(1) Western Sydney University has legal obligations to individuals whose personal information (also known as personal data) it collects, uses, holds (that is, stores), discloses and destroys. These are obligations that arise at law under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA), the Health Records and Information Privacy Act 2002 (NSW) (HRIPA) and, in some circumstances, the Privacy Act 1988 (Cth) (Federal Privacy Act) and foreign privacy regulations such as the European Union General Data Protection Regulation 2016/679 (GDPR). (2) Under the PPIPA, the University is required to have a Privacy Management Plan (PMP) and embraces this obligation as an exercise of good governance and transparency in the way in which the institution deals with the personal information of staff members, students, and other members of the University community. (3) The Information Protection Principles (IPPs) are set out in the PPIPA as the guiding principles that regulate how the University can collect, use, hold, and disclose personal information of individuals. These are summarised in Section 21 – Annexure A to this PMP. (4) Under the HRIPA, the Health Privacy Principles (HPPs) set out the obligations of the University when it manages health information. These are summarised in Section 22 – Annexure B to this PMP where they differ from the IPPs. (5) There are some circumstances where the Federal Privacy Act applies to the University, and these are set out in clause (165). There are also some circumstances where foreign privacy regulations, such as the GDPR, apply to the University, and these are set out in Section 17. However, the University's primary obligations arise under the PPIPA, as detailed throughout this PMP. (6) The University is also bound by other legislation that regulates the collection, use, storage, disclosure or destruction of personal information.
These include: (7) In addition, some University professional staff are bound by professional codes of practice relating to confidentiality of personal information when providing services for staff or students (counselling services, for example). University staff who undertake research involving human participants are required to comply with the ‘National Statement on Ethical Conduct in Human Research’ (updated 2018) jointly developed by the National Health and Medical Research Council, Australian Research Council and Universities Australia. In accordance with the National Statement, researchers are required to safeguard the privacy and confidentiality of research participants at all stages of the research, including the collection, use, analysis, disclosure, storage, retention, disposal, sharing and re-use of participant data or information. (8) This PMP applies to all personal information and records of staff, students and members of the public held by the entire University. All academic and business units of the University must collect, manage and use the personal information they hold in accordance with this PMP. All persons who handle personal information on behalf of the University (including officers, employees, volunteers and contractors) must also comply with the requirements in this PMP. (9) This PMP also covers controlled entities of the University, which currently include Western Sydney University Enterprises Pty Ltd, Western Sydney University Early Learning Ltd, Whitlam Institute within Western Sydney University, Western Growth Development (Parramatta Innovation Hub) Pty Ltd and Western Growth Development (Westmead) Pty Ltd. (10) For the purpose of this document, a reference to a “student” includes a reference to a student enrolled in a program of study at the University and/or at The College, and a reference to University processes includes a reference to The College processes unless otherwise indicated.
(11) Personal information is defined in the PPIPA as: (12) The PPIPA also defines personal information to include an individual’s fingerprints, retina prints, body samples, or genetic characteristics. (13) The University assigns employees and students a unique identifier in the form of a staff or student ID number. Staff and student ID numbers are considered to be personal information and will be handled in accordance with applicable privacy laws. (14) Certain categories of information are often mistakenly classified as personal information, and the PPIPA also specifies classes of information that are not “personal information”. (15) The categories of information that are not personal information relevant to the University include: (16) Health information is defined in the HRIPA as personal information that is information or any opinion about: (17) It is further defined as personal information: (18) The University is a public institution participating in teaching, research, community service, and engagement activities. It collects and holds a wide range of personal information about students, alumni, staff, and members of the external University community. The University comes into contact with these individuals in carrying out its functions and activities, and it cannot function without collecting and holding information about individuals. (19) It is essential that the University collects, holds, and uses the above information for the ongoing conduct of its activities. (20) Personal information may be collected for the performance of the University's key functions, including: (21) Personal information may also be collected from third parties as part of a formal investigation undertaken under a legislative requirement or pursuant to any rules, codes of conduct or policies of the University, including carrying out due diligence inquiries and investigations relating to alleged staff or student misconduct.
(22) Health information may be collected for the University's functions, including student engagement, health and welfare services, recruitment, human resources and complaint handling. (23) There is no finite list of personal information and/or health information that the University collects about individuals. However, Section 23 – Annexure C sets out examples of personal information and health information that may be collected by the University in undertaking its functions and activities. (24) The University ensures that the personal information and health information it collects from individuals is relevant to its functions. It collects the information that is required depending on who the individual is and what their relationship is with the University. For example, different information is collected from students than from staff, which is again different from the information collected from donors to the University. (25) The University takes steps to minimise unreasonable intrusion on an individual and not to collect excessive information by, for example: (26) Under the PPIPA, the University must ensure that it does not hold personal information for longer than it needs to use the information. The University must also retain personal information records as required by the general retention and disposal authorities issued by the State Records Authority. The period for which records are retained depends on the type of record. (27) The ways in which the University holds, uses, discloses and destroys personal information are discussed below. (28) The University holds information for the purposes of privacy obligations if the information is: (29) The University holds personal information in a variety of media, including in hardcopy form, but primarily in data management systems and the University's records management system. Different parts of the University hold different information in different databases and systems.
