Privacy Policy

This is the current version of this document.

Section 1 - Purpose of Policy

(1) The University of Wollongong (“UOW”), in carrying out its functions and activities, has an obligation to ensure that the management of an individual’s Personal information and Health information complies with NSW privacy laws.

(2) The purpose of this Policy is to set out:

  1. UOW’s commitment to complying with the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002, which may include regulations, statutory guidelines, codes of practice and privacy directions made under those Acts;
  2. UOW’s commitment to complying with the key principles regulating the management of Personal and Health information;
  3. an individual’s entitlement to raise concerns regarding UOW’s handling of their information; and 
  4. the responsibilities of UOW, its Staff and Affiliates.

(3) This Policy is implemented by UOW’s Privacy Management Plan which operates as a procedure document under UOW’s policy framework.

Section 2 - Application and Scope

(4) This Policy applies to the collection, storage, access, use and disclosure of Information (see definition of this term) by UOW and its Staff and Affiliates, in accordance with the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002.

(5) All Staff and Affiliates must comply with this Privacy Policy and the Privacy Management Plan.

(6) A breach of this Privacy Policy or the Privacy Management Plan may constitute misconduct pursuant to UOW codes, policies and guidelines and may be subject to disciplinary action.

(7) This Policy does not apply to UOW’s Related entities. UOW’s Related entities have their own policies and procedures for the management of Information provided to or collected by them.

(8) Staff and Affiliates should also be aware that certain activities may be subject to obligations under other privacy laws such as the Privacy Act 1988 and the (EU) General Data Protection Regulation 2016/679, where applicable. Further information can be found in UOW’s Privacy Management Plan or by contacting a UOW Privacy Officer.

Section 3 - UOW’s Commitment to Privacy

(9) UOW is committed to complying with the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002, which may include regulations, guidelines, codes of practice and privacy directions made under those Acts. The Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 contain principles that regulate the handling of an individual’s Information and cover its collection, storage, use, disclosure and rights of access/amendment.

(10) UOW’s Privacy Management Plan, prepared in compliance with section 33 of the Privacy and Personal Information Protection Act 1998, sets out:

  1. how UOW complies with the Privacy and Personal Information Protection Act 1998, the Health Records and Information Privacy Act 2002 and other applicable privacy laws;
  2. how UOW disseminates its policies and practices regarding privacy at UOW;
  3. how an individual can gain access to or make amendments to their Information held by UOW; and
  4. how an individual may make a privacy complaint or lodge a request for formal review of UOW’s conduct if dissatisfied with UOW’s handling of their Information, and how such complaints will be managed.

(11) Where research involving the collection or use of Information is to be conducted in or by UOW, it must be approved by UOW’s accredited Human Research Ethics Committee.

Section 4 - Collection of Information

(12) UOW will collect Information in an open and transparent manner. This includes providing individuals with details relating to:

  1. the purpose for the collection of the Information;
  2. how it will be handled by UOW; and
  3. any consequences that may apply if the Information is not provided.

(13) UOW will only collect Information for a lawful purpose which is directly related to one of its functions or activities, and only if the collection is reasonably necessary for that purpose.

(14) UOW will ensure that Information collected is accurate, up to date, not excessive (having regard to the purpose of collection), and does not intrude to an unreasonable extent on the personal affairs of the individual.

(15) UOW will collect Information directly from the individual concerned unless:

  1. it is unreasonable or impracticable to do so; or
  2. the individual has authorized the collection of their Information from someone else; or
  3. in the case where a person is under 16 years of age, the information is provided by the parent or guardian.

(16) UOW’s Privacy Management Plan provides further detail concerning collection of Information.

Section 5 - Access, Accuracy and Amendment of Information

(17) All reasonable steps will be taken by UOW to ensure that information it collects, holds or discloses is accurate, complete, up to date and not misleading (having regard to the purpose).

(18) UOW will respond to enquiries from an individual as to whether it holds that individual’s Information including the nature of the Information, the main purpose for UOW’s use of that Information and any rights of access to it.

