(1) The University of Wollongong (“the University”), in carrying out its functions and activities, has an obligation to manage an individual’s personal information and health information in compliance with NSW privacy laws.
(2) The purpose of this Policy is to set out:
(3) This Policy is implemented by the Privacy Management Plan which operates as a procedure document under the University’s policy framework.
(4) This Policy applies to the collection, storage, access, use and disclosure of Information (see definition of this term) by the University and its staff and affiliates.
(5) All staff and affiliates must comply with this Privacy Policy and the Privacy Management Plan.
(6) A breach of this Policy or the Privacy Management Plan may constitute misconduct pursuant to University codes, policies and guidelines and may be subject to disciplinary action.
(7) This Policy does not apply to the University’s controlled entities. The University’s controlled entities have their own policies and procedures for the management of Information provided to or collected by them.
(8) The University is committed to complying with the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002, which may include regulations, guidelines, codes of practice and privacy directions made under those Acts. The Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002 contain principles that regulate the handling of an individual’s Information and cover its collection, storage, use, disclosure and rights of access/amendment.
(9) The Privacy Management Plan, prepared in compliance with section 33 of the Privacy and Personal Information Protection Act 1998, sets out:
(10) The University’s Data Breach Policy sets out strategies to respond to a suspected or known data breach in accordance with obligations under the relevant mandatory notification provisions such as the NSW Mandatory Notification of Data Breach Scheme and is committed to complying with the obligations under relevant privacy laws.
(11) The University must only collect Information for a lawful purpose that is directly related to one of its functions or activities, and only if the collection is reasonably necessary for that purpose. The University must not collect Information by any unlawful means.
(12) The University must take such steps as are reasonable in the circumstances (having regards to the purposes for which the information is collected) to ensure that the Information collected is relevant to that purpose, is not excessive, and is accurate, up to date and complete and does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.
(13) The University must, in collecting Information, collect the Information directly from the individual to whom the information relates, unless:
(14) The University must when collecting Information from an individual, take such steps as are reasonable in the circumstances to ensure that, before the Information is collected or as soon as practicable after collection, the individual to whom the Information relates is made aware of the following:
(15) The Privacy Management Plan provides further detail concerning collection of Information.
(16) Where the University holds personal information the University must not use the Information without taking such steps as are reasonable in the circumstances to ensure that, having regards to the purpose for which the Information is proposed to be used, the information is relevant, accurate, up to date, complete and not misleading.
(17) The University must respond to enquiries from an individual as to whether it holds that individual’s Information including the nature of the Information, the main purpose for the University’s use of that Information and any rights of access to it.
(18) The University must allow an individual to:
(19) The Privacy Management Plan provides further detail concerning access, accuracy and amendment of Information.
(20) The University must ensure that Information it collects is:
(21) The Privacy Management Plan provides further detail concerning retention and security of Information.
(22) In general terms, ‘use’ of Information refers to the communication or handling of that Information within the University.
(23) The University must only use Information for the primary purpose for which it was collected unless:
(24) The Privacy Management Plan provides further detail concerning use of Information and other circumstances where the University may use Information without an individual’s consent.
(25) In general terms, ‘disclosure’ of Information refers to the communication or transfer of Information outside the University.
(26) The University must not disclose Information it holds unless specifically permitted to do so under the Privacy and Personal Information Protection Act 1998 or Health Records and Information Privacy Act 2002.
Some of the circumstances may include:
(27) The University must not disclose Information to any person or body who is in a jurisdiction outside NSW or to a Commonwealth agency unless:
(28) The University must only disclose sensitive Information with the consent of the individual unless disclosure is necessary to deal with a serious and imminent threat to any individual’s life or health.
(29) The Privacy Management Plan provides further detail concerning disclosure of Information and other circumstances where the University may disclose Information without an individual’s consent or appropriate prior notice.
(30) In relation to health information, the University must:
(31) The Privacy Management Plan provides further detail concerning anonymity and identifiers relating to health information.