(30) Below are some examples of where the University holds personal information: (31) The University is legally obliged to protect the personal and health information it stores, including preventing unauthorised use or disclosure, and disposing of the information securely and in accordance with any other retention and destruction laws. In addition to the requirements under the PPIPA and the HRIPA, the University is bound by specific provisions in the State Records Act 1998 (NSW) and the Government Information (Public Access) Act 2009 (GIPAA). (32) Schools and organisational units must adopt processes to secure employee and student personal information and enable access to that information only in accordance with this PMP. Staff must only have access to information systems for legitimate purposes to enable them to perform the requirements of their position at the University. (33) The University's Records and Archives Management Policy also sets out the standards for creating, maintaining, and legally destroying University records and archives. (34) The University may need to store information or data outside the University (including outside New South Wales), for example by using an off-site commercial storage facility to store paper records, or by engaging a third party to host and manage electronic records or data (including by means of cloud storage). (35) In these cases, the area of the University responsible for managing these activities or contract must complete a Privacy Impact Assessment (PIA) beforehand to ensure the activity meets privacy obligations. For Information Technology and Digital Services related systems, this includes undertaking a Risk and Compliance Review (refer to the Digital Services Implementation Policy). (36) In addition, the University will ensure that third party contracts incorporate appropriate obligations to ensure compliance with the PPIPA (and, to the extent applicable, any other privacy laws) and this PMP. 
(37) Refer also to the section headed Transborder Data Flow of Personal Information regarding data that may contain personal information that is transferred outside of New South Wales. (38) Student records about admissions and enrolment are the responsibility of the University's Data Integrity, Quality and Operations unit. Each individual student of the University has an electronic file within TRIM, the University's recordkeeping system. (39) Student records about health and welfare services are the responsibility of the University organisational unit responsible for the provision of those health and welfare services. Such records are held in a separate secure database only accessible to authorised staff. (40) TRIM restricts access and controls input to student records by granting various levels of access rights to University staff. Only authorised staff can create, access, or amend student records. (41) All University staff that access student records within TRIM must ensure that the records are kept secure, treated confidentially, and protected from unauthorised access or misuse. Staff who are required to use TRIM are trained and given explicit warnings that all information is confidential and must only be collected, accessed, used, disclosed, amended, or deleted by staff authorised to do so and only for the official business of the University and not for any personal or other use. (42) The University also creates, stores and uses digital images of students for legitimate University identification purposes. The use of student images for other University purposes (such as publicity) is only permissible upon the receipt of a student’s signed consent form authorising the particular purpose and for a specified period of time. The consent form must be stored and linked to the image. Model release forms are available from the Office of General Counsel (OGC). The image must be deleted or destroyed when the authorised time period has lapsed. 
(43) Employee records are the responsibility of the Office of People. Electronic personal or confidential information about staff should only be held in TRIM or formal University systems, such as Acendre, and should never be held in collaborative areas, such as share drives and SharePoint. (44) Staff in the Office of People have access to employee records in the course of their official University duties and for no other purposes. (45) Records relating to staff grievances, disciplinary matters or other sensitive information are held in a separate Office of People TRIM file. The exceptions to this include proven cases of misconduct and unsatisfactory performance. In these instances, investigation reports, allegations, the employee's response to allegations and letters of outcome are placed on the employee’s personal file. (46) Some information contained in employee records may not be covered by the PPIPA, particularly information about a person’s suitability for employment with the University. This may include a selection panel report, a referee’s report, a job application or records relating to misconduct. This information is treated by the University as confidential and access to those records is restricted. However, this information may be requested for release under the GIPAA, or the University may be required by law to produce it to a court, tribunal or government agency (for example, under a subpoena). (47) The University also creates, stores and uses digital images of staff for legitimate University identification purposes. The use of staff images for other University purposes (such as publicity) is only permissible upon the receipt of the staff member’s written consent form authorising the particular purpose and for a specified period of time. The consent form must be stored and linked to the image. Model release forms are available from the Office of General Counsel (OGC). The image must be deleted or destroyed when the authorised time period has lapsed.
(48) Under s.27B of the PPIPA, there is an exemption that applies to the collection, use or disclosure of personal information used for research purposes, or the compilation or analysis of statistics in the public interest, provided that specific conditions are met. Staff engaged in research that wish to access personal information held by the University for research purposes should refer to the NSW Information and Privacy Commissioner's Statutory Guidelines on Research – Section 27B for more information and consult with the University's Privacy Officer or the Office of General Counsel. Approval from the University's authorised delegate is required before any information can be provided. (49) Research records are the responsibility of the staff and students conducting that research. The University does not have a central repository for research records within TRIM. The University's Research Data Management Policy specifies the responsibilities of the University, its researchers and research students regarding the management of research data. (50) The University's Research Code of Practice details the compliance requirements relating to research records in accordance with the Australian Code for the Responsible Conduct of Research, 2018. (51) The University manages and stores its research data as detailed in the University's Research Data Management Policy to ensure compliance with relevant legislation covering data retention, accessibility, storage and security, that the validity of the data can be demonstrated as required and also to meet its PPIPA obligations. Individual researchers should not hold the only copy of the data and must ensure that a copy of the original data is retained in the academic unit, school, or research unit in the University where the chief investigator(s) is normally employed or is based for the purposes of that research project. 
