
Privacy Policy

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Purpose and Context

(1) Western Sydney University is subject to and must comply with the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) and the Health Records and Information Privacy Act 2002 (NSW) (HRIPA) when it collects, holds (that is, stores), uses, discloses and/or destroys an individual's personal information and health information.

(2) The University must also comply with other legislation when it deals with personal information, such as the Privacy Act 1988 (Cth), Telecommunications (Interception and Access) Act 1979 (Cth), Government Information (Public Access) Act 2009 (NSW), Criminal Records Act 1991 (NSW), Workplace Surveillance Act 2005 (NSW), State Records Act 1998 (NSW) and the Data Sharing (Government Sector) Act 2015 (NSW).

(3) This Policy sets out the University's commitment to protecting personal and health information, and provides the University's Privacy Management Plan, which is made in accordance with section 33 of the PPIPA; its Privacy Data Breach Response Plan, which is made in accordance with Part 6A of the PPIPA; and its Privacy Impact Assessment Procedures, which support legislative compliance via ‘privacy by design’.

(4) The Policy applies to all University employees, students, contractors, affiliates, volunteers, associates, members of the public and University controlled entities.

(5) This Policy should be read in conjunction with the Privacy Management Plan, Privacy Impact Assessment Procedures and the Privacy Data Breach Response Plan.


Section 2 - Definitions

(6) The following definitions apply for the purposes of this policy:

  1. health information has the same meaning as in the Health Records and Information Privacy Act 2002 (NSW), that is:
    1. personal information that is information or an opinion about:
      1. the physical or mental health or a disability (at any time) of an individual, or
      2. an individual's express wishes about the future provision of health services to him or her, or
      3. a health service provided, or to be provided, to an individual, or
    2. other personal information collected to provide, or in providing, a health service, or
    3. other personal information about an individual collected in connection with the donation, or intended donation, of an individual's body parts, organs or body substances, or
    4. other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual, or
    5. healthcare identifiers. (section 6 HRIPA)
      Where the University is providing a health service (e.g. UniClinic) the definition of health information also extends to any personal information that is collected at that time.
  2. Health Privacy Principles means the principles set out in Schedule 1 of the Health Records and Information Privacy Act 2002 (NSW).
  3. Information Protection Principles means the principles set out in Part 2 Division 1 of the Privacy and Personal Information Protection Act 1998 (NSW).
  4. notifiable data breach has the meaning detailed in that Section of this Policy.
  5. personal information has the same meaning as in the Privacy and Personal Information Protection Act 1998 (NSW), that is:
    "... information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
    Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics." (section 4 PPIPA).
  6. PMP means the Privacy Management Plan implemented pursuant to this Policy and s.33 of the PPIPA.

Section 3 - Policy Statement

(7) The University is committed to respecting the privacy of individuals, creating a privacy culture and promoting fair and compliant information handling practices in its educational, research, engagement, and administrative procedures and activities.

(8) The University will meet its statutory requirements under the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002.

(9) All staff must comply with and implement the Information Protection Principles, Health Information Principles, this Policy and the University's Privacy Management Plan, Privacy Data Breach Response Plan, Privacy Impact Assessment Procedures, and ensure staff under their supervision, or students under their direction, are made aware of their obligations under these principles and documents.


Section 4 - Procedures

Privacy Management Plan (PMP)

(10) The University's PMP sets out how the University complies with the Information Protection Principles and Health Privacy Principles.

(11) The PMP also contains information on how to make a complaint about an alleged breach of privacy, and how to seek internal review of that decision.

(12) The University's Privacy Officer, together with the Office of General Counsel, will keep the Plan current.

(13) The Privacy Officer, or the relevant University unit responsible for the release of personal or health information as set out in the PMP, will respond promptly to applications for access to personal information.

Privacy Impact Assessments (PIAs)

(14) Staff must undertake a Privacy Impact Assessment (PIA) for any new or revised activities or projects that deal with collection, use or disclosure of personal or health information in order to assess whether these have the potential to impact on individual privacy and, if so, how these will be managed in accordance with the PMP.

(15) The University provides privacy education and training to staff to promote awareness of and compliance with this Policy, the PMP, the Privacy Data Breach Response Plan and the Privacy Impact Assessment Procedures.

(16) Contracted third parties must comply with any privacy obligations specified in their contracts with the University and with any directions the University provides in relation to information they have access to or manage on the University's behalf.

Notifiable Data Breaches

(17) Suspected or actual breaches must be managed in accordance with the Privacy Data Breach Response Plan.

(18) Any University employee, student, contractor, affiliate, volunteer or associate is to report any breach of the PMP to the Privacy Officer, including any instances of accidental collection, misuse, disclosure or destruction of personal or health information.

(19) A notifiable data breach is an ‘eligible data breach’ as described in clause 59D of PPIPA:

  1. there is an unauthorised access to, or unauthorised disclosure of, personal information held by the University and a reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates, or
  2. personal information held by the University is lost in circumstances where:
    1. unauthorised access to, or unauthorised disclosure of, the information is likely to occur, and
    2. if the unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to an individual to whom the information relates.

(20) Serious harm is where the data breach has resulted, or may result, in a real and substantial detrimental effect to the individual.


Section 5 - Guidelines

(21) The Information Protection Principles are set out and explained in the Information and Privacy Commission's Fact Sheet: Information Protection Principles (IPPs) - PPIP Act.

(22) The Health Privacy Principles are set out and explained in the Information and Privacy Commission's Fact Sheet: Health Privacy Principles (HPPs) - HRIP Act.

(23) Information about privacy issues at the University can be obtained via the University's Privacy website.

(24) Related documents are listed on the Associated Information page.

(25) Visit the Information and Privacy Commission website for more information.