(32) The University is a statutory corporation established under the University of Wollongong Act 1989 and as such, is not an agency that falls within the scope of the Privacy Act 1988. However, in some circumstances, Information handled by the University may be expressly governed by the Privacy Act 1988. These circumstances may include:
(33) The Privacy (Australian Government Agencies – Governance) APP Code 2017, requires all Australian Government agencies (as defined by s 5 of the Privacy (Australian Government Agencies – Governance) APP Code 2017) to have a designated Privacy Officer and a designated Privacy Champion.
(34) The University may also have obligations under the (EU) General Data Protection Regulation 2016/679 (GDPR) and other foreign laws in relation to the University’s functions and activities. The Privacy Management Plan provides further detail regarding the University’s commitment to managing its obligations under the GDPR and other relevant privacy laws as they apply to the University’s functions and activities.
(35) All privacy enquiries should be directed to the University’s Privacy Officer via email at icu-enquiry@uow.edu.au.
Additional contact details can be found on the University’s Privacy homepage.
(36) If an individual has any concerns about the way the University is managing their Information or believes that the University may have breached their privacy, that individual may:
(37) For more information about lodging a complaint and/or requesting an internal review of the University’s conduct, please see the Privacy Management Plan or visit the University’s Privacy homepage.
(38) The University’s designated Privacy Champion is the Chief Operating Officer and Vice-President Operations who is responsible for the following functions:
(39) The General Counsel as Principal Privacy Officer is responsible for:
(40) The University’s Privacy Officers in the Information Compliance Unit are responsible for:
(41) Further information regarding the role of the University’s Privacy Officers can be found in the University’s Privacy Management Plan.
(42) All staff and affiliates are responsible for:
(43) Staff and affiliates should be aware that:
Privacy Policy
Section 1 - Purpose of Policy
Section 2 - Application and Scope
Section 3 - The University’s Commitment to Privacy
Section 4 - Collection of Information
Section 5 - Access, Accuracy and Amendment of Information
Section 6 - Retention and Security of Information
Section 7 - Use of Information
Section 8 - Disclosure of Information
Section 9 - Anonymity and Identifiers
Section 10 - Application of Commonwealth Privacy Act and Other Relevant Privacy Laws
Section 11 - Complaints and Enquiries
Section 12 - Roles and Responsibilities
Section 13 - Definitions
Word/Term
Definition
Affiliate
Includes people holding University of Wollongong Honorary Awards as conferred by the University Council, including the awards of Emeritus Professor, Honorary Doctor and University Fellow; people appointed in accordance with the University’s Appointment of Visiting and Honorary Academics Policy; and people engaged by the University as agency staff, contractors, volunteers and work experience students.
Controlled Entity
Controlled Entities are those entities over which the University has control, as defined in section 15A of the University of Wollongong Act 1989 (as amended) and section 1.2(1) of the Government Sector Finance Act 2018.
Health information
Health information, for the purpose of this Policy, refers to health information defined in the Health Records and Information Privacy Act 2002 (or as amended in the Health Records and Information Privacy Act 2002 from time to time) as personal information that is information or an opinion about:
• the physical or mental health or a disability (at any time) of an individual, or
• an individual’s express wishes about the future provision of health services to him or her, or
• a health service provided, or to be provided, to an individual, or
Information
Health information and/or personal information as the context permits.
Law Enforcement Agency
As defined in the Privacy and Personal Information Protection Act 1998 and/or the Health Records and Information Privacy Act 2002 as the context applies.
Personal information
Personal information, for the purpose of this policy, refers to personal information defined in the Privacy and Personal Information Protection Act 1998 (or as amended in the Privacy and Personal Information Protection Act 1998 from time to time) as:
“Information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.”
Under the Privacy and Personal Information Protection Act 1998, personal information does not include:
Sensitive information
A subclass of personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.
Staff
All people employed by the University including conjoint appointments, whether on continuing, permanent, fixed term, casual or cadet or traineeship basis.