(52) The University holds or hosts public or publicly accessible events for the purposes of community engagement, including lectures, seminars and performances at University venues or by electronic means such as videoconferencing and live streaming. The University also regularly holds graduation ceremonies both at its Australian campuses and at overseas venues (for the benefit of graduating international students) or by using live streaming or audio or other electronic means. (53) While most information and data collected through these activities (including filming or photographing these events for broadcast, including by means of live streaming on the University's website) are in the public domain, there is some information collected and maintained on a continuing basis which is not public and is protected by the PPIPA. This includes: (54) The University must only collect personal information and health information that is necessary for a function or activity of the University. The University's functions include learning and teaching, research, administration, welfare and community advocacy, development and engagement. However, there are other functions of the University that require the collection of personal information and health information, as detailed elsewhere in this PMP. (55) The University collects information from individuals directly, unless they have authorised collection of the information from someone else, for example where it is provided by a parent or guardian for a person under the age of 16, or where the individual lacks capacity (including temporarily) to provide that information directly (for instance, if the person is involved in an accident).
(56) Some ways in which the University may ask an individual to provide personal information or health information include: (57) Individuals may also volunteer solicited or unsolicited information, for example, via student surveys that the University undertakes to improve its services or students’ experiences at University, or that give individuals more choice in the type of services or activities they can access. (58) When collecting personal information, the University will take all reasonable steps to ensure the individual understands how and why their information is being collected. Where applicable, individuals will be told of any consequences if they do not provide the information, for instance, that a service is unavailable or limited or that an application may be refused. (59) The Student Declaration sets out how personal information is collected, used, disclosed and destroyed by the University. (60) Health information is usually collected from students directly by the University's Equity, Safety and Wellbeing staff, and students must complete a separate consent form prior to that collection. Health information is usually collected from staff on an as-needs basis, such as when processing sick leave applications. (61) The University generates some personal or health information itself – for example, academic transcripts and records, and applications or requests related to students’ academic progress (disruption to studies or academic withdrawal without penalty, for example). The University treats such information as personal or health information and complies with the rules regarding the use and disclosure of that information in accordance with, as the case may be, the PPIPA and the IPPs or the HRIPA and the HPPs. (62) The University may receive information from third parties, including through third party suppliers or service providers. The University handles that information as it does information collected directly from individuals, in accordance with this PMP.
(63) There are some circumstances where the University is exempt from aspects of the collection principle and may collect information from third parties, including: (64) From time to time, the University may receive personal information about a member of the University community that it has not actively collected or sought, from third parties such as law enforcement agencies and other government departments. The University treats this as unsolicited information and does not have to comply with the IPPs or HPPs in relation to its collection. However, the requirements of this Plan apply to the storage, use or disclosure of unsolicited information containing personal information. (65) The University also collects information by automated means including: (66) Information collected using automated means is collected from individuals through their participation in an activity or use of a system. Where possible, the University will take steps to ensure that automatic collections are open and transparent through relevant notices or signage, terms and conditions or other methods of communication. (67) The University limits use of personal information and health information as required under the PPIPA to one or more of the following circumstances: (68) There are specific use and disclosure exceptions permitted under the PPIPA, discussed below. Additional obligations relating to the use of health information are discussed in Section 22 – Annexure B. (69) Surveillance information or records relating to University staff, as defined in the Workplace Surveillance Act 2005 may only be accessed or used in accordance with the University's Workplace Surveillance Policy or where a covert surveillance order has first been obtained under the Workplace Surveillance Act 2005. (70) The University obtains consent from individuals at the first point of contact the individual makes with the University and then from time to time as necessary. 
Examples of consents obtained can be found in the Student Declaration and enrolment forms and at the time of staff engagement through employment. (71) “Bundled consent” is not a legitimate form of consent and must not be used. Bundled consent refers to the practice of an organisation ‘bundling’ together multiple requests for an individual’s consent to a wide range of collections, uses and disclosures of personal information, without giving the individual the opportunity to choose which collections, uses and disclosures they agree to and which they do not. (72) The University must take steps to ensure the accuracy of the personal information it uses and that the information is relevant, accurate, up to date, complete and not misleading. The University relies on the individuals providing the personal information to provide information that is accurate and to notify the University of any changes, for example changes of names, addresses and other contact details. Individuals are usually informed of their obligations at the time the information is collected, as set out in documents such as the Student Declaration. (73) The University limits disclosure of personal information, as set out under the PPIPA, to another person or body in one or more of the following circumstances: (74) There are specific use and disclosure exceptions permitted under the PPIPA, discussed below. Additional obligations relating to the use of health information are discussed in Section 22 – Annexure B. (75) The University maintains an Award Verification Service, which is a database that can be accessed by members of the public and searched via the University's website. The Service allows searches of graduates’ names, awards conferred and conferral dates. (76) This is a public register for the purposes of the PPIPA and its purpose is to protect the value and integrity of qualifications conferred by the University and its antecedent institutions.
