Privacy Policy

Section 1 - Purpose and Context

(1) Western Sydney University is subject to and must comply with the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) and the Health Records and Information Privacy Act 2002 (NSW) (HRIPA) when it collects, holds (that is, stores), uses, discloses and/or destroys an individual's personal information and health information.

(2) The University must also comply with other legislation when it deals with personal information, such as the Privacy Act 1988 (Cth), Telecommunications (Interception and Access) Act 1979 (Cth), Government Information (Public Access) Act 2009 (NSW), Criminal Records Act 1991 (NSW), Workplace Surveillance Act 2005 (NSW), State Records Act 1998 (NSW) and the Data Sharing (Government Sector) Act 2015 (NSW).

(3) This Policy sets out the University's commitment to protecting personal and health information; provides the University's Privacy Management Plan, which is made in accordance with section 33 of the PPIPA; its Privacy Data Breach Response Plan, which is made in accordance with Part 6A of the PPIPA; and its Privacy Impact Assessment Procedures, which support legislative compliance via 'privacy by design'.

(4) The Policy applies to all University employees, students, contractors, affiliates, volunteers, associates, members of the public and University controlled entities.

(5) This Policy should be read in conjunction with the Privacy Management Plan, Privacy Impact Assessment Procedures and the Privacy Data Breach Response Plan.

Section 2 - Definitions

(6) The following definitions apply for the purposes of this policy:

Where the University is providing a health service (e.g. UniClinic) the definition of health information also extends to any personal information that is collected at that time.

"... information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion."

"Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics." (section 4 PPIPA)

Section 3 - Policy Statement

(7) The University is committed to respecting the privacy of individuals, creating a privacy culture and promoting fair and compliant information handling practices in its educational, research, engagement, and administrative procedures and activities.

(8) The University will meet its statutory requirements under the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002.

Section 4 - Procedures

(9) All staff must comply with and implement the Information Protection Principles, Health Information Principles, this Policy and the University's Privacy Management Plan, Privacy Data Breach Response Plan and Privacy Impact Assessment Procedures, and ensure staff under their supervision, or students under their direction, are made aware of their obligations under these principles and documents.

Privacy Management Plan (PMP)

(10) The University's PMP sets out how the University complies with the Information Protection Principles and Health Privacy Principles.

(11) The PMP also contains information on how to make a complaint about an alleged breach of privacy, and how to seek internal review of that decision.

(12) The University's Privacy and GIPA Officer, together with the Office of General Counsel, will keep the Plan current.

(13) The Privacy and GIPA Officer, or the relevant University unit responsible for the release of personal or health information as set out in the PMP, will respond promptly to applications for access to personal information.

Privacy Impact Assessments (PIAs)

(14) Staff must undertake a Privacy Impact Assessment (PIA) for any new or revised activities or projects that deal with the collection, use or disclosure of personal or health information, in order to assess whether these have the potential to impact on individual privacy and, if so, how these impacts will be managed in accordance with the PMP.

(15) The University provides privacy education and training to staff to promote awareness of and compliance with this Policy, the PMP, the Privacy Data Breach Response Plan and the Privacy Impact Assessment Procedures.

(16) Contracted third parties must comply with any privacy obligations specified in their contracts with the University and with any directions the University provides in relation to information they have access to or manage on the University's behalf.

(17) Suspected or actual breaches must be managed in accordance with the Privacy Data Breach Response Plan.

Notifiable Data Breaches

(18) Any University employee, student, contractor, affiliate, volunteer or associate is to report any breach of the PMP to the Privacy Officer, including any instances of accidental collection, misuse, disclosure or destruction of personal or health information.

(19) A notifiable data breach is an 'eligible data breach' as described in clause 59D of PPIPA:

(20) Serious harm is where the data breach has resulted, or may result, in a real and substantial detrimental effect to the individual.

Section 5 - Guidelines

(21) The Information Protection Principles are set out and explained in the Information and Privacy Commission's Fact Sheet: Information Protection Principles (IPPs) - PPIP Act.

(22) The Health Privacy Principles are set out and explained in the Information and Privacy Commission's Fact Sheet: Health Privacy Principles (HPPs) - HRIP Act.

(23) Information about privacy issues at the University can be obtained via the University's Privacy website.

(24) Related documents are listed on the Associated Information page.

(25) Visit the Information and Privacy Commission website for more information.