of the following (“Collection Statement” or “Privacy Statement”):

1. the fact that Information is being collected;
2. the purposes for which the Information is being collected;
3. all intended recipients of the Information;
4. whether the supply of the Information by the individual is required by law or is voluntary;
5. consequences for the individual if the Information (or any part of it) is not provided. For example, the provision of a particular service may not be possible if certain Information is not provided by the individual;
6. the existence of any right of access to, or correction of, the Information; and
7. the name and address of the agency that is collecting the Information and the agency that is to hold the Information. (For complete transparency, UOW will make all reasonable efforts to provide details of where the Information is to be held, especially where it is to be transferred outside NSW). 

(29) Exceptions to the Information Protection Principles 3 and Health Privacy Principles 4 may apply to UOW in the following circumstances:

1. the collection is reasonably necessary for the purpose of research, or the compilation or analysis of statistics, in the public interest and it is unreasonable or impracticable for the Information to be collected directly from the individual to whom the Information relates; or
2. in the case of Health information (where the Health information was collected from someone else) making the individual aware of the collection of that Health information would pose a serious threat to the life or health of any individual. UOW will have regard to the guidelines issued under the Health Records and Information Privacy Act 2002 when considering the application of exceptions to the Health Privacy Principles 4.

(30) Where collection of Information is reasonably necessary for the purpose of research, researchers are required to submit an application to UOW’s Human Research Ethics Committee (HREC). HREC oversees and assesses whether that collection is reasonable in the circumstances and whether the University’s privacy obligations are addressed. UOW’s dedicated Human Ethics webpage provides further information.

(31) In limited circumstances, UOW may apply the exceptions to the Information Protection Principles 3 and Health Privacy Principles 4 when responding to critical incidents. In these instances, it may be necessary to obtain relevant information from someone else other than the individual involved in the critical incident to ensure the safety of that individual or of any other individual.

(32) UOW will consider the requirements of any other applicable legislation when collecting Information. Refer to section 8 for discussion of other applicable legislation.

UOW’s Use of Privacy Statements

(33) UOW, including its faculties and business units, collects Information at different times and in varying ways. As part of that Information collection process, UOW will provide a Privacy Statement to the individual. Examples of the methods used by UOW to communicate Privacy Statements include:

1. targeted notices at the point of student admission/enrolment processes and employment application and acceptance processes,
2. notices within a form, a policy, an agreement or as part of terms and conditions (including student registration and employment terms and conditions); 
3. notices when visiting the UOW website, via information delivery, instructions or FAQ’s;
4. verbal communication where Information is collected by phone; or
5. signage, where Information is collected broadly and it is impracticable to provide individual Privacy Statements. Examples include areas under CCTV surveillance or filming of special occasions.

(34) The UOW Privacy homepage provides links to some of UOW’s various Privacy Statements, as their context applies:

1. Student Privacy and Disclosure Statement;
2. Privacy Collection Statement for Recruitment and Employee Records;
3. Privacy Statement for UOW’s alumni, donors and members of the community;
4. MyUOW App privacy statement;
5. UOW Learner Privacy Statement (Open Learning);
6. UOW Website Privacy Collection Statement.

(35) UOW Privacy Officers provide guidance and assistance in the development of Privacy Statements and in the application of any exceptions to the Information Protection Principles 3 and Health Privacy Principles 4, where applicable.

UOW Must Ensure that Information Collected is Relevant to its Lawful Purpose

(36) The Information Protection Principles 4 and Health Privacy Principles 2 state that if UOW collects Information from an individual, UOW must take such steps as are reasonable in the circumstances (having regard to the purposes for which the Information is collected) to ensure that:

1. the Information collected is relevant to that purpose, is not excessive (having regard to the purpose) and is accurate, up-to-date and complete; and
2. the collection of the Information does not intrude to an unreasonable extent on the personal affairs of the individual to whom the Information relates.

(37) Staff and Affiliates are to consider the requirements of the Information Protection Principles 4 and Health Privacy Principles 2 when collecting Information from an individual. The UOW Privacy Impact Assessment (PIA) Tool facilitates consideration and assessment of each of the privacy principles.

(38) Where human participants are required for the purpose of research, UOW’s Human Research Ethics Committee (HREC) oversees and approves the intended research activity. HREC requires each researcher to outline the Information to be collected for the research project, assesses whether that collection is reasonable in the circumstances and determines whether the University’s privacy obligations are addressed. UOW’s dedicated Human Ethics webpage provides further information.

Section 5 - Management of Information by UOW

UOW Must Ensure Security of Information

(39) The Information Protection Principles 5 and Health Privacy Principles 5 state that if UOW holds Information it must ensure that:

1. the Information is kept for no longer than is necessary for the purposes for which the Information may lawfully be used;
2. the Information is disposed of securely and in accordance with any requirements for the retention and disposal of such Information;
3. the Information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorized access, use, modification or disclosure, and against all other misuse; and
4. if it is necessary for the Information to be given to a person in connection with the provision of a service to UOW (third party engagement), everything reasonably within the power of UOW is done to prevent unauthorized use or disclosure of the Information.

UOW’s Commitment to Protecting Information

(40) UOW is committed to ensuring all business activities performed with the use of information technology systems are protected and maintained, and that sustainable procedures are in place to reflect best practice information technology security. UOW’s information technology policies provide details of its commitment to the storage and protection of Information in compliance with its privacy obligations.