(77) The University makes some information available through its website and publications, including publications that are publicly accessible, for example graduation booklets. (78) The University will also confirm to third parties the existence of a qualification (see clause 132) or the authenticity of a University document, including a transcript, testamur or other academic record provided by the University or any of its antecedent institutions. This is a matter of public interest and is considered vital to protect the value and integrity of qualifications conferred by the University and its antecedent institutions. (79) The University increasingly uses public social media platforms as a means of communicating with current and potential students. Images of students, staff and others posted to public social media domains are limited to those images for which a consent form can be matched, as per clauses (42) and (47) of this Plan. (80) The University uses Yammer as an internal organisational social network that can be accessed by University staff. (81) When using social media, users are expected not to use it to collect or disclose any personal information. Any communications made to University students or staff must comply with the PPIPA and this PMP. (82) The University also broadcasts (including by livestreaming) public events and activities through its website, including graduation ceremonies. (83) There are special restrictions regarding the transborder (outside of New South Wales) data flow of personal information under the PPIPA. These align with the requirements for transborder data flow under the HRIPA. (84) In the course of its business, the University may provide or receive personal information to or from organisations outside New South Wales (including outside Australia). This includes information regarding overseas students. The University will only provide this information to those organisations:
(85) Examples of contracts referred to in clause (84)d. include arrangements with third party providers of cloud-based technologies, data storage facilities or digital services (including online and mobile services, such as “live chat”). See clause (36) of this PMP. (86) The University does not transfer personal information or health information to organisations outside New South Wales except as permitted under the PPIPA or the HRIPA, and in the circumstances referred to in clause (84). (87) Division 3 of the PPIPA sets out the exceptions to compliance with the IPPs. The exemptions relevant to University operations are set out below. (88) These should not be read as an exhaustive list of exemptions, and any University officer unsure whether an exemption applies when handling personal information in their role should discuss the matter with their supervisor or contact the Privacy Officer. (89) The University may use personal information and disclose it for the purpose of preventing or lessening a serious and imminent threat to the life or health of a person. (90) This exception has been determined by the NSW Civil and Administrative Tribunal (NCAT) to be permitted in very limited circumstances. The threat must be both serious and imminent: imminent meaning likely to occur at any moment, or impending. There must also be a belief, held on reasonable grounds by the officer of the University relying on this exception, that the threat is serious and imminent. (91) Staff involved in assessing any threat should speak to their supervisor and also contact the University's Privacy Officer and/or the Office of General Counsel for advice. (92) The University is not required to comply with the privacy obligations under the PPIPA if: (93) The University is not required to comply with the obligations under the PPIPA if: (94) A reference to “law enforcement purposes” includes law enforcement purposes of any state or territory, or the Commonwealth, of Australia.
(95) Examples of other legislation which may authorise non-compliance include the GIPAA, the State Records Act 1998 (NSW) and the Data Sharing (Government Sector) Act 2015. The operation of this and any other legislation that permits non-compliance with the PPIPA does not affect the University's handling of the personal information and health information, other than for the purpose of the exempt conduct. (96) The University is also exempt from various provisions of the PPIPA where: (97) The University may also have mandatory reporting obligations to regulatory bodies, such as the NSW Independent Commission Against Corruption (ICAC), and other government agencies. (98) The PPIPA provides a restriction on disclosure for “sensitive” types of information, which are defined as an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual activities. The University will not disclose this type of information unless it is necessary to prevent a serious and imminent threat to the life or health of an individual. (99) It should be remembered that sensitive personal information may be contained in identification documents, such as passports and drivers’ licences. For example, photos might establish racial origin or religion and a document evidencing an individual’s marital status may disclose their sexual orientation. (100) Destruction of personal information by the University will always be undertaken in accordance with University policy and its obligations under the State Records Act 1998 (NSW). If there is a contract in place between the party who has provided the personal information and the University, any destruction obligations contained in that contract must also be complied with, subject always to the requirements of the State Records Act 1998 (NSW). 
(101) The University cannot destroy records that are, or may be, the subject of a request under the GIPAA, subpoena or other formal request for access, or relate to any ongoing action, such as an appeal, regardless of whether the minimum statutory retention period has expired. (102) The University acknowledges that technology is constantly changing and seeks to embrace those changes while at the same time maintaining legislative compliance. The University aims to utilise the most up-to-date technology to meet its key functions and to enhance the student experience. The University is working to adopt new technologies to enhance the student experience and allow staff and community members to best utilise technology in their practices to meet the key functions of the University. (103) The University has in place policies regarding data storage, information technology security, and systems approval and implementation to ensure that the University complies with all relevant laws and industry standards regarding data security. (104) In embracing new technology, the University will ensure that its information technology contractors are able to meet these standards and the requirements in this PMP. The University cannot abrogate its statutory obligations when it contracts with technology providers, and business units are responsible for ensuring that contractual arrangements include terms and conditions that comply with the University's policies related to procurement and implementation of systems handling personal information. (105) Users of University information technology are informed if they are using software or services that operate outside or independently of systems or services operated by or on behalf of the University. When using these systems, students and employees should be aware that the PPIPA may not apply and they should check the relevant privacy policy of any third party software or service provider before providing their personal information. 
