• Section 1 - Purpose and Context
• Section 2 - Definitions
• Section 3 - Policy Statement
• Section 4 - Procedures
• Section 5 - Guidelines

Section 1 - Purpose and Context

(1) Western Sydney University is subject to and must comply with the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) and the Health Records and Information Privacy Act 2002 (NSW) (HRIPA) when it collects, holds, uses and/or discloses an individual's personal information and health information.

(2) The University must also comply with other legislation when it deals with personal information, such as the Privacy Act 1988 (Cth), Telecommunications (Interception and Access) Act 1979 (Cth), Government Information (Public Access) Act 2009 (NSW), Criminal Records Act 1991 (NSW), Workplace Surveillance Act 2005 (NSW), State Records Act 1998 (NSW) and the Data Sharing (Government Sector) Act 2015 (NSW).

(3) This Policy sets out the University's commitment to protecting personal and health information and provides the University's Privacy Management Plan which is made in accordance with section 33 of the PPIPA.

(4) The Policy applies to all University employees, students, contractors, affiliates, volunteers, associates, members of the public and University controlled entities.

(5) This Policy should be read in conjunction with the Privacy Management Plan.

Section 2 - Definitions

(6) The following definitions apply for the purposes of this policy:

1. health information has the same meaning as in the Health Records and Information Privacy Act 2002 (NSW), that is:
   1. personal information that is information or an opinion about:
      1. the physical or mental health or a disability (at any time) of an individual, or
      2. an individual's express wishes about the future provision of health services to him or her, or
      3. a health service provided, or to be provided, to an individual, or
   2. other personal information collected to provide, or in providing, a health service, or
   3. other personal information about an individual collected in connection with the donation, or intended donation, of an individual's body parts, organs or body substances, or
   4. other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual, or
   5. healthcare identifiers. (section 6 HRIPA)
      Where the University is providing a health service (e.g. UniClinic) the definition of health information also extends to any personal information that is collected at that time.
2. Health Privacy Principles means the principles set out in Schedule 1 of the Health Records and Information Privacy Act 2002 (NSW).
3. Information Protection Principles means the principles set out in Part 2 Division 1 of the Privacy and Personal Information Protection Act 1998 (NSW).
4. personal information has the same meaning as in the Privacy and Personal Information Protection Act 1998 (NSW), that is:
   "... information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.”
   Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics." (section 4 PPIPA).
5. Plan means the Privacy Management Plan implemented pursuant to this Policy and pursuant to s.33 of the PPIPA.

Section 3 - Policy Statement

(7) The University is committed to respecting the privacy of individuals, creating a privacy culture and promoting fair and compliant information handling practices in its educational, research, engagement, and administrative procedures and activities.

(8) The University will meet its statutory requirements under the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002.

(9) All staff must:

1. comply with and implement the Information Protection Principles, Health Information Principles, this Policy and the University's Privacy Management Plan, and ensure staff under their supervision, or students under their direction, are made aware of their obligations under these principles, the Policy and the plan.

Section 4 - Procedures

(10) The University's Privacy Management Plan sets out how the University complies with the Information Protection Principles and Health Privacy Principles.

(11) The Plan also contains information on how to make a complaint about an alleged breach of privacy, and how to seek internal review of that decision.

(12) The University's Privacy Officer, together with the Office of General Counsel, will keep the Plan current.

(13) Staff, students and affiliates are to report any breach of the Plan to the Privacy Officer, including any instances of accidental collection, misuse, disclosure or destruction of personal or health information.

(14) The Privacy Officer, or the relevant University unit responsible for the release of personal or health information as set out in the Plan, will respond promptly to applications for access to personal information.

(15) Staff must undertake a risk analysis for any new activities or projects that deal with collection, use or disclosure of personal or health information in order to assess whether these have the potential to impact on individual privacy and, if so, how these will be managed in accordance with the Plan.

(16) The University provides privacy education and training to staff to promote awareness of and compliance with this Policy and the Plan.

(17) Contracted third parties must comply with any privacy obligations specified in their contracts with the University and with any directions the University provides in relation to information they have access to or manage on the University's behalf.
 

Section 5 - Guidelines

(18) The Information Protection Principles are set out and explained in the Information and Privacy Commission's Fact Sheet: Information Protection Principles (IPPs) - PPIP Act.

(19) The Health Privacy Principles are set out and explained in the Information and Privacy Commission's Fact Sheet: Health Privacy Principles (HPPS) - HRIP Act. 

(20) Information about privacy issues at the University can be obtained via the University's Privacy website.

(21) Related documents are listed on the Associated Information page.

(22) Visit the Information and Privacy Commission website for more information.