(41) The Data Governance Procedure, Data Quality Management Procedure and Data Handling Guidelines provide the data governance framework relating to the availability, usability, integrity and security of all data held by UOW. This data includes Personal and Health information.

(42) Staff and affiliates are required to comply with UOW’s IT Acceptable Use Policy and are expected to protect Information by ensuring that:

1. where appropriate, the UOW Privacy Impact Assessment (PIA) Tool is used to identify and minimize privacy risks prior to collecting and processing Personal or Health information;
2. records are stored in University approved systems (which have undergone an assessment of the system’s security features);
3. access to systems or databases is restricted to those individuals with a legitimate business purpose;
4. systems that are password protected are appropriately utilised and managed; and
5. Information is destroyed securely e.g.hard copy records are placed in security destruction bins.

(43) From time to time, staff and affiliates may be required to acknowledge their understanding of their compliance obligations in writing if handling certain high-risk categories of Information

(44) In certain circumstances, as a security safeguard, UOW will remove identifiers before using Information in order to protect the privacy of that individual. For example, identifiers are removed from Information where UOW wishes to gain valuable insight for planning and/or research purposes.

(45) Where UOW engages the services of a third party for the purpose of providing a particular service to UOW, all reasonable steps will be taken to ensure that the third party has robust practices in place to protect the Information and prevent its unauthorized use or disclosure. Clauses 96-102 provide further information on Third Party Engagement and Confidentiality.

UOW’s Recordkeeping Obligations

(46) UOW is subject to the State Records Act 1998, which requires UOW to comply with specific timeframes for the retention and disposal of documents. Once Information has reached its required retention period it is destroyed securely and in a compliant manner. The Records Management Policy provides further information regarding the University’s obligations under the State Records Act 1998.

(47) In limited circumstances, UOW may decide to keep Information for a longer period than the period required for its original purpose. Where this is necessary, UOW will keep a record of its business decision regarding extended retention periods, where applicable.

UOW Must Check Accuracy of Information Before Use

(48) The Information Protection Principles 9 and Health Privacy Principles 9 state that if UOW holds Information, it must not use that Information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the Information is proposed to be used, the Information is relevant, accurate, up to date, complete and not misleading.

How UOW Ensures Accuracy of Information Before Use

(49) UOW will consider one or more of the following factors, as are reasonable on a case by case basis, to determine whether the Information it holds is relevant, accurate, up to date, complete and not misleading:

1. the purpose for which the Information was collected;
2. the sensitivity of the Information;
3. how many people have access to the Information;
4. the importance of accuracy to the proposed use;
5. the potential effects on the individual concerned if the Information is inaccurate, out-of-date or irrelevant;
6. the opportunities to subsequently correct the Information; and
7. the ease with which the Information can be checked.

(50) Examples where UOW checks the accuracy of Information before use include:

1. checking student enrolment information such as visa and immigration status, pre-requisites and academic results;
2. checking prospective employee references, work history, academic qualifications and identification, as well as the employee’s rights to work in Australia; and
3. checking Information provided in higher degree research (HDR) applications.

Use and Disclosure of Personal Information

(51) In general terms, ‘use’ refers to the communication or handling of Information within UOW, whereas ‘disclosure’ refers to the communication or transfer of Information outside UOW, other than to the individual concerned. The principles relating to use and disclosure of Personal information are discussed below.

(52) The Information Protection Principles 10 states that UOW must not use Personal information it holds for a purpose other than that for which it was collected unless:

1. the individual to whom the Personal information relates has consented to the use of the Personal information for that other purpose, or
2. the other purpose for which the Information is used is directly related to the purpose for which the Personal information was collected, or
3. the use of the Personal information for that other purpose is necessary to lessen or prevent a serious and imminent threat to any individual’s health or safety, or the use is to assist in a stage of an emergency, and it is impracticable or unreasonable to seek the consent of the individual to whom the Information relates.

(53) The Health Privacy Principles 11 states that UOW must not disclose an individual’s Personal information unless:

1. the individual concerned is reasonably likely to have been aware, or has been made aware at collection, that Personal information of that kind is usually disclosed to that other person or body; or
2. the disclosure is directly related to the purpose for which the Personal information was collected and UOW has no reason to believe that the individual concerned would object to the disclosure; or
3. the disclosure of the Personal information is necessary, on reasonable grounds, to prevent or lessen a serious and imminent threat to the life or health of any individual.

(54) Exceptions to the Information Protection Principles 11 which may apply to UOW include where the disclosure of the Personal information concerned is:

1. made in connection with proceedings for an offence or for law enforcement purposes; or
2. authorised or required by subpoena, search warrant or other legal order; or
3. made to a Law enforcement agency for the purpose of ascertaining the whereabouts of an individual who has been reported to a police officer as a missing person; or
4. made to an Investigative agency as a result of an investigation from a complaint or other matter that was either made or referred from an Investigative agency or that could have been referred or made by UOW to the Investigative agency; or
5. the disclosure is necessary to assist in a stage of an emergency and it is impracticable or unreasonable to seek the consent of the individual to whom the Information relates.

(55) The Information Protection Principles 12 states that UOW must not disclose Sensitive information without the consent of that individual unless the disclosure is necessary to prevent a serious and imminent threat to the health or safety of any person.

How UOW Applies the Use and Disclosure Principles of Personal Information

(56) Prior to collecting Information, UOW makes all efforts to identify the primary and directly related uses of that information and communicates the intended use and disclosure instances to individuals via a Privacy Statement (as discussed in clauses 33-35). As an example, during the enrolment process, students are informed of the various use/disclosure instances relating to their Information. Where a new or unrelated use is identified, UOW will seek the consent of the individual prior to proceeding unless an exemption applies.