This is particularly important when providing personal information that may be stored overseas and/or in systems utilising cloud-based technology. (106) University staff using personal devices for business purposes must also ensure that they comply with the relevant University policy in relation to storage and disclosure of personal or health information. At a minimum, staff using personal devices should always ensure their device is protected or secured in accordance with University policies relating to the acceptable use, and security, of devices, including by using a security password or passcode to prevent unauthorised access. For more information on the acceptable use of personal devices, refer to the Acceptable Use of Digital Services Policy. (107) A Privacy Impact Assessment (PIA) is a risk assessment tool designed to identify the impact that a technology or project may have on the privacy of individuals and to identify and evaluate solutions to mitigate privacy risks. PIAs must be undertaken for any new or revised project or process which has the potential to impact on the collection, storage, access to, use or destruction of personal information, or when making changes to existing ways of handling personal information. Some examples include: (108) PIAs should also be completed for any activities to which foreign privacy legislation, such as the GDPR, may apply (refer to Section 17). (109) The University must, when requested to do so, provide an individual with access to the personal information or health information it holds about them. (110) The process to request access to personal or health information held by the University under the PPIPA or the HRIPA will depend on whether the individual is a student, staff member, member of the general public or a third party organisation. (111) The University must be able to verify the identity of an individual when requests are made to access or amend personal or health information.
The University may refuse access to or amendment of personal or health information if it is unable to confirm the individual's identity through the appropriate verification process. (112) The University will amend personal and health information it holds about an individual at the request of the individual to ensure it is accurate and, taking into account the purpose for which that information was collected, is relevant, up to date, complete and not misleading. (113) The University may refuse to amend information in certain circumstances, for example: (114) If the University refuses a request to amend information, the individual will be advised of the decision and the reasons for it, as well as any right to have that decision reviewed. For more information, refer to Section 13 of this PMP. (115) My Student Records (MySR) is where students can view and manage their student record online. A student may amend certain personal information, such as their address and personal and emergency contacts, through MySR. (116) For information not available through MySR, a student may apply to inspect and/or amend their student records (excluding records held in Equity, Safety and Wellbeing) either: (117) A student seeking access to their student records (those records not available through MySR) must put their request in writing. An appointment will be arranged for the student to view their file in the presence of a staff member familiar with the student. A student may receive a copy of their records but must provide a signed release form or another form of identity verification. (118) University staff will require students to identify themselves on the basis of information held by the University, and may request photo identification or require the student to undertake additional verification steps. (119) Parents and guardians of students do not have an automatic right of access to any personal information held by the University about their child or ward.
The written consent of the student will be required before student information is released. Students should complete the Consent to Release Personal or Health Information To Third Parties (Students) Form and provide it to the University via their student email account or in person at a Student Central. (120) There may be situations where a student is granted access to only part, or a redacted form, of their student record if, for example, release of the complete record would breach another person's privacy. (121) An employee must apply to the Office of People in order to inspect those electronic employee records that are not already available to them. An employee can view their electronic personal information in the presence of an Office of People staff member. (122) An employee may amend certain personal information, such as their address and personal and emergency contacts, through the University's Staff Online portal or via the University's service and knowledge portal, WesternNow. Other personal information, such as a staff member's name, tax file number, date of birth and qualifications, can only be amended by contacting the Office of People directly. (123) An employee may request to amend personal information on their record. In the case of a disagreement between the University and the employee about the amendment, the employee is entitled to place a statement on their record of the amendment sought. (124) Any employee who requires assistance with a request should contact their Senior HR Partner. (125) An application to inspect and/or amend personal information held by the University about a member of the general public may be made to the University's Right to Information Officer. (126) Disclosure of personal information of a student, staff member or any other individual in the University community can only be made in accordance with the PPIPA and the disclosure principles referred to in this document, or as otherwise permitted by law.
(127) The PPIPA provides an emergency exception permitting disclosure of personal information where necessary "to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or to another person." Any University staff member approached for information on this basis should, in consultation with their manager: (128) The University must adhere to directions to produce information contained in legal documents, such as subpoenas, warrants, court orders and other legally binding instruments. All documents of this kind must be directed to the Office of General Counsel for review and advice. (129) The University may also be required to disclose personal information about individuals to external agencies or government bodies, such as the Universities Admissions Centre; Centrelink; the Department of Education; the Department of Employment and Workplace Relations; the Department of Home Affairs; the Australian Taxation Office; and other bodies, in accordance with any statutory or other legal obligations. All requests from Commonwealth or NSW government agencies or statutory bodies should also be reviewed by the Office of General Counsel. (130) The University will usually only supply academic records in response to requests from other universities or educational institutions where the student provides express consent to the transfer of personal information contained in their student file. (131) In the case of all other requests made by third parties (such as insurance companies), the University requires the written consent of the individual whose personal information is requested. The University must be satisfied that such a request has the authorisation of that individual and for this purpose may take additional steps as necessary.
For example, it may direct that the consent form be emailed from the person's University email account, or require verification of the individual's identity or signature against documents held on file by the University, or contact that individual directly. (132) Information about University graduates, including a graduate's name, academic award and year of conferral, is made publicly available on the University's Award Verification Service, which is treated as a public register (refer to the section of this PMP headed "Public Registers"). Any additional information sought about a University graduate must follow the processes required for any third party request. (133) University staff will identify individuals on the basis of primary source information held by the University. (134) Where information is sought by telephone, a formal verification process must be applied to ensure that the identity of the caller is established beyond doubt. (135) In all requests for access to personal or health information, the University may direct the individual to lodge a written request, sent as appropriate from their student or staff email address, or to provide an original consent form signed by the individual. (136) Any person, other than a current employee or student, who has an enquiry as to whether the University holds their personal information or health information, the nature of that information and the purpose for which it was collected should contact the University's Right to Information Officer at rti@westernsydney.edu.au. An application to inspect University records may also be made under the GIPAA through the University's Office of Governance Services. (137) Under the PPIPA, individuals who feel aggrieved by the University's conduct are entitled to an internal review if it is alleged that the University breached: (138) If a matter does not fall into one of these categories, then it will be dealt with as a regular complaint.
