View Current

Disclosure and Use of Student Personal Information Guidelines

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Purpose and Context

(1) These guidelines are to assist staff (and students) with regard to understanding the circumstances and conditions by which information about students held by the University may be disclosed to the students themselves and to others.

(2) In reading these guidelines reference should also be made to the University's Privacy Policy and its Privacy Management Plan. A brochure, Privacy and You, is also available for students from on of the campus Student Centrals or the University's web site, refer to Associated Documents.

Top of Page

Section 2 - Definitions

(3) Nil.

Top of Page

Section 3 - Policy Reference

(4) Refer to the University's Privacy Policy.

Top of Page

Section 4 - Procedures

(5) Refer to the University's Privacy Management Plan.

Top of Page

Section 5 - Guidelines

Why is student information collected?

(6) The University collects personal information relating to students to enable the provision of educational and associated welfare services to the student and for associated administration by the University including in relation to matters of misconduct. The purposes for which personal information of the student may be disclosed are set out in these guidelines.

Accessing Student Records

(7) Students have a right to inspect the records held by the University and to seek to amend any personal information they consider to be incorrect. The University has an obligation to ensure that the personal information it holds is accurate, relevant, up to date, complete and not misleading. If the student and the University disagree as to the accuracy of information the student has a right to attach a statement to the personal information. In terms of the formal student record an application to inspect and/or amend their record should be made in writing to the Academic Registrar via Student Central.

(8) When students seek information about themselves or wish to amend personal information it is important to ensure that they are able to verify that they are who they say they are. Requests should be made in writing, by email using a University student email account or in person to any Student Central. Where necessary University staff should aim to identify individuals on the basis of primary source information held by the University. Where information is provided by telephone a formal verification process must be applied to ensure that the identity of the student caller is established beyond doubt. For access to routine information about themselves (for example, results), students must use the online services provided.

Use of Student Personal Information by University Officers or Committees

(9) The basic principle to follow here is that information should be provided only where its intended use is for the purposes related to the student's enrolment and progress at the University and associated administration of the University relating to the student. Even then, only the information necessary for the task at hand should be provided. The critical test is that the staff member, committee or agency has a legitimate, University related, reason for having access to the information.

(10) Requests by staff or committees for personal student information where that information is not normally provided as part of the staff member or committee's function should be made in writing, detailing the reasons for the request.

(11) All staff and committees that have access to personal information relating to students must ensure that the records are kept secure and confidential and protected from unauthorised access or misuse.

(12) Only authorised staff of the Academic Registrar's Office (ARO) and to a limited extent academic units are able to add entries or make amendments to student records via a system that restricts access and controls input. The ARO has an established process for the granting of various levels of access rights to the student management system to view student information.

(13) The University creates and maintains a virtual (electronic) student file for each individual student within the University's recordkeeping system (TRIM). Only authorised administrative and academic staff members are able to access and/or add to the student file. The Records and Archives Management Services Unit has an established process for the granting of various levels of access rights to the virtual students files held within the TRIM recordkeeping system to view student information and add to the student file.

(14) Students are advised that the University's key systems that hold information about students, Callista and TRIM, provide general access to student information by all registered academic staff and to administrative staff according to their role at the University. The reasons for this relate to the configuration of these systems and the need for academic staff to have access to information about students to carry out their roles. Staff accessing University systems are given explicit warnings that all information is confidential and can only be accessed, used, disclosed, amended or deleted by staff authorised to do so and only for the official business of the University and not for any personal or other use. Where a student has concerns about their privacy this can be raised with the Academic Registrar via any campus Student Central or by approaching the University's privacy officer ( Privacy at the University web site).

Disclosure of Student Personal Information to Family and Friends or to Representatives

(15) It is often the case that parents or other relatives or friends seek access to personal information about students. While in the majority of cases this is well-meaning, occasionally it may not be. Such persons have no right of access to the information unless they have the consent of the student involved. Note that the student's consent should be provided in writing on the Consent to the Disclosure of Personal Information Form, to the University not to the relative or friend.

