(1) Nil.
(2) Nil.
(3) Western Sydney University is committed to fair personal and health information handling practices in its educational, research, engagement, and associated administrative procedures and activities.
(4) In protecting the privacy of personal and health information entrusted to it, the University will meet its statutory requirements under the Privacy and Personal Information Protection Act 1998 (PPIPA) and the Health Records and Information Privacy Act 2002 (HRIPA). In particular the University will reference its practices and activities against the Information Protection Principles (IPPs), and the Health Privacy Principles (HPPs) contained in those Acts.
(5) All staff and functional units of the University have an obligation, in their day to day practices, to adhere to and implement the privacy principles and practices established by legislation and given detailed expression in this and other privacy related policies and guidelines and the University's Privacy Management Plan.
(6) This policy applies to the University and its employees. It does not apply to the related entities that have separate legal status. Those bodies may come within the ambit of the Federal privacy law and will be asked by the University to adopt policies compatible with general University policies.
(7) In establishing a policy and administrative framework to protect the privacy of personal information entrusted to the University it is important to understand what constitutes personal information as defined in the legislation (PPIPA):
(8) Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics." (s.4 PPIPA)
(9) Section 4 of the Privacy and Personal Information Protection Act 1998 also goes on to outline a range of exceptions and more information related to that can be found in the Act itself or the University's Privacy Management Plan (see section 4 below).
(10) Under the Health Records and Information Privacy Act 2002 (HRIPA), health information is defined as:
(11) Where the University is providing a health service (e.g. UniClinic) the definition of health information also extends to any personal information that is collected at that time.
(12) There are twelve Information Protection Principles (IPPs) and fifteen Health Privacy Principles (HPPs) that represent the legal obligations that the University must adhere to when it collects, stores, uses or discloses personal and health information. These are contained in PPIPA and HRIPA and are detailed in the University's Privacy Management Plan. In summary form the Principles are as follows:
(13) The University has a Privacy Management Plan developed in accordance with section 33 of PPIPA. That Plan documents in detail the requirements placed on the University by PPIPA and HRIPA and provides a detailed schedule of strategies to ensure that the University's practices are examined regularly with a view to compliance. Supplementary guidelines and explanatory material related to specific areas of privacy within the University will be produced in accordance with the directions set in the Plan.
(14) The Plan also contains information on how to make a complaint about a privacy issue and how to seek a formal Internal Review by the University where a breach of privacy may have occurred. A pro forma is available to assist complainants to fully articulate their concerns. This procedure applies to complaints related to both personal and health information.
(15) Information about privacy issues at the University can be obtained via the University's Privacy web site. A range of very useful information can also be obtained from Privacy NSW, the State Government body responsible for administration and implementation of privacy law in NSW.
(16) Related documents are listed on the Associated Information page.
(17) Nil.
Privacy Policy
Section 1 - Purpose and Context
Section 2 - Definitions
Section 3 - Policy Statement
Part A - Definitions of Personal Information and Health Information
Part B - Personal and Health Information Protection Principles
Table 1: Privacy Principles
In these principles information is a reference to both personal information and health information
PRIVACY PRINCIPLES
COLLECTION
Necessary - only collect personal information for a lawful purpose. Only collect information that is directly related to the University's activities and necessary for that purpose.
Direct - only collect information directly from the person concerned, unless they have given consent otherwise.
Open - inform the person as to what information is being collected, why it is being collected and who will be storing and using it, and how they can see and correct this information.
Relevant - ensure that the information is relevant, accurate, not excessive and up-to-date. Ensure that the collection does not unreasonably intrude into the personal affairs of the individual.
STORAGE
Secure - ensure that the information is stored securely, not kept any longer than necessary, and disposed of appropriately. Information should be protected from unauthorised access, use or disclosure.
ACCESS AND ACCURACY
Transparent - explain to the individual what information about them is being stored, why it is being used and any rights they have to access it.
Accessible - allow people to access their information without unreasonable delay or expense.
Correct - allow people to update, correct or amend their information where necessary.
Accurate - take reasonable steps to ensure that the personal information is relevant and accurate before using it.
USE
Limited - only use information for the purpose for which it was collected, for a directly related purpose that the person would expect, or for a purpose to which the individual has given consent. There are some special exceptions that allow use in particular circumstances.
DISCLOSURE
Limited - only disclose information for the purpose for which it was collected, for a directly related purpose that the person would expect, or for a purpose to which the individual has given consent. There are some special exceptions that allow disclosure in particular circumstances, or where there is a legal requirement.
Safeguarded - do not disclose sensitive information, information about a person's ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities or trade union membership. You can only disclose sensitive information without consent in order to deal with a serious or imminent threat to any person's health or safety.
ADDITIONAL HEALTH PRIVACY PRINCIPLES (HPPs)
HPPs 12 to 15 - deal with the specialist use of health information mainly related to health service providers. They cover: the use of identifiers (e.g. patient record numbers); the provision of anonymous access to health services where lawful and practicable; the circumstances under which health information about a person can be transferred out of NSW; and the need for consent where health information about a person is to be included in a data linkage system.
EXEMPTIONS
Some conditional exemptions from adherence to the principles apply, for example for enforcement, investigations, disclosure to bodies such as ICAC, and use of health information for research.
Acknowledgement - This summary of the IPPs and HPPs is derived from the Privacy NSW Fact Sheets Nos. 2 & 4. For a comprehensive listing of the Principles and related exemptions refer to the University's Privacy Management Plan.
Section 4 - Procedures
Management of Privacy within the University
Section 5 - Guidelines
This is not a current document. To view the current version, click the link in the document's navigation bar.
"In this Act, personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.