If it is unclear whether the matter should be an internal review or not, the Privacy Officer may write to the complainant seeking clarification of the nature of the complaint. (139) A person aggrieved may also complain directly to the NSW Privacy Commissioner. More information on this process can be found on the NSW Information and Privacy Commission - Complaint webpage. (140) An internal review application must be: (141) The University's Privacy Officer can be contacted on (02) 4570 1428 or by email at privacy@westernsydney.edu.au. (142) The University's internal review application form can be found on the University's Privacy website. (143) Applications must be lodged within six months from the time the complainant first became aware of the conduct that is the subject of the application. (144) In most cases, the University's Privacy Officer or the Associate Director, Complaints Management and Resolution will conduct the internal review on behalf of the University. However, if either of those persons is unable to conduct the review for any reason, the University's Privacy Officer may designate another appropriate person to do so. (145) The person conducting the internal review must: (146) In accordance with the requirements of the PPIPA, the University must notify the NSW Privacy Commissioner of the internal review applications it receives, the progress made in dealing with applications, and any findings and actions taken. The NSW Privacy Commissioner may make submissions to the University with respect to applications for internal review, and the University will consider such submissions when finalising the internal review. (147) The internal review must be completed by the University within 60 days from the day on which the application was received. Following the completion of the internal review, the University has 14 days in which to advise the applicant of the outcome.
Once a review has been completed, the University may decide to do one or more of the following: (148) When notifying the complainant of the outcome of the request for internal review, the following information will be provided: (149) If a complainant is not satisfied with the outcome of an internal review, or if the University has not dealt with the matter within 60 days, they may make an application for review to NCAT. (150) Alternatively, a complainant dissatisfied with an outcome may seek to resolve the matter informally through the University's Complaints Resolution Unit. (151) The University cannot provide any legal advice in relation to an internal review. Some procedural assistance with applications may be provided by the University's Privacy Officer. (152) The University will provide information via email upon request, and on the University's Privacy website. (153) A privacy breach occurs when there is unauthorised access to, collection, use, disclosure, loss or disposal of personal information held in the custody or control of the University (or of a third party on behalf of the University) in contravention of the PPIPA or, where relevant, the Federal Privacy Act. (154) Any University employee who becomes aware of an actual or potential privacy breach must immediately inform their unit head and the University's Privacy Officer. If the privacy breach involves any University systems (for example, suspected or actual hacking), that person should also report it to the Chief Information and Digital Officer. (155) The University's Privacy Officer will, in consultation with the relevant unit head and, where applicable, the Chief Information and Digital Officer, decide the next steps, taking into account the extent and seriousness of the alleged breach.
(156) The University's Privacy Officer is responsible for ensuring appropriate steps are taken to limit the extent and effect of any breach, which may include: (157) The University's Privacy Officer will, in conjunction with other University staff as necessary, assess risks associated with the breach, including: (158) Following steps to mitigate risks associated with the breach, the University's Privacy Officer will investigate the cause of the breach, which may involve a security audit of physical, organisational and technological measures. Existing policies and processes will be reviewed to implement any lessons learned from that investigation including audit recommendations. (159) The University may collect information if it is in connection with court or tribunal proceedings in which the University is involved. (160) The University may also collect information if it is for law enforcement purposes or it is to be provided to a law enforcement agency in accordance with the PPIPA. (161) The University receives subpoenas or demands for the production of documents from time to time in legal claims and proceedings. There are a number of different ways in which courts, tribunals or others can legally demand information from the University. If a demand is made in this way, which has the force of law, the University may be compelled to disclose the personal information of others. (162) The University may also disclose personal information of individuals as evidence in connection with any complaint, investigation or proceeding under the PPIPA or any other law (for instance, a claim for unlawful discrimination under a Commonwealth or a State Act) and to which the University and that individual are parties. (163) There is often confusion between the operation of the Privacy Act 1988 (Cth) (Federal Privacy Act) and the PPIPA and the HRIPA. 
The University is defined as a "public sector agency" under the PPIPA and the HRIPA and must comply with the privacy obligations arising under those laws, which are the University's primary privacy obligations. (164) The Federal Privacy Act and the Australian Privacy Principles apply to private and public sector organisations that fall within the definition of an "APP entity". The University falls within the definition of a "State or Territory authority" for the purpose of the Federal Privacy Act and is therefore generally not an APP entity. (165) However, there are some circumstances in which the Federal Privacy Act applies to the University, for example in the handling of tax file numbers and in its contractual relations with the Australian Government and its agencies, including funding bodies such as the Australian Research Council. The University at all times complies with the terms of these obligations. (166) Foreign privacy regulation, such as the GDPR, may apply to a variety of University activities including: (167) Under some foreign privacy regulations, such as the GDPR, where information is collected, used or disclosed on the basis of express consent given by an individual, that consent may be withdrawn by the individual at any time. The individual may also have the right to request the erasure, portability or restriction of processing of their personal data, and to object to the processing of their personal data. (168) To access, correct or rectify personal information or for further enquiries, please contact the University's Privacy Officer on (02) 4570 1428 or email privacy@westernsydney.edu.au. (169) The Australian Government has established a Notifiable Data Breach Scheme ("NDB Scheme") under the Federal Privacy Act to ensure that individuals are notified about serious data breaches of their personal or health information. The NDB Scheme took effect from 22 February 2018.