(57) Examples where UOW uses Personal Information for a purpose that is directly related to the primary purposes for which it was collected include:

1. provision of services to Students such as career support, study support;
2. responding to security/wellbeing concerns;
3. responding to work health and safety reports;
4. promotion of events and programs (including postgraduate study programs);
5. surveys and competitions;
6. quality improvement and planning;
7. handling of complaints and conducting investigations.

(58) UOW’s policies provide a mechanism through which UOW explains the various ways in which it uses and discloses Personal and/or Health information. For example, Personal information is managed by UOW for the purposes as set out in the IT Acceptable Use Policy.

(59) UOW applies learning analytics initiatives to student data in order to maximise each student’s academic success and to support their student learning experience. This is achieved by giving each student, as well as authorised Staff and Affiliates, access to the student’s learning-related information in order to build on that student’s areas of strength, identify areas for improvement and to utilise support services offered by UOW. The use of analytics data involving students is governed by the Learning Analytics Data Use Policy.

(60) UOW may also use analytics software and other business intelligence systems for quality and planning purposes. In these instances, Personal information may be used to develop the system intelligence. Where practicable, UOW will consider the use of non-identifiable data to achieve the purpose. The UOW Privacy Impact Assessment (PIA) Tool will also be utilised to consider all the relevant privacy principles and risk mitigation strategies.

(61) Personal information may also be used and/or disclosed by UOW to manage emergency or crisis situations. This may include contacting individuals to provide important notices/updates relating to the emergency and/or disclosure of details to the relevant emergency service if required.

(62) In limited circumstances UOW may use Personal information to exercise its duty of care responsibilities under the Work Health and Safety Act 2011 to ensure that UOW is a safe working and learning environment for Staff/Affiliates/Students and visitors.

(63) Where Personal information is to be used for the purpose of undertaking research, UOW will refer to the Statutory Guidelines on Research – 27B, Privacy and Personal Information Protection Act 1998. UOW’s Human Research Ethics Committee (HREC) is responsible for approval of the research in accordance with the National Health and Medical Research Council National Statement on Ethical Conduct in Human Research. UOW’s dedicated Human Ethics webpage provides further information.

(64) UOW welcomes enquiries and feedback (which includes comments, compliments and complaints) from the UOW community. In order to effectively manage and respond to enquiries and feedback UOW may need to share Personal information with specific units and staff who are subject matter experts. Examples include staff with expertise in records management, information technology, teaching and learning or human resources. Where reasonably practicable, the individual will be consulted prior to sharing the Personal information.

(65) Where Personal information is used for direct marketing purposes, UOW will provide a clear mechanism through which an individual may choose to unsubscribe from receiving any further messages from UOW.

(66) UOW may be required by law to disclose certain information. For example:

1. as part of mandatory reporting processes, UOW must disclose Personal information to various Government agencies. Examples are the Commonwealth government department with responsibility for immigration, the Commonwealth government department with responsibility for tertiary education and the Australian Taxation Office;
2. under the Public Interest Disclosures Act 2022 or its equivalent, UOW may be obliged to make a disclosure regarding corruption, maladministration or other conduct governed by that Act;
3. as part of its mandatory notification obligations, UOW must disclose Personal information to certain Investigative agencies such as the Australian Health Practitioner Regulation Agency.

(67) Where UOW receives a request or is authorised by law to disclose Personal information, UOW will:

1. only disclose the Personal information that UOW is authorised to disclose under relevant legislation;
2. only provide the Personal information that falls within the scope of the request; and
3. keep a written record of the Personal information that has been disclosed.

(68) UOW has developed the following information sheets to provide best practice guidance when responding to certain requests for information:

1. Information Sheet – Centrelink (Human Services) Inquiries to assist staff to respond to requests for information from Human Services.
2. Requests for Student Conduct Reports by External Legal Admissions Boards.

(69) Where Personal information is to be disclosed to a Law enforcement agency, UOW will:

1. only provide the Personal information that is relevant and necessary for the intended purpose;
2. obtain and document proof that the individual seeking the Personal information is a representative of the appropriate Law enforcement agency; and
3. keep a written record of the Personal information that has been disclosed.

(70) UOW has developed an Information Sheet – Requests for Information from Police to assist Staff to respond to requests for information from police.

(71) In some circumstances, taking into account the nature and context of a request received by a government agency (including a Law enforcement agency), UOW may refuse to comply in the absence of a subpoena, warrant or similar legal order. Where Personal information or Sensitive information is to be disclosed under a subpoena, warrant or similar legal order, UOW will:

1. only provide the information that is within the scope of the order; and
2. keep a written record of the information that has been disclosed.

(72) UOW has developed an Information Sheet - Dealing with Subpoena Requests to assist staff and affiliates to respond to requests for information under a subpoena.

(73) In instances where Sensitive information is to be disclosed, UOW will always ensure that express consent is obtained from the individual. A record of the consent will be kept by UOW in accordance with its recordkeeping obligations. UOW will only depart from this practice in the circumstances permitted under the Privacy and Personal Information Protection Act 1998.

(74) Where UOW engages a third party for the purpose of providing a service on behalf of UOW which involves use and/or disclosure of Personal information, UOW will manage that engagement in accordance with clauses 96-102.