(16) On occasions student association representatives or staff members of the University (e.g. counselling/welfare staff) or others approach the University for personal information or seek to canvass confidential matters related to a student. Once again these parties do not have a right of access to the information. In such cases there must be clear and specific consent by the student to the University for the agent or representative to be involved in this way. Normally this consent would be in writing, through the completion of the Consent to the Disclosure of Personal Information Form. If it is impractical to obtain written consent a file note should be made of the verbal consent. As far as possible general statements of consent should be avoided. The more information in terms of detailing what information can be released along with specified time periods (i.e. not opened ended consents) the better.

Disclosure of Student Personal Information in Emergency Circumstances

(17) The Privacy and Personal Information Protection Act, 1998, (PPIPA), provides limited access to personal information, for other than the purpose for which it is collected, where the disclosure of that information is necessary "to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person".

(18) Note that this provision is not limited to members of the police but they are the most likely persons to be seeking information on this basis.

(19) If staff are approached for information on this basis they should:

(20) a. if practicable seek to have the request in writing;

b. record the details of the requesting person (e.g. police number, name, rank);
c. establish the nature of the "imminent threat" to life or health;
d. provide only such information that is necessary to mitigate the "imminent threat"; and
e. make a formal record of the request and the action taken and forward it to their unit head and to the University privacy officer.

(21) Where a staff member is uncertain about an emergency request, consideration could be given to a responsible officer from the University contacting the student and notifying them about the request.

Disclosure of Student Personal Information to the Police and other Investigative Bodies

(22) All requests by police or other investigative bodies must be in writing with specific reference to the legal basis on which they rely in order to obtain the information sought.

(23) While PPIPA provides that agencies such as the University are able to provide personal information for law enforcement purposes, the University will normally only provide personal information in the context of law enforcement related to criminal investigations. Such requests should be in writing and directed to the Academic Registrar, in the case of information about students, the Executive Director, Human Resources in the case of information about staff or to the Office of General Counsel or in their absence their designated nominees.

(24) The University must adhere to directions contained in subpoenas, warrants and any other legally binding instruments regardless of whether they are criminal matters. Once again these documents should be directed to the Office of General Counsel.

Disclosure of Student Personal Information to Government or External Agencies

(25) Any externally generated request for information relating to a student needs to be assessed.

(26) Where government or external agencies seek information, they should be asked to put the request in writing, or to produce a subpoena, that demonstrates the legal basis of their request. All subpoenas or other demands for access 'on the basis of law' should be directed to the Office of General Counsel. Front line staff should not feel coerced or intimidated by such requests and where there is any doubt, ensure that the request is put in writing and dealt with by the appropriate senior officer in the unit. Normally the University will not disclose information unless there is a legal obligation to do so.

(27) The University does have specific obligations to provide information to external agencies or government bodies such as the Universities Admission Centre (UAC), Centrelink, Department of Education and Training, the Department of Immigration and Border Protection (DIPB), the Australian Taxation Office (ATO) and other government agencies. The University also has an obligation to provide relevant details of students enrolled in Medical Schools to the NSW Medical Board for the purposes of registration. In some instances the University also collects and provides student information to affiliated entities of the University or to third parties for the purposes of recovering unpaid University fees or other debts owed to the University.

(28) Where a student requests that information be provided to a third party such as a prospective employer (e.g. that the student is eligible to graduate) it is preferable to provide the statement to the student for them to convey but if it is to be provided to the third party there must be explicit consent on the part of the student.

Disclosure of Student Personal Information to other Education Institutions

(29) Where another university or educational institution seeks information about a student of the University, the University would normally supply only the details of the student's academic record. Such requests usually relate to the student transferring or enrolling at another university on the basis of studies at the University.

Disclosure of Personal Information About Graduates of the University

(30) In the case of graduates, the University maintains records of all its graduates and makes information comprising name, academic award, and year of conferral, publicly available to those with a legitimate interest in confirming that information, such as employers or other academic institutions.