(19) UOW will allow an individual to:

  1. access their own Information without unreasonable delay or expense;
  2. request that appropriate amendments, corrections or updates are made to their Information to ensure that it is accurate and remains relevant, up to date, complete and not misleading (having regard to the purpose for which it was collected and is to be used by UOW).

(20) UOW’s Privacy Management Plan provides further detail concerning access, accuracy and amendment of Information.

Section 6 - Retention and Security of Information

(21) UOW will ensure that Information it collects is:

  1. held for no longer than is necessary for the purpose for which it may be lawfully used and in order to meet its legal obligations;
  2. disposed of securely and in accordance with the retention and disposal requirements under the State Records Act 1998 and Records Management Policy; and
  3. protected to the extent reasonable in the circumstances from loss, unauthorized access, use, modification or disclosure and against all other misuse.

(22) Where UOW becomes aware of a data breach, UOW will follow the procedures as outlined in UOW’s Data Breach Response Plan.

(23) UOW’s Privacy Management Plan provides further detail concerning retention and security of Information.

Section 7 - Use of Information

(24) In general terms, ‘use’ of Information refers to the communication or handling of that Information within UOW.

(25) UOW will only use Information for the primary purpose for which it was collected unless:

  1. the use of the Information is directly related to the primary purpose for which it was collected; or
  2. the use of the Personal information is necessary to deal with a serious and imminent threat to any individual’s life or health; or
  3. the use of the Health information is necessary to deal with a serious and imminent threat to any individual’s life, health or safety, or is necessary to lessen or prevent a serious threat to public health or public safety; or
  4. the individual provides consent to another use; or
  5. the use is permitted by provisions of the Privacy and Personal Information Protection Act 1998 and/or the Health Records and Information Privacy Act 2002 relating to law enforcement and other related matters; or
  6. the use is permitted or required under an Act or any other law; or
  7. the use is for the purpose of assisting in a stage of an emergency, it is reasonably necessary for that purpose, and it is unreasonable or impracticable to seek the consent of the individual; or
  8. the use is reasonably necessary for the purpose of research, or the compilation of statistics, in the public interest and:
    1. either the purpose cannot be served by de-identified Information and it is impracticable to seek the consent of the individual for the use, or reasonable steps have been taken to de-identify the Information; and
    2. if it could reasonably be expected to identify individuals, the Information is not published in a publicly available publication; and
    3. the use is in accordance with any guidelines issued by the NSW Privacy Commissioner.
  9. for Health information, where the use is reasonably necessary for research or for the training of employees or persons working with UOW and:
    1. either the purpose cannot be served by de-identified information and it is impracticable to seek the consent of the individual for the use, or reasonable steps are taken to de-identify the information; and
    2. if it could reasonably be expected to identify individuals, the information is not published in a generally available publication; and
    3. the use is in accordance with any guidelines issued by the NSW Privacy Commissioner.

(26) UOW’s Privacy Management Plan provides further detail concerning use of Information and other circumstances where UOW may use Information without an individual’s consent.

Section 8 - Disclosure of Information

(27) In general terms, ‘disclosure’ of Information refers to the communication or transfer of Information outside UOW.

(28) UOW will not disclose Information it holds unless specifically permitted to do so under the Privacy and Personal Information Protection Act 1998 or Health Records and Information Privacy Act 2002. Some of the circumstances may include:

  1. the disclosure of the Information is directly related to the primary purpose for which it was collected and there is no reason to believe that the individual concerned would object to the disclosure; or
  2. the individual is reasonably likely to have been aware, or has been made aware, that Information of that kind is usually disclosed to a third party; or
  3. the disclosure of the Personal information is necessary to deal with a serious and imminent threat to any individual’s life or health; or
  4. the disclosure of the Health information is necessary to deal with a serious and imminent threat to any individual’s life, health or safety, or is necessary to lessen or prevent a serious threat to public health or public safety; or
  5. the individual provides consent to any other disclosure; or
  6. disclosure is permitted by provisions of the Privacy and Personal Information Protection Act 1998 and/or the Health Records and Information Privacy Act 2002 relating to law enforcement and related matters such as:
    1. disclosing information to a Law Enforcement Agency for the purpose of ascertaining the whereabouts of an individual who has been reported to police as a missing person; or
    2. disclosing information to a Law Enforcement Agency in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed; or
  7. the disclosure is for the purpose of assisting in a stage of an emergency, it is reasonably necessary for that purpose, and it is unreasonable or impracticable to seek the consent of the individual; or
  8. disclosure is permitted or required under an Act or any other law; or
  9. the disclosure is reasonably necessary for the purpose of training, research, or the compilation of statistics, in the public interest, and:
    1. either the purpose cannot be served by de-identified information, and it is impracticable to seek the consent of the individual for the disclosure, or reasonable steps have been taken to de-identify the information; and
    2. if it could reasonably be expected to identify individuals, the information is not published in a publicly available publication; and
    3. the use is in accordance with any guidelines issued by the NSW Privacy Commissioner.

(29) UOW will not disclose Information to any person or body who is in a jurisdiction outside NSW or to a Commonwealth agency unless one of the following additional criteria is met:

  1. UOW reasonably believes that the recipient of the Information is subject to a law, binding scheme or contract that upholds the principles for the fair handling of the Information that are substantially similar to the principles of NSW privacy laws; or
  2. the individual expressly consents to the disclosure; or
  3. the disclosure is necessary for the performance of a contract between the individual and UOW; or
  4. for Personal information, the disclosure is necessary, on reasonable grounds, to prevent or lessen a serious and imminent threat to the life or health of any individual; or
  5. for Health information, the disclosure is necessary, on reasonable grounds, to lessen or prevent a serious or imminent threat to the life, health or safety of any person or a serious threat to public health or public safety; or
  6. the disclosure is permitted or required by an Act (including an Act of the Commonwealth) or any other law; or
  7. UOW has taken reasonable steps to ensure that the Information disclosed will be handled by the recipient in a manner that is consistent with NSW privacy laws.

(30) UOW will only disclose Sensitive information with the consent of the individual unless disclosure is necessary to deal with a serious and imminent threat to any individual’s life or health.

(31) UOW’s Privacy Management Plan provides further detail concerning disclosure of Information and other circumstances where UOW may disclose Information without an individual’s consent or appropriate prior notice.

Section 9 - Anonymity and Identifiers 

(32) In relation to Health information, UOW will:

  1. provide individuals with the option of receiving health services or entering into transactions anonymously, wherever it is lawful and practicable; and/or
  2. assign a unique identification number to an individual, if the assignment of identifiers is reasonably necessary to enable UOW to carry out its functions efficiently.

(33) UOW’s Privacy Management Plan provides further detail concerning anonymity and identifiers relating to Health information.

Section 10 - Application of Commonwealth Privacy Act

(34) In some circumstances, Information handled by UOW may be expressly governed by the Privacy Act 1988. These circumstances may include:

  1. where UOW collects tax file numbers from students, Staff and Affiliates;
  2. via UOW’s contractual interactions with Commonwealth funding agencies;
  3. through UOW’s IT service delivery to its Related entities; and
  4. to meet compliance obligations under relevant Commonwealth legislation such as the Higher Education Support Act 2003 relating to Commonwealth assistance to students.

(35) The Privacy (Australian Government Agencies – Governance) APP Code 2017 requires all Australian Government agencies (as defined by s 5 of the Privacy (Australian Government Agencies – Governance) APP Code 2017) to have a designated Privacy Officer and a designated Privacy Champion.

Section 11 - Complaints and Enquiries

(36) All privacy enquiries should be directed to a UOW Privacy Officer via email at icu-enquiry@uow.edu.au. Additional contact details can be found on UOW’s Privacy homepage.