(75) UOW does not have any Memorandums of Understanding or referral arrangements with other agencies relating to the sharing of Personal information.

Use and Disclosure of Health Information

(76) In general terms, ‘use’ refers to the communication or handling of Information within UOW, whereas ‘disclosure’ refers to the communication or transfer of Information outside UOW, other than to the individual concerned. The principles relating to use and disclosure of Health information are discussed below.

(77) Health Privacy Principles 10 and Health Privacy Principles 11 state that UOW must not use or disclose Health information for another purpose (secondary purpose) other than the primary purpose for which it was collected unless:

1. the individual has provided consent;
2. the secondary purpose is directly related to the primary purpose and within the expectations of the individual;
3. it is reasonably believed to be necessary to lessen or prevent;
   1. a serious and imminent threat to the life, health or safety of any person; or
   2. a serious threat to public health or public safety.

(78) Exceptions to Health Privacy Principles 10 and Health Privacy Principles 11 which may apply to UOW include where the use and/or disclosure is:

1. made to a Law enforcement agency for law enforcement and related matters such as:
   1. for the purposes of ascertaining the whereabouts of an individual who has been reported to police as a missing person; or
   2. where there are reasonable grounds to believe that an offence may have been, or may be, committed; or
2. lawfully authorised or required, or permitted under another law to do so, such as subpoena or search warrant; or
3. reasonably necessary to enable UOW to investigate or handle a complaint or other matter that may be referred or made to an Investigative agency, or that has been referred or made from an Investigative agency; or
4. necessary to be used by UOW as a part of its investigation, or in the reporting of its concerns to relevant persons or authorities, where UOW has reasonable grounds to suspect that:
   1. unlawful activity has been or may be engaged in; or
   2. an individual has or may have engaged in conduct that may be unsatisfactory professional conduct or professional misconduct under the Health Practitioner Regulation National Law (NSW) No 86a of 2009; or
   3. an individual has or may have engaged in conduct that may be grounds for disciplinary action such as a breach of the University Code of Conduct by staff or affiliates; or
5. reasonably necessary for the funding, management, planning or evaluation of health services, or for the training of UOW employees or persons working with UOW, or for research, or the compilation or analysis of statistics, in the public interest and;
   1. either the purpose cannot be served by de-identified Health information and it is impracticable to seek the consent of the individual for the use/disclosure, or reasonable steps are taken to de-identify the Health information; and
   2. if it could reasonably be expected to identify individuals, the Health information is not published in a generally available publication; and
   3. the use of the Health information is in accordance with the statutory guidelines issued under the Health Records and Information Privacy Act 2002 by the Privacy Commissioner.

How UOW Applies the Use and Disclosure Principles of Health Information

(79) Prior to collecting Health information, UOW makes all efforts to identify the primary and directly related uses of that information and communicates the intended use and disclosure instances to individuals via a Privacy Statement (as discussed in clauses 32-35). For example, a student wishing to utilise support services such as counselling, or wishing to arrange reasonable adjustments, is required to register for the service and is provided with a Privacy Statement outlining how UOW will handle their Health information. Where a new or unrelated use is identified, UOW will seek the consent of the individual prior to proceeding.

(80) UOW may be required by law to disclose Health information. This may include:

1. under search warrants, subpoenas, other legal orders or statutory instruments;
2. reporting of notifiable diseases pursuant to, for example, the Public Health Act 2010. Examples of notifiable diseases include, but are not limited to, Hepatitis A, B, C, D, E, Diphtheria, Tetanus, Pertussis and Tuberculosis.

(81) Where UOW intends to use and/or disclose Health information for the purposes of providing training it will ensure that it complies with the Statutory Guidelines on Training – Health Records and Information Privacy Act 2002.

(82) Where Health information is to be used for the purpose of undertaking research, UOW will refer to the Statutory Guidelines on Research – 27B – Health Records and Information Privacy Act 2002. UOW’s Human Research Ethics Committee (HREC) is responsible for approval of the research in accordance with the National Health and Medical Research Council National Statement on Ethical Conduct in Human Research. UOW’s dedicated Human Ethics webpage provides further information.

(83) Where UOW intends to use Health information that may have been collected from a third party, UOW will ensure that it complies with the Statutory Guidelines on the Collection of Health Information from a Third Party– Health Records and Information Privacy Act 2002.

(84) UOW may verify and exchange a student’s Health information with an external placement body for the purpose of clinical or other placement or practicum experience. UOW students are notified of this activity via a Privacy Statement in a relevant policy or via the subject outlines, as a requirement of a course of study. Examples of Health information that may be exchanged may include pre-existing medical conditions that could affect a student’s placement activities and/or UOW’s student personal accident insurance cover. In limited circumstances, where prior notification may not have been provided to the student (e.g via a Privacy Statement), disclosure of Health information will only occur with the consent of the student unless a lawful exception applies.

(85) Where Health information is to be disclosed to a Law enforcement agency, UOW will:

1. only provide the Health information that is relevant and necessary for the intended purpose;
2. obtain and document proof that the person seeking the Health information is a representative of the appropriate Law enforcement agency;
3. keep a written record of the Health information that has been disclosed.

(86) UOW has developed an Information Sheet – Requests for Information from Police to assist staff to respond to requests for information from police.

(87) Where Health information is to be disclosed under a subpoena, warrant or similar legal order, UOW will:

1. only provide the Health information that is within the scope of the legal order; and
2. keep a written record of the Health information that has been disclosed.

