University of Wollongong


University of Wollongong Privacy Management Plan, September 2004 (EXTERNAL USE)

TABLE OF CONTENTS

1. Introduction
   1.1 Definitions
   1.2 Our Commitment to Privacy
2. What is Personal Information?
3. What are the Information Protection Principles?
   3.1 Principle 1 Collection of Personal Information for Lawful Purposes
   3.2 Principle 2 Collection of Personal Information Directly from an Individual
   3.3 Principle 3 Requirements when Collecting Personal Information
   3.4 Principle 4 Other Requirements Relating to the Collection of Personal Information
   3.5 Principle 5 Retention and Security of Personal Information
   3.6 Principle 6 Information about Personal Information Held by Agencies
   3.7 Principle 7 Access to Personal Information Held by Agencies
   3.8 Principle 8 Alteration of Personal Information
   3.9 Principle 9 Agency Must Check Accuracy of Personal Information before Use
   3.10 Principle 10 Limits on Use of Personal Information
   3.11 Principle 11 Limits on Disclosure of Personal Information
   3.12 Principle 12 Special Restrictions on Disclosure of Personal Information
4. What are the Health Privacy Principles (HPPs)?
   4.1 HPP 12 Identification
   4.2 HPP 13 Anonymity
   4.3 HPP 15 Linkage of Health Records
5. What is a Public Register?
6. What are Internal Reviews under the PPIPA?
7. Collecting Personal and/or Health Information
8. Privacy Implementation Plan
9. Contacting the University

1. Introduction

The University of Wollongong ("the University") has produced this Privacy Management Plan ("Plan") to comply with Section 33 of the NSW Privacy and Personal Information Protection Act 1998 ("PPIPA"). The Plan is a strategic planning document which identifies:

- the policies and practices that the University has in place to comply with PPIPA and the Health Records and Information Privacy Act 2002 ("HRIPA");
- the dissemination of privacy policies and practices within the University;
- procedures in relation to an internal review under Part 5 of the Act; and
- other matters which are considered relevant to the University in relation to the Act.

This Plan may be revised or amended from time to time, in line with changes to the Act or any directions or rulings from the Office of the Commissioner. As part of the University's compliance with the Act, a copy of this Plan is freely available to any person. Information relating to the PPIPA and HRIPA can be found at the Privacy Commissioner's website: http://www.lawlink.nsw.gov.au. See also the University of Wollongong's Privacy Website.

1.1 Definitions

For the purposes of this Management Plan, "the University" means the University of Wollongong as established by the University of Wollongong Act 1989 (NSW) and includes all its associated and controlled entities.

1.2 Our Commitment to Privacy

The University is committed to ensuring the protection of the privacy of individuals pursuant to the PPIPA, the HRIPA and the Privacy Amendment (Private Sector) Act 2000 (Commonwealth).

2. What is Personal Information?

The PPIPA defines personal information as follows:

"personal information means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion."

Personal information includes such things as an individual's fingerprints, retina prints, body samples or genetic characteristics.

However, there are several exclusions to what personal information includes, for example:

- information regarding an individual who has been deceased for more than 30 years;
- information about an individual that is readily available in a publicly available publication;
- information or an opinion about an individual's suitability for appointment or employment as a public sector official; and
- information about an individual that is of a class, or is contained in a document of a class, prescribed by the regulations for the purposes of this subsection.

The HRIPA defines health information as follows:

"In this Act, health information means:
(a) personal information that is information or an opinion about:
    (i) the physical or mental health or a disability (at any time) of an individual, or
    (ii) an individual's express wishes about the future provision of health services to him or her, or
    (iii) a health service provided, or to be provided, to an individual, or
(b) other personal information collected to provide, or in providing, a health service, or
(c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual's body parts, organs or body substances, or
(d) other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual,
but does not include health information, or a class of health information or health information contained in a class of document, that is prescribed as exempt health information for the purposes of this Act generally or for the purposes of specified provisions of the Act."

3. What are the Information Protection Principles?

There are twelve Information Protection Principles (IPPs), described in Sections 8 to 19 of the PPIPA.

3.1 Principle 1 Collection of Personal Information for Lawful Purposes

The University must not collect personal information unless:

- the information is collected for a lawful purpose that is directly related to a function or activity of the University; and
- the collection of the information is reasonably necessary for that purpose.

The University must not collect any personal information by unlawful means.

3.2 Principle 2 Collection of Personal Information Directly from an Individual

The University must, when collecting personal information, collect it from the individual to whom the information relates, unless:

- the individual has given consent for the collection of personal information from someone else, or

- the information is provided by a parent or guardian of a person who is under the age of 16.