At the time of approval of this Plan, there is no requirement for mandatory reporting under the PPIPA or the HRIPA. (170) A notifiable data breach is a data breach that is likely to result in serious harm to an individual to whom the personal or health information relates. A data breach occurs when personal or health information held by an organisation becomes lost or if any unauthorised access, modification, disclosure or other misuse or interference occurs. Examples include where data systems are hacked or where personal information is provided to a third party in error. (171) The NDB Scheme applies directly to the University in limited circumstances, including because it holds the tax file numbers of employees and students for the purposes of complying with its statutory obligations. (172) The NDB Scheme also applies to the University in circumstances where it holds unsolicited personal information such as Individual Health Identifiers. (173) In addition, the NDB Scheme applies to contractors and other organisations with which the University does business because they are subject to the Federal Privacy Act. Some of those contractors or organisations may have access to or store personal or health information on behalf of the University. A typical example is a third party engaged to provide cloud hosting services for the University (see clauses 34 and 84). (174) The University will establish processes for responding to data breaches and reporting notifiable data breaches in line with the requirements of the Federal Privacy Act and, as applicable, other Australian laws, such as the PPIPA and the HRIPA and, where applicable, foreign privacy laws such as the GDPR. (175) The University will incorporate standard provisions for all contracts with contractors and other organisations who handle personal or health information on behalf of the University. 
These provisions will include, as a minimum, requirements to: (176) The processes and procedures set out in this PMP are correct as of [19 April 2022], and may be updated from time to time as required, or when relevant laws are amended. (177) This PMP was available for consultation with staff before its implementation and, following approval, all staff will be provided with information about the plan and how to access it on the University's publicly available Policy Document Development System (Policy DDS). (178) Staff responsibilities with respect to privacy are incorporated into the University's staff induction program. In addition, supervisors are responsible for ensuring that staff under their supervision, including contractors and casual staff, are informed of their privacy responsibilities and, where possible, undertake appropriate training. (179) Training about privacy requirements should be incorporated into all training programs relating to the use of the University's systems and processes where privacy issues are relevant. This includes the University's staff induction program. Customised training sessions about privacy requirements can be delivered upon request. (180) The University has developed an online privacy training module which is mandatory for all staff to complete every two years. The online module is also made available to research students and contractors to complete. (181) The University also makes comprehensive information on its privacy policies publicly available on the University's Privacy website. The website provides high level information about how the University complies with privacy legislation and links to further information about privacy at the University, including resources and contact information. (182) This PMP is publicly available on the University's Policy DDS. Copies can be sent to individuals upon a written request to privacy@westernsydney.edu.au.
(183) A copy of this PMP has been provided to the NSW Privacy Commissioner as required under the PPIPA. (184) This PMP is subject to reviews to be undertaken by the Office of University Secretary and the Office of General Counsel together with the University's Privacy Officer. (185) This PMP should be read alongside the University's Privacy Policy and Privacy Impact Assessment Procedures. Other related policies include: (186) Staff and students should refer to the University's Privacy website or the Policy DDS to obtain copies of these documents. (187) The University's Privacy Officer can be contacted as follows: (188) Other useful external contacts include: (189) The Information Protection Principles are the guiding principles which regulate how the University can collect, use, hold and disclose personal information of individuals. They are set out in a number of different parts of the relevant legislation. (190) In general terms, the Information Protection Principles (sections 8-21 of the PPIPA) are as follows. (191) Lawful purpose (192) Collection from individual directly (193) Requirements when collecting information (194) Retention and security (195) Openness (196) Access (197) Amendment of personal information (198) Ongoing accuracy obligation (199) Limits on use (200) Limits on disclosure (201) Sensitive personal information and serious and imminent threat (202) Transborder data flows (outside of NSW) (203) The HRIPA contains Health Privacy Principles which are very similar to the Information Protection Principles contained in the PPIPA. To avoid duplication, set out below are only the areas where the Health Privacy Principles differ from the Information Protection Principles. This should not be read as an exhaustive summary, and staff requiring detailed advice about their obligations under the HRIPA should contact the Office of General Counsel.
(204) Some "personal information" will also be classified as "health information" and governed by the principles in the Health Records and Information Privacy Act 2002 (NSW) (the HRIPA). (205) "Health information" is defined as personal information that is information or any opinion about: (206) The University does not assign healthcare identifiers to individuals. (207) Under the HRIPA, health information must be collected from the individual concerned unless it is "unreasonable or impracticable to do so". (208) The HRIPA contains additional requirements to those in the PPIPA to inform individuals of certain matters when information is collected. Individuals must also be made aware of: (209) If the health information is collected from a third party, steps must be taken to ensure the individual concerned is aware of the above matters, unless informing the individual concerned would pose a serious threat to the life or health of any individual or the collection is made in accordance with guidelines issued by the NSW Privacy Commissioner. (210) Exceptions to these requirements include: (211) There are some additional exceptions to those under the PPIPA which University staff dealing with health information should be aware of. They include, but are not limited to: (212) Using health information to assist students or staff with a disability is an appropriate use of the information. Access and use is not confined to one area of the University, but should only occur on a strictly "need to know" basis. Any such access and use should be made known to the individual concerned and, wherever possible, authorisation should first be obtained. (213) For use and disclosure of information in the circumstances described in (210)(a) [where appropriate] and (210)(b), reasonable steps must be taken to de-identify the information.