(88) UOW has developed an Information Sheet - Dealing with Subpoena Requests to assist staff to respond to requests for information under a subpoena.

(89) UOW may need to use Health information for the purpose of providing relevant student services. For example, a student may register with the Student Accessibility and Inclusion Team as someone suffering a disability and it may be important for other areas of UOW to be aware of the student’s condition, such as the Student Administration Services Division, for arrangement of appropriate examination supervision. In these circumstances, this will be done with the consent of the student unless a lawful exception applies.

(90) In limited circumstances UOW may use Health information to exercise its duty of care responsibilities under the Work Health and Safety Act 2011 to ensure that UOW is a safe working and learning environment for staff/affiliates/students and visitors.

(91) UOW welcomes enquiries and feedback (which includes comments, compliments and complaints) from staff, students and third parties. In order to effectively manage and respond to enquiries and feedback UOW may need to share Health information with specific units and staff who are subject matter experts. Where reasonably practicable, the individual will be consulted prior to sharing the Health information.

(92) UOW does not have any memorandums of understanding or referral arrangements with other agencies relating to the sharing of Health information.

Other Health Privacy Principles

Health Privacy Principles 12 – Identifiers

(93) UOW does not assign unique identifiers for the management of Health information. However, UOW students are issued with a student number, which is a unique personal identifier, to facilitate efficient and effective student management.

Health Privacy Principles 13 – Anonymity

(94) Wherever it is lawful and practicable, UOW will give individuals the opportunity to not identify themselves when entering into transactions with or receiving health services from UOW.

Health Privacy Principles 15 – Linkage to Health Records

(95) UOW does not use a health records linkage system. In the event that a health linkage system is to be used by UOW, it will only do so with the individual’s express consent.

Third Party Engagement and Confidentiality

(96) Where UOW proposes to share particular Information with a contractor, agent or consultant engaged to undertake work for/with UOW (third party), UOW will take reasonable steps to ensure that the service provider has adequate measures in place to manage the Information in accordance with the Privacy Policy and this Plan. The UOW Privacy Impact Assessment (PIA) Tool is to be used by the relevant UOW business unit to assess the impact on any Information associated with the project or program that relates to the engagement.

(97) If UOW transfers Information to a third party who is in a jurisdiction outside NSW or to a Commonwealth agency, UOW will do so on the following grounds:

1. the recipient must be subject to principles that are substantially similar to the NSW Information Protection Principles and Health Privacy Principles; or
2. with the consent of the individual; or
3. the transfer is necessary for the performance of a contract in the interest of the individual between UOW and a third party; or
4. the transfer is necessary to lessen or prevent a serious and imminent threat to the life or health of the individual or another person (or to lessen or prevent a serious threat to public health or public safety); or
5. the transfer is otherwise permitted or required by an Act (including an Act of the Commonwealth) or any other law.

(98) Engagement of technology-based third party vendors is usually managed by UOW’s Information Management and Technology Services (IMTS). IMTS is responsible for conducting due diligence for projects that involve the development and management of information and communication technology resources in response to research, teaching and business requirements.

(99) To facilitate UOW’s due diligence process, UOW has created a questionnaire document, Data Privacy Questions for Third Party Suppliers. This document is given to third party suppliers to complete prior to engagement so that UOW has a clear understanding of a potential supplier’s privacy practices.

(100) In addition, cloud-based third party suppliers are also required to complete the Higher Education Cloud Vendor Assessment Tool. This tool poses key questions to facilitate assessment of cloud services provisioning, information security and data protection.

(101) UOW will take all reasonable steps to include provisions in its contracts with third party suppliers that the third party:

1. is to comply with the Privacy and Personal Information Protection Act 1998 and/or the Health Records and Information Privacy Act 2002 or principles that are substantially similar to the Privacy and Personal Information Protection Act 1998 and/or the Health Records and Information Privacy Act 2002;
2. must treat all data (whether provided by UOW, uploaded by users or generated by any applicable software) in a confidential manner and only use Information for the sole purpose for which it was provided to the third party;
3. must minimise opportunities for misuse of the Information, such as restricting access to the Information by its employees and/or contractors; and
4. is to comply with UOW’s recordkeeping requirements. For example, this may include retention requirements, disposal and/or return of the Information to UOW once the service is completed.

(102) UOW has developed an Information Sheet - Data Security and Third Party Engagement which outlines key considerations when negotiating agreements with third party suppliers.

Public Registers Held by UOW

(103) The Privacy and Personal Information Protection Act 1998 requires agencies with responsibilities for public registers to comply with certain requirements.

(104) A public register is defined in the Privacy and Personal Information Protection Act 1998 as:

1. “A register of personal or health information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee)”.

(105) UOW does not hold or manage any public registers as defined in the Privacy and Personal Information Protection Act 1998. However, UOW makes the following registers available on its website:

1. A contracts register as part of its Government Information (Public Access) Act 2009 mandatory disclosure obligations, is available at GIPA Contracts; and
2. A register known as the Graduate Roll comprising the names of graduates and the courses conferred by UOW each year. Students provide consent for their details to be made publicly available on the Graduate Roll when applying to graduate. An individual who no longer wishes to have their Personal information accessible on UOW’s public register may contact Student Central on 1300 275 869 or email askuow@uow.edu.au.

