Privacy Policy

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Purpose and Context

(1) Nil.

Section 2 - Definitions

(2) Nil.

Section 3 - Policy Statement

(3) Western Sydney University is committed to fair personal and health information handling practices in its educational, research, engagement, and associated administrative procedures and activities.

(4) In protecting the privacy of personal and health information entrusted to it, the University will meet its statutory requirements under the Privacy and Personal Information Protection Act 1998 (PPIPA) and the Health Records and Information Privacy Act 2002 (HRIPA). In particular the University will reference its practices and activities against the Information Protection Principles (IPPs), and the Health Privacy Principles (HPPs) contained in those Acts.

(5) All staff and functional units of the University have an obligation, in their day-to-day practices, to adhere to and implement the privacy principles and practices established by legislation and given detailed expression in this and other privacy-related policies and guidelines and the University's Privacy Management Plan.

(6) This policy applies to the University and its employees. It does not apply to the related entities that have separate legal status. Those bodies may come within the ambit of the Federal privacy law and will be asked by the University to adopt policies compatible with general University policies.

Part A - Definitions of Personal Information and Health Information

(7) In establishing a policy and administrative framework to protect the privacy of personal information entrusted to the University it is important to understand what constitutes personal information as defined in the legislation (PPIPA):

"In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

(8) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics." (s.4 PPIPA)

(9) Section 4 of the Privacy and Personal Information Protection Act 1998 also outlines a range of exceptions. More information on these can be found in the Act itself or the University's Privacy Management Plan (see section 4 below).

(10) Under the Health Records and Information Privacy Act 2002 (HRIPA), health information is defined as:

  1. personal information that is information or an opinion about:
    1. the physical or mental health or a disability (at any time) of an individual, or
    2. an individual's express wishes about the future provision of health services to him or her, or
    3. a health service provided, or to be provided, to an individual, or
  2. other personal information collected to provide, or in providing, a health service, or
  3. other personal information about an individual collected in connection with the donation, or intended donation, of an individual's body parts, organs or body substances, or
  4. other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual. (s.6, HRIPA)

(11) Where the University is providing a health service (e.g. UniClinic) the definition of health information also extends to any personal information that is collected at that time.

Part B - Personal and Health Information Protection Principles

(12) There are twelve Information Protection Principles (IPPs) and fifteen Health Privacy Principles (HPPs) that represent the legal obligations that the University must adhere to when it collects, stores, uses or discloses personal and health information. These are contained in PPIPA and HRIPA and are detailed in the University's Privacy Management Plan. In summary form the Principles are as follows:

Table 1: Privacy Principles

In these principles, "information" is a reference to both personal information and health information.

PRIVACY PRINCIPLES
COLLECTION
Necessary - only collect personal information for a lawful purpose. Only collect the information if it is directly related to the University's activities and is necessary for that purpose.

Direct - only collect information directly from the person concerned, unless they have given consent otherwise.

Open - inform the person as to what information is being collected, why it is being collected and who will be storing and using it, and how they can see and correct this information.

Relevant - ensure that the information is relevant, accurate, not excessive and up-to-date. Ensure that the collection does not unreasonably intrude into the personal affairs of the individual.
STORAGE
Secure - ensure that the information is stored securely, not kept any longer than necessary, and disposed of appropriately. Information should be protected from unauthorised access, use or disclosure.
ACCESS AND ACCURACY
Transparent - explain to the individual what information about them is being stored, why it is being used and any rights they have to access it.

Accessible - allow people to access their information without unreasonable delay or expense.

Correct - allow people to update, correct or amend their information where necessary.

Accurate - take reasonable steps to ensure that the personal information is relevant and accurate before using it.
USE
Limited - only use information for the purpose for which it was collected, for a directly related purpose that the person would expect, or for a purpose to which the individual has given consent. There are some special exceptions that allow use in particular circumstances.
DISCLOSURE
Limited - only disclose information for the purpose for which it was collected, for a directly related purpose that the person would expect, or for a purpose to which the individual has given consent. There are some special exceptions that allow disclosure in particular circumstances, or where there is a legal requirement.

Safeguarded - do not disclose sensitive information, information about a person's ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities or trade union membership. You can only disclose sensitive information without consent in order to deal with a serious or imminent threat to any person's health or safety.
ADDITIONAL HEALTH PRIVACY PRINCIPLES (HPPs)
HPPs 12 to 15 - deal with the specialist use of health information, mainly related to health service providers. They cover: the use of identifiers (e.g. patient record numbers); the provision of anonymous access to health services where lawful and practicable; the circumstances under which health information about a person can be transferred out of NSW; and the need for consent where health information about a person is to be included in a data linkage system.
EXEMPTIONS
Some conditional exemptions from adherence to the principles apply, for example for enforcement, investigations, disclosure to bodies such as ICAC, and use of health information for research.

Acknowledgement - This summary of the IPPs and HPPs is derived from the Privacy NSW Fact Sheets Nos. 2 & 4. For a comprehensive listing of the Principles and related exemptions refer to the University's Privacy Management Plan.

Section 4 - Procedures

Management of Privacy within the University

(13) The University has a Privacy Management Plan developed in accordance with section 33 of PPIPA. That Plan documents in detail the requirements placed on the University by PPIPA and HRIPA and provides a detailed schedule of strategies to ensure that the University's practices are examined regularly with a view to compliance. Supplementary guidelines and explanatory material related to specific areas of privacy within the University will be produced in accordance with the directions set in the Plan.

(14) The Plan also contains information on how to make a complaint about a privacy issue and how to seek a formal Internal Review by the University where a breach of privacy may have occurred. A pro forma is available to assist complainants to fully articulate their concerns. This procedure applies to complaints related to both personal and health information.

(15) Information about privacy issues at the University can be obtained via the University's Privacy web site. A range of very useful information can also be obtained from Privacy NSW, the State Government body responsible for administration and implementation of privacy law in NSW.

(16) Related documents are listed on the Associated Information page.

Section 5 - Guidelines

(17) Nil.