3.3 Principle 3 Requirements when Collecting Personal Information

The University must ensure, when collecting personal information from an individual, that during or at a practicable time soon after the collection the individual is made aware of:

- the fact that the information is being collected;
- the purposes for which the information is being collected;
- all recipients of the information;
- whether the giving of the information is voluntary or a legal requirement, and any consequences that may arise from refusal to provide the requested information;
- what rights of access and/or correction (if any) to the information are allowed; and
- the contact details of the University that is collecting the information and of any other agent that is to hold the information.

3.4 Principle 4 Other Requirements Relating to the Collection of Personal Information

The University must take reasonable steps to ensure that:

- the information it is collecting is relevant to the purpose of collection, not excessive, accurate, up-to-date and complete; and
- the collection does not intrude to an unreasonable extent on the personal affairs of the individual to whom the information relates.

3.5 Principle 5 Retention and Security of Personal Information

The University must ensure that:

- the information collected is not kept for longer than is required for the purpose for which it was collected;
- the information is disposed of securely and in accordance with any requirements for the retention and disposal of personal information;
- all personal information held is protected by safeguards that provide reasonable security against loss, unauthorised access, use, modification or disclosure, and against all other misuse; and
- if it is necessary for the information to be given to a third party, the University takes all reasonable measures to prevent unauthorised use or disclosure of the information.

3.6 Principle 6 Information about Personal Information Held by Agencies

The University must take such steps as are reasonable to enable an individual to ascertain:

- whether the University holds personal information;
- whether the information held relates to the individual; and
- if the University holds such information on that individual:
  - the nature of that information;
  - the main purpose for which the information is used; and
  - the individual's entitlement to gain access to the information.

3.7 Principle 7 Access to Personal Information Held by Agencies

The University must, at the request of the individual to whom personal information relates and without excessive delay or expense, provide the individual with access to the information.

3.8 Principle 8 Alteration of Personal Information

The University must, at the request of an individual to whom held personal information relates, make appropriate amendments (whether by way of corrections, deletions or additions) to ensure that the personal information:

- is accurate; and
- having regard to the purpose for which the information was collected (or is to be used) and to any purpose that is directly related to that purpose, is relevant, up-to-date, complete and not misleading.

If the University believes that information provided by an individual does not warrant a change to the information held, then the University will take all reasonable steps necessary (if requested by the individual) to attach any statement, provided by the individual, of the amendment sought, so that it is capable of being read with the held information.

If the personal information is amended in accordance with this principle, the individual to whom the information relates is entitled, if it is reasonably practicable, to have recipients of that information notified of the amendments made by the University.

3.9 Principle 9 Agency Must Check Accuracy of Personal Information before Use

The University, in holding personal information, must not use the information without taking such steps as are reasonable in the circumstances to ensure that, having regard to the purpose for which the information is proposed to be used, the information is relevant, accurate, up-to-date, complete and not misleading.

3.10 Principle 10 Limits on Use of Personal Information

The University, in holding personal information, must not use the information for a purpose other than that for which it was collected unless:

- the individual to whom the information relates has consented to the use of the information for that other purpose, or
- the other purpose for which the information is used is directly related to the purpose for which the information was collected, or
- the use of the information for that other purpose is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual to whom the information relates or of another person.

3.11 Principle 11 Limits on Disclosure of Personal Information

The University, in holding personal information, must not disclose the information to a person (other than the individual to whom the information relates) or other body, whether or not such other person or body is a University or public sector agency, unless:

- the disclosure is directly related to the purpose for which the information was collected, and the agency disclosing the information has no reason to believe that the individual concerned would object to the disclosure, or
- the individual concerned is reasonably likely to have been aware, or has been made aware in accordance with section 10, that information of that kind is usually disclosed to that other person or body, or
- the University believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person.

3.12 Principle 12 Special Restrictions on Disclosure of Personal Information

The University must not disclose personal information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual activities unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of the individual concerned or another person.

The University, in holding personal information, must not disclose the information to any person or body which is in a jurisdiction outside New South Wales unless:

- a relevant privacy law that applies to the personal information concerned is in force in that jurisdiction, or
- the disclosure is permitted under a privacy code of practice.

4. What are the Health Privacy Principles (HPPs)?

There are 15 HPPs set out in Schedule 1 of the HRIPA. Other than HPP 12, 13 and 15, the HPPs are identical to the IPPs in relation to the collection, use, storage and disclosure of health information.

4.1 HPP 12 Identification

The University may only assign identification numbers if such identifiers are reasonably necessary to carry out its functions efficiently.