Section 6 - Rights to Access/Amend Information Held by UOW

Access to Information Held by UOW

(106) The Information Protection Principles 6 and 7 and Health Privacy Principles 6 and 7 state that if UOW holds Information:

1. it must take such steps as are, in the circumstances, reasonable to enable an individual to ascertain:
   1. whether UOW holds Information relating to that individual;
   2. if UOW holds Information relating to that individual:
      1. the nature of that Information;
      2. the main purpose for which the Information is used; and
      3. the individual’s entitlement to gain access to the Information;
2. it must provide the individual with access to the Information without excessive delay or excessive expense.

How Information Can be Accessed from UOW

(107) The rights to access/amend Information relate to an individual’s own records.

(108) UOW is committed to responding to requests for access to an individual’s Information in a timely manner. The time taken by UOW to provide access to the Information will depend on the volume and nature of the request but all reasonable efforts will be made to provide access within 30 days.

(109) Enquiries and requests for access to Information should be directed as follows:

1. Staff and affiliates who wish to obtain access to their employment records should contact UOW’s People and Culture Division Helpdesk via Unified or by phoning 4221 5902;
2. Students who wish to obtain access to their student records should contact Student Central on 1300 275 869 or email askuow@uow.edu.au;
3. Higher degree research (HDR) students who wish to obtain access to their HDR student records should contact the Graduate Research School at Research and Innovation;
4. All other enquiries can be made to icu-enquiry@uow.edu.au.

(110) In most instances, UOW will provide access to an individual’s Information without a fee. However, there are some instances where a fee may be charged, such as where UOW provides an individual with their official UOW academic transcript.

(111) An individual who is not satisfied with UOW’s response to a request to access their Information may lodge a complaint or request a formal internal review (see clauses 121-125 Complaints and/or Internal Reviews).

(112) An individual also has a right to access Information under the Government Information (Public Access) Act 2009. Lodgement and processing fees are payable using this method of access. Further details can be found on UOW’s dedicated Access to Information webpage.

(113) Where an individual seeks access to Information about another individual, this type of request will be managed in accordance with the disclosure principles (and any related exceptions) discussed clauses 51-55 and clauses 76-78. Alternatively the individual will be referred to UOW’s Access to Information webpage.

Alteration of Information Held by UOW

(114) Information Protection Principles 8 and Health Privacy Principles 8 state that:

1. where UOW holds Information, it must, at the request of the individual to whom the Information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the Information:
   1. is accurate; and
   2. having regard to the purpose for which the Information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up to date, complete and not misleading;
2. if UOW is not prepared to amend Information in accordance with a request by the individual to whom the Information relates, UOW must, if requested by the individual concerned, take such steps as are reasonable to attach to the Information any statement provided by that individual of the amendment sought, in such a manner that it is capable of being read with the Information;
3. if Information is amended in accordance with this principle, the individual to whom the Information relates is entitled, if it is reasonably practicable, to have recipients of that Information notified of the amendments made by UOW.

How UOW Handles Requests for Amendments to Information

(115) UOW holds Information in a variety of systems for UOW lawful purposes.

(116) Individuals may lodge a request to amend their Information as per the process outlined in clause 109.

(117) Any requests for amendments must be accompanied by supporting evidence, which demonstrates that the Information is inaccurate or misleading, and the individual must be able to verify their identity when submitting the request. For example, the verification process may include sighting a government issued identification record or staff/student ID card.

(118) Where Information held by UOW is amended, UOW will notify the recipients of that Information of the amendment, so far as it is reasonably practicable. The following factors will be taken into account on a case by case basis when determining whether it is reasonably practicable to notify others of the amendment:

1. who the recipients of the Information are;
2. the purpose for which the Information was collected;
3. the sensitivity of the Information;
4. the importance of the accuracy of the Information;
5. the potential effects on the individual concerned if the Information is inaccurate, out of date or irrelevant;
6. any future opportunities to correct inaccuracies before the Information is used; and
7. the ease and associated costs of notifying recipients.

(119) UOW may refuse to amend Information it holds in certain circumstances, such as:

1. the change conflicts with UOW legislative obligations, or with university governance or business requirements. For example, UOW will not retrospectively change records of decisions where the Information was considered up to date at the time the decision was made;
2. the Information is a university business decision and is not deemed inaccurate by UOW; or
3. insufficient evidence has been provided to support the change.

(120) Where UOW decides to refuse to amend the Information it holds, UOW will, where practicable (depending on the capabilities of the system used), attach a note to that Information of the amendment or addendum sought and UOW’s reasons for its decision to refuse to amend the Information.

Section 7 - Rights to Raise Concerns and/or Make Complaints

Complaints and/or Internal Reviews

(121) UOW encourages individuals who have privacy concerns or complaints to contact one of UOW’s Privacy Officers in the first instance so that, where possible, issues may be resolved quickly and simply through informal means and/or general complaint handling procedures. Individuals are also entitled to seek a formal review of UOW’s conduct (“Internal Review”).

(122) In the event a complaint or concern cannot be resolved informally, the individual’s right to lodge an Internal Review will not be affected.

(123) Information on how to contact a UOW Privacy Officer can be found in the Roles and Responsibilities section of this Plan or on UOW’s Privacy homepage.

(124) A request for Internal Review can only be made where it is alleged that UOW’s conduct has:

1. breached any of the Information Protection Principles in the Privacy and Personal Information Protection Act 1998 or any of the Health Privacy Principles in the Health Records and Information Privacy Act 2002; or
2. breached a privacy code of practice that applies to UOW; or
3. disclosed Personal information kept in a public register.