(37) If an individual has any concerns about the way UOW is managing their Information or believes that UOW may have breached their privacy, that individual may:

  1. lodge a complaint with a UOW Privacy Officer; or
  2. submit a formal request for an internal review of UOW’s conduct by completing UOW’s Privacy Complaint Internal Review Application Form; or
  3. contact the Information and Privacy Commission NSW.

(38) For more information about lodging a complaint and/or requesting an internal review of UOW’s conduct, please see UOW’s Privacy Management Plan or visit UOW’s privacy homepage.

Section 12 - Roles and Responsibilities

(39) UOW’s designated Privacy Champion is the Deputy Vice-Chancellor (Strategy and Assurance), who must ensure that the following functions are carried out:

  1. Promoting a culture of privacy within the agency that values and protects personal information;
  2. Providing leadership within the agency on broader strategic privacy issues;
  3. Ensuring that the agency’s privacy management plan is regularly reviewed;
  4. Providing regular reports to the agency’s executive, including about any privacy issues arising from the agency’s handling of personal information.

(40) UOW’s Privacy Officers are:

  1. Senior Manager, Information Compliance – as UOW’s designated Privacy Officer and main contact person for privacy enquiries – phone 02 4221 4368 or email icu-enquiry@uow.edu.au; and
  2. UOW General Counsel as Principal Privacy Officer; and
  3. Officers in the Information Compliance Unit.

(41) UOW’s Privacy Officers are responsible for UOW’s overall compliance with its privacy obligations. Further information regarding the role of UOW’s Privacy Officers can be found in UOW’s Privacy Management Plan.

(42) All Staff and Affiliates are responsible for:

  1. complying with UOW’s privacy obligations and practices as specified in this Privacy Policy, the Privacy Management Plan and UOW’s Code of Conduct when handling Information;
  2. attending training or completing online privacy training to ensure that the principles of privacy best practice are maintained when handling Information;
  3. responding to data breaches in accordance with UOW’s Data Breach Response Plan.

(43) Staff and Affiliates should be aware that:

  1. a breach of this Policy may constitute misconduct pursuant to UOW policy documents and may be subject to disciplinary action; and
  2. for any research which involves the collection, use or disclosure of Information, ethics review may be required. Further information can be found in UOW’s Privacy Management Plan or by contacting a UOW Privacy Officer.

Section 13 - Definitions

Word/Term
Definition

Affiliate
Includes people holding University of Wollongong Honorary Awards as conferred by the University Council, including the awards of Emeritus Professor, Honorary Doctor and University Fellow; people appointed in accordance with the University’s Appointment of Visiting and Honorary Academics Policy; and people engaged by the University as agency staff, contractors, volunteers and work experience students.

Health information
Health information, for the purpose of this Policy, refers to health information defined in the Health Records and Information Privacy Act 2002 (or as amended in the Health Records and Information Privacy Act 2002 from time to time) as:
“(a) personal information that is information or an opinion about:
  (i) the physical or mental health or a disability (at any time) of an individual, or
  (ii) an individual’s express wishes about the future provision of health services to him or her, or
  (iii) a health service provided, or to be provided, to an individual; or
(b) other personal information collected to provide, or in providing, a health service; or
(c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances; or
(d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual; or
(e) healthcare identifiers”

Information
Health information and/or Personal information as the context permits.

Law Enforcement Agency

Personal information
Personal information, for the purpose of this policy, refers to personal information defined in the Privacy and Personal Information Protection Act 1998 (or as amended in the Privacy and Personal Information Protection Act 1998 from time to time) as:
“Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.”
Under the Privacy and Personal Information Protection Act 1998, personal information does not include:
  1. information regarding an individual who has been deceased for more than 30 years;
  2. information about an individual that is readily available in a publicly available publication; and
  3. information or an opinion about an individual’s suitability for appointment or employment as a public sector official.

Related entities

Sensitive information
A subclass of Personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.

Staff
All people employed by the University including conjoint appointments, whether on continuing, permanent, fixed term, casual or cadet or traineeship basis.