(214) HPP 13 provides that, wherever lawful and practicable, individuals should be given the opportunity to remain anonymous when receiving health services from the University. (215) This is an option for staff using the Employee Assistance Program (EAP) for support or counselling. (216) However, due to the nature of the health services provided by the University, it is impracticable for students accessing Equity, Safety and Wellbeing services to remain anonymous. (217) The University engages over 49,000 domestic and international students, including students enrolled within The College and the University's institutes. The University must collect a wide variety of personal information to maximise the student experience. This includes collection of information using a digital service (including online and mobile services). (218) The types of information collected about prospective and current students related to student enrolment, include: (219) The University employs in excess of 3,500 academic and professional staff. There are a wide range of skills, professions, and activities undertaken by employees of the University. (220) The University collects a wide scope of records in relation to employees, including: (221) Through the Western Sydney Alumni network, the University also collects and holds personal information about former students and graduates. The alumni database builds on central University records held for students. 
Additional information that may be held includes but is not limited to: (222) The University collects and holds information in relation to a significant range of people who are neither students of, nor employed by, the University including: (223) Types of information of this kind include, but are not limited to, the following: (224) The University also has in place a Workplace Surveillance Policy that details the University's rights and responsibilities with respect to surveillance of University employees in the workplace.
Privacy Management Plan
Section 1 - What is a Privacy Management Plan?
Scope and Application
Section 2 - Personal Information Defined
What is personal information?
What is not personal information?
What is health information?
Section 3 - Why Does the University Collect Personal Information?
Rationale
Purposes for which Information is Collected
Only Relevant Information is Collected
Section 4 - Holding Information
Overview
Examples of Information Held
Section 5 - Storage and Maintenance of Information
Storage of Personal Information Outside the University
Student Records
Employee Records
Research Records
University Community Engagement and Public Events
Section 6 - How does the University Collect Personal Information?
Requirements
Examples of Information Collected
Information Provided to Individuals
Information Received from Third Parties
Automated Collection
Section 7 - How does the University Use Personal Information it Collects?
Limits on Use
Consent
Accuracy of Information Held by the University
Section 8 - How does the University Disclose Personal Information to Others?
Limits on Disclosing Information
Public Registers
Other Information that can be Accessed by Third Parties
Use of Social Media and Livestreaming
Transborder Data Flow of Personal Information
Section 9 - Exemptions
Overview of PPIPA Exemptions
Serious and Imminent Threat
Investigations
Law Enforcement Purposes or Otherwise Lawfully Authorised
Other Exemptions
Disclosure of “Sensitive” Personal Information
Section 10 - How does the University Destroy Personal Information?
Requirements
Section 11 - How does Privacy Interact with Changes to Technology or Projects that Involve Handling Personal Information?
Changes to Technology and Projects Handling Personal Information
Privacy Impact Assessments (PIAs)
Section 12 - How can an Individual Access and/or Amend their Personal or Health Information held by the University?
Access
Amendment
Requests by University Students
Requests by University Employees
Request by Third Parties
Information about University Graduates
Verification of Identity
Who to Contact
Section 13 - Complaints in Relation to Privacy Matters
Introduction
Internal Review Applications
How is the Internal Review Conducted?
Notification to the Complainant
Assistance with Complaints
Section 14 - How the University Handles Breaches of Privacy
Reporting
Containment and Risk Assessment
Prevention
Section 15 - Law Enforcement and Litigation
Collection
Disclosure
Section 16 - Federal Privacy Laws
Section 17 - Privacy Regulation of Foreign Countries
Applicability
Section 18 - Notifiable Data Breaches
Description of Regime
University Processes
Section 19 - Implementation of this Privacy Management Plan
Processes and Procedures
Consultation, Training and Information
Publication
Review
Section 20 - Related Documents, Further Information and Useful Contacts
Related Policies and Other Documents
Contacts
Information and Privacy Commissioner of New South Wales
Level 15, McKell Building, 2-24 Rawson Place, Haymarket 2000 (correct as at 7 April 2022)
www.ipc.nsw.gov.au
Civil and Administrative Tribunal of New South Wales
John Maddison Tower, Level 10, 86-90 Goulburn Street, Sydney 2000 (correct as at 7 April 2022)
1800 006 228
www.ncat.nsw.gov.au
Section 21 - Annexure A: Information Protection Principles
Summary
General Terms
Section 22 - Annexure B: Health Privacy Principles
Summary
Collection from Individual Directly
Requirements when Collecting Health Information
Limits on Use and Disclosure
Anonymity
Section 23 - Annexure C: Types of Personal Information Collected by the University
Students
Employee and Individual Contractors
Alumni
Others
Workplace Surveillance
Personal information, as defined in the PPIPA: information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
This is not the current version of this document.