(125) An individual also has the right to contact the Information and Privacy Commission NSW to discuss any concerns relating to privacy or to make a complaint about UOW’s conduct. Where a concern relates to UOW’s alleged conduct referred to in clause 124, the Privacy Commissioner may recommend that it would be more appropriate for an Internal Review application to be made.

The Internal Review process

(126) Individuals are entitled to seek a formal review of UOW’s conduct by submitting an application for an Internal Review. An application for Internal Review should:

1. be in writing;
2. be addressed to UOW;
3. specify a return address in Australia; and
4. be lodged with a UOW Privacy Officer within 6 months of the date the applicant first became aware of the alleged conduct. UOW may exercise its discretion to accept an application which is received after the end of the 6 month period.

(127) Individuals can use the Privacy Complaint Internal Review Application Form, available on UOW’s Privacy homepage, to make an application for an Internal Review.

(128) The Internal Review will be conducted by a UOW Privacy Officer without any conflict of interest and/or involvement in the conduct which is the subject of the application.

(129) Internal Reviews will be conducted in accordance with the requirements of Part 5 of the Privacy and Personal Information Protection Act 1998 and with regard to any guidance produced by the NSW Privacy Commissioner. This includes the ‘Internal Review Checklist for the Respondent Agency’ published by the Information and Privacy Commission NSW.

(130) On receiving an application for an Internal Review UOW will, as soon as practicable, inform the Information and Privacy Commission NSW of the complaint and provide that office with a copy of the Internal Review application. The Privacy Commissioner will be kept informed of the outcome of the Internal Review and any action UOW proposes to take as a result of the Internal Review.

(131) The Privacy Officer authorised to deal with the Internal Review (the reviewing officer) will assess the application and inform the applicant in writing of the following:

1. the name, title and contact details of the reviewing officer;
2. the reviewing officer’s understanding of the conduct complained about and the privacy principle/s at issue;
3. that UOW is conducting the review under the Privacy and Personal Information Protection Act 1998 or the Health Records and Information Privacy Act 2002, as appropriate;
4.  the reviewing officer’s suitability to deal with the maters raised by the application;
5. the required completion date for the review process (maximum of 60 days);
6. that an external review may be lodged with the NSW Civil and Administrative Tribunal (NCAT) if the review is not completed within the required timeframe; and
7. that the Information and Privacy Commission NSW will be kept informed of the progress and findings of the Internal Review.

(132) UOW will consider any relevant material submitted by the applicant or by the Information and Privacy Commission NSW during the Internal Review.

(133) Once the Internal Review has been completed, the reviewing officer, on behalf of UOW, may do one or more of the following:

1. take no further action on the matter;
2. make a formal apology to the applicant;
3. take such remedial action as it thinks appropriate;
4. provide undertakings that the conduct will not occur again; and/or
5. implement administrative measures to ensure that the conduct will not occur again.

(134) Within 14 days of the completion of the Internal Review, the reviewing officer on behalf of UOW, will notify the applicant in writing of:

1. the findings of the Internal Review (and the reasons for those findings);
2. the action proposed to be taken by UOW (and the reasons for taking them); and
3. the right of the individual to have those findings, and the proposed action, reviewed by the NSW Civil and Administrative Tribunal.

How to Lodge an Appeal of UOW’s Internal Review Decision

(135) An applicant who has lodged an Internal Review application is entitled to seek a review by the NSW Civil and Administrative Tribunal of the conduct complained about if:

1. the applicant is not satisfied with the findings of the Internal Review; or
2. the applicant is not satisfied with the proposed actions to be taken by UOW; or
3. UOW has not dealt with the Internal Review application within the required 60 day timeframe.

Section 8 - Application of other privacy laws

Application of Commonwealth Privacy Act

(136) UOW is a statutory corporation established under the University of Wollongong Act 1989, and as such, is not an agency that falls within the scope of the Privacy Act 1988.

(137) However, in some circumstances, Information handled by UOW may be expressly governed by the Privacy Act 1988. These circumstances may include:

1. where UOW collects tax file numbers from students, staff and affiliates;
2. via UOW’s contractual interactions with Commonwealth funding agencies;
3. through UOW’s IT service delivery to its related entities; and
4. to meet compliance obligations under relevant Commonwealth legislation such as the Higher Education Support Act 2003 relating to Commonwealth assistance to students.

(138) The Privacy (Australian Government Agencies – Governance) APP Code 2017, requires all Australian Government agencies (as defined by section 5 of the Privacy (Australian Government Agencies – Governance) APP Code 2017) to have a designated Privacy Officer and a designated Privacy Champion.

Application of General Data Protection Regulation (GDPR) and Other Relevant Privacy Laws

(139) The (EU) General Data Protection Regulation 2016/679 and other applicable foreign laws may apply in certain circumstances, in relation to UOW’s functions and activities. For example:

1. the (EU) General Data Protection Regulation 2016/679, which extends its territorial scope outside the European Union (EU), may apply to UOW where it either has an establishment in the EU or offers goods and services or monitors the behaviour of individuals in or from the EU;
2. China’s Personal Information Protection Law also extends its territorial scope to the processing of an individual’s personal information outside of China, where products or services are provided to individuals in or from China;

(140) UOW has developed an Information Sheet – UOW and the EU General Data Protection Regulation (GDPR) to assist its staff and affiliates to comply with the key principles of the (EU) General Data Protection Regulation 2016/679;

(141) Where the (EU) General Data Protection Regulation 2016/679 applies to any third party engagement, UOW will seek to comply with the Standard Contractual Clauses as set forth by the provisions of the (EU) General Data Protection Regulation 2016/679. The Information Sheet - Data Security and Third Party Engagement provides guidance specific to the application of the (EU) General Data Protection Regulation 2016/679.