4.2 HPP 13 Anonymity

Wherever it is lawful and practicable, individuals must be given the opportunity not to identify themselves when entering into transactions with, or receiving health services from, the University.

4.3 HPP 15 Linkage of Health Records

The University must obtain the express consent of an individual before the health information of the individual is included in linked records extending beyond the University.

5. What is a Public Register?

Both the PPIPA and the HRIPA define a public register as:

"A register of personal or health information that is required by law to be, or is made, publicly available or open to public inspection (whether or not on payment of a fee)."

The University does not have any public registers.

6. What are Internal Reviews under the PPIPA?

An internal review will be held when a person is aggrieved by the conduct of the University over a privacy matter and brings it to the University's attention. The review will be conducted internally by the University. An application for such a review must:

- be in writing;
- be addressed to The Privacy Officer at the University of Wollongong;
- specify an address in Australia to which a notice may be sent; and
- be lodged at an office of the University within 6 months (or such later date as the agency may allow) from the time the applicant first became aware of the conduct which is the subject of the application.

The review will be conducted by the Privacy Officer, provided the Privacy Officer is not substantially involved in the matter relating to the application. Other suitably qualified members of University staff may be called upon to conduct the review if the Privacy Officer is involved in the matter. At all times, the review will be held by an employee or officer of the University.

In reviewing the conduct which is the subject of the application, the individual dealing with the application must consider any relevant material submitted by:

- the applicant; and
- the Privacy Commissioner.

The University will endeavour to complete the review as soon as is reasonably practicable. The University will complete the review within 60 days from the day on which the application was received. If the review is not completed within this time, the applicant may apply for a review of the conduct concerned to the Administrative Decisions Tribunal under Section 55.

On receiving an application for an internal review, the University must:

- inform the Privacy Commissioner as soon as is practicably possible of the application;
- keep the Privacy Commissioner informed of the progress of the internal review; and

- inform the Privacy Commissioner of the findings of the review and of the action proposed to be taken by the agency in relation to the matter.

Once the internal review has been completed, the University may do one or more of the following:

- take no further action on the matter;
- make a formal apology to the applicant;
- take such remedial action as it thinks appropriate;
- provide undertakings that the conduct will not occur again; and
- implement administrative measures to ensure that the conduct will not occur again.

Within 14 days of the completion of the review, the University will notify the applicant in writing of:

- the findings of the review (and the reasons for those findings);
- the action proposed to be taken by the agency (and the reasons for taking it); and
- the right of the person to have those findings, and the agency's proposed action, reviewed by the Tribunal.

7. Collecting Personal and/or Health Information

In the course of carrying out its functions, the University collects and records various personal information of individuals via application forms, on paper or electronically. Such collected information includes:

- Full name
- Date of birth
- Email address
- Academic background
- Languages spoken
- Visa status
- Health conditions (allergies / dietary requirements / physical restrictions / mental health / disability)
- Nationality (including Australian Aboriginal or Torres Strait Islander descent)
- Full address (including overseas address)
- Gender
- Telephone number (including mobiles)
- Marital status
- Tax File Number (TFN)
- Passport details
- Emergency contact name and address

The University is obliged to collect and forward a student's tax file number (TFN) to the Australian Taxation Office.

8. Privacy Implementation Plan

Phase 1 Access

Steps:
- Carry out workshop interviews with key stakeholders
- Identify and document information systems and processes that will have to be assessed

- Determine what information the University is collecting
- Determine how this information is being collected
- Determine where and how this information is being stored (e.g. on which databases, paper documents)
- Identify the purposes for which information is used and to whom this information is disclosed (internal and external to the University)
- Identify the extent to which customers are informed of the use of this information
- Determine if the information is accurate, current and relevant
- Collate all University forms and documents

Phase 2 Design

Steps:
- Develop Privacy Policy for the University
- Develop Privacy Management Plan (this plan)
- Develop consent and disclosure statements and opt-outs for application forms
- Produce internal policy for access and complaints requests
- Develop training and awareness strategy for all staff

Phase 3 Implement

Steps:
- Implement all disclosures / opt-outs on University forms
- Provide training and awareness to all University staff
- Publish Privacy Policy Summary on the website at www.uow.com.au/about/privacy
- Publish links to the full Privacy Policy and Management Plan (this plan) on the website at www.uow.com.au/about/privacy/ for public access

Phase 4 Monitor

Steps:
- Develop review and audit procedures, run on a regular basis (Status: Ongoing)

9. Contacting the University

In all instances, please contact the University in writing, at the following address:

The Privacy Officer
Administration Building (36)
University of Wollongong
Wollongong NSW 2522