Section 9 - UOW Accountability

Compliance with its Privacy Obligations

(142) UOW is committed to transparency and accountability in respect of its obligations under the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002. It aims to educate members of the public on how it complies with the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 and sets out the rights of individuals as outlined in those Acts. UOW demonstrates its commitment to privacy compliance through:

1. the Privacy Policy and this Plan, which is endorsed and approved by the University Council;
2. a dedicated Privacy webpage contains best practice advice and resources for staff and affiliates and provides important details regarding UOW’s handling of an individual’s Information (including rights of the individual);
3. a dedicated team of Privacy Officers, who provide specialized training and advice and seek to ensure best practice guidance is embedded into UOW functions and activities.

(143) UOW’s Principal Privacy Officer (or delegate) may audit UOW’s compliance with this Plan.

(144) A breach of UOW’s Privacy Policy or this Plan by staff or affiliates may constitute misconduct pursuant to UOW codes, policies and guidelines and may be subject to disciplinary action.

(145) It is also an offence under the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 for current or former staff or affiliates, as part of their employment, to:

1. intentionally disclose or use Information that they have accessed, unless it is for a lawful or authorised purpose; and/or
2. supply, by way of a bribe or other similar corrupt conduct, any Information about an individual to another individual.

(146) Refer to the Roles and Responsibilities Section for further details.

Responding to a Data Breach

(147) Where UOW becomes aware of a suspected, potential or actual data breach involving Personal information or Health information it will take appropriate steps to identify, address and mitigate the impacts of the breach.

(148) The Data Breach Response Plan sets out UOW’s procedures for managing a data breach, including the considerations around notifying those persons whose privacy may be affected by the breach as well as reporting to the appropriate regulator where relevant.

(149) Staff and affiliates are expected to report data breaches to a UOW Privacy Officer at icu-enquiry@uow.edu.au. UOW’s Privacy Officer will provide assistance and guidance to work through UOW’s Data Breach Response Plan and take appropriate action.

(150) In some circumstances UOW may have mandatory data breach notification requirements under other relevant privacy laws. Decisions regarding notification will be assessed on a case by case basis in accordance with the Data Breach Response Plan and the relevant privacy laws.

Training and Education

(151) UOW is committed to providing a robust privacy training and education program for its staff and affiliates, which includes providing:

1. privacy training as part of its induction programs;
2. clear expectations within the employment agreements of staff and affiliates regarding privacy obligations;
3. access to a Privacy homepage which contains a range of information and resources about privacy including a Privacy Awareness e-book, privacy statements in use by UOW, a privacy training video and FAQ section;
4. access to current and informative guidance documents and tools such as:
   1. the Privacy Policy;
   2. this Plan;
   3. UOW’s Information Sheet – Privacy;
   4. UOW’s Privacy Impact Assessment (PIA) tool;
   5. the Data Breach Response Plan; and
   6. various other Information Sheets and tools (available via the ‘Resources for Staff’ section on UOW’s Privacy homepage);
5. privacy education via newsletters, information sessions, workshops and online training modules;
6. privacy advice on a case by case basis to staff and affiliates.

(152) UOW Privacy Officers are committed to keeping abreast of best practice approaches to privacy compliance via regular attendance at the NSW privacy practitioners’ group meetings held quarterly and other relevant meetings /conferences held from time to time.

Section 10 - Roles and Responsibilities

(153) UOW’s designated Privacy Champion is the Deputy Vice-Chancellor (Strategy and Assurance) who must ensure that the following functions are carried out:

1. promoting a culture of privacy within the agency that values and protects personal information;
2. providing leadership within the agency on broader strategic privacy issues;
3. ensuring that the agency’s privacy management plan is regularly reviewed; and
4. providing regular reports to the agency’s executive, including about any privacy issues arising from the agency’s handling of personal information.

(154) UOW’s Privacy Officers are:

1. General Counsel as UOW’s Principal Privacy Officer;
2. Senior Manager, Information Compliance – as UOW’s designated Privacy Officer and main contact for privacy;
3. Officers in the Information Compliance Unit.

(155) The Privacy Officers are responsible for:

1. training and education, including the development of guidance documents and tools;
2. providing advice and making best practice recommendations to staff and affiliates on privacy issues;
3. assisting with the development of Collection Statements;
4. liaising with relevant regulatory agencies such as the Information and Privacy Commission NSW;
5. responding to privacy complaints and conducting Internal Reviews;
6. implementing and maintaining UOW’s Privacy Policy and this Plan;
7. ensuring UOW’s Privacy homepage contains current, relevant and best practice privacy information; and
8. preparing mandatory reports relating to privacy.

(156) All Staff and affiliates are responsible for:

1. complying with UOW’s privacy obligations and practices as specified in its Privacy Policy, this Plan and the University Code of Conduct when managing Information; and
2. attending training or completing online privacy training to ensure that the principles of privacy best practice are maintained when handling Information.

Section 11 - Privacy Contacts

Internal Contacts

(157) Privacy enquiries may be directed to the Information Compliance Unit:

External Contacts

(158) Information and Privacy Commission NSW:

(159) NSW Civil and Administrative Tribunal:

Section 12 - Definitions