Guide to Privacy Obligations and Requirements
- What information can ACU collect
- What does ACU have to tell the individual
- When should notification occur?
- Does the individual have to be notified of everything, every time?
- How can the individual be notified of collection of information?
- How must the collecting be done?
- What if ACU is provided with information from other sources which it has not requested (unsolicited information)?
- What can ACU do with personal information?
- What is using personal information?
- What is disclosing personal information?
- What is consent?
- Opt out provisions
- Warrant, subpoena, notice to produce
- Requests from Police and other law enforcement agencies
- Suspected criminal offences and unlawful behaviour
- Collecting health information for research
- Using and disclosing health information for research
- HREC and obligations of researchers
- Collecting, using and disclosing personal health information in the course of providing a health service
- Disclosure without consent
- Genetic information
- Sensitive information about - race, ethnicity, religion, political opinions, sexual orientation or practices, criminal record and health
- Other times when collection, use and disclosure of personal information is permitted
- What is direct marketing?
- When can personal information be used for direct marketing?
- What is disclosing personal information overseas?
- Can ACU disclose personal information overseas for operational purposes?
- Can ACU disclose personal information overseas in emergencies, cases of wrong doing or for law enforcement purposes?
- How responsible is ACU for what an overseas recipient does with personal information received from ACU?
- What if foreign law requires disclosure by an overseas recipient of personal information provided ACU?
- Access to information
- Can ACU refuse to give an individual access to their personal information?
- Can ACU charge for responding to a request for personal information?
- Other means of accessing information
- Right to correction of information
This Guide is based on the Australian Privacy Principles Guidelines (APPs) issued by the Office of the Australian Information Commissioner.
What is Privacy?
The Privacy Act protects personal information.
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable. Personal information:
- includes academic records, assessments and contact information.
- includes photographs.
- includes opinions.
- does not include information about deceased persons.
What Activities Does the Privacy Act Cover?
The Privacy Act covers the following:
- collecting personal information
- giving out personal information
- using personal information
- keeping personal information
Records of acts done or practices engaged in by ACU which are directly related to a current or former employment relationship between ACU and the individual are exempted from the Privacy Act. Such records however will generally be considered to be confidential and must be treated accordingly.
Employment records are exempt only insofar as they relate directly to the employment relationship. Payroll or contact details for example are exempt only in relation to their use in the employment relationship. They cannot be used or disclosed for other purposes unless under the terms of the Privacy Act.
The personal information of individuals who are not or do not become employees is not covered by this exemption. This includes personal information of unsuccessful job applicants (including possibly references) or information about persons in ACU employment records who are not employees (e.g. information about an individual’s family).
What information can ACU collect?
ACU can collect personal information only if it is reasonably necessary for, or directly related to, its functions and activities. This includes support functions such as administration, security, public relations and recruitment activities. It does not include information that is more than is required, information that may be useful as opposed to necessary, or information collected for other entities where the purpose is not necessary for, or directly related to, an ACU function or activity. Photographs of students in a class, for example, may not be considered reasonably necessary or directly related to teaching if they are taken only for the convenience of the lecturer, as opposed to confirming identity to prevent cheating or for security purposes.
What does ACU have to tell the individual?
When ACU collects information about an individual it must take reasonable steps to tell the individual (where applicable):
- ACU’s name and contact details:
  - Generally this will be the contact details of the ACU Privacy Coordinator (on behalf of the Privacy Officer) and the email address firstname.lastname@example.org.
- The fact and circumstances of collection:
  - This applies where ACU collects information from another entity such as another University or a Government authority, or where the individual may not be aware of the collection of the information (e.g. cookies on the website).
  - If it is impractical to refer to a specific entity, it is sufficient to indicate the kinds of entities from whom the information is collected (e.g. other educational institutions or work placements).
  - Where information is collected by, for example, cookies or electronic tags, the method of collection should be explained.
- Whether the collection is required or authorised by law:
  - It is not necessary to identify any law, and usually no law requires or authorises the collection of the information. If there is a legal requirement or authorisation, however, the applicable law(s) or type of laws should be identified. This can be done generically where applicable (e.g. as required by taxation laws or immigration laws).
- The purpose of collection:
  - This can include a number of purposes.
  - It is not necessary to specify purposes which are part of normal internal business practice, e.g. billing or managing a student record.
  - Stating the general purposes of collection will be sufficient. It is not necessary to outline all specific purposes.
- The consequences if the information is not collected:
  - This applies if there are significant consequences of not providing information (e.g. the enrolment will not be processed; a placement cannot be allocated; a concession cannot be granted; or not providing the information will result in slower delivery of a service). It is not necessary to state consequences which are obvious.
- The usual disclosures of personal information of the type collected:
  - If it is not practicable to list specific entities to whom disclosure may be made, it is sufficient to refer to the type of entities (e.g. other Universities; Government agencies administering Higher Education funding or Immigration laws).
- Information about:
  - the right to access and correction of personal information; and
  - the right to complain and how complaints are dealt with.
- Other entities or types of entities to which that kind of personal information is usually disclosed (e.g. immigration authorities; placement providers; other educational institutions).
- Whether ACU is likely to disclose personal information to overseas recipients and, if practicable, where those recipients are located. This does not include routing information overseas or use by ACU of the information overseas (e.g. for operation of the Rome Centre).
When should notification occur?
This information should be provided before, or at the time of collection or, if this is not practicable, as soon as practicable after collection of the information. It may be considered impracticable to provide information before collection if, for example, there is an urgent situation or collection of the information is by telephone.
Does the individual have to be notified of everything, every time?
It may not be reasonable to notify the individual of some or all of the required information, in which case ACU may not have to give that information. ACU must be able to justify this clearly.
Reasons for not notifying of some or all of the required information may include:
- the information is collected from the individual on a recurring basis for the same purpose
- it is impracticable (e.g. details of an emergency contact received from a student or staff member)
- there is a legal obligation of confidentiality
- the circumstances are such that some or all of the matters required to be notified are obvious and clear from the context of obtaining the information
How can the individual be notified of collection of information?
Options for providing notice of the information required to be given on collection of personal information include:
- in paper form which is provided at the time of, or prior to, collection
- a readily accessible and prominent link to a pro-forma notice online
- by a telephone script if the information is collected in this way or, if this is not practicable, in any subsequent electronic or paper communication, or directing the individual to a notice on the ACU website
- if the information is collected by a third party, the contract with that third party should include a requirement to provide the required notifications
How must collecting be done?
Collection of personal information must be done:
- lawfully and fairly. Lawful collection excludes information obtained by, for example, unlawful surveillance, hacking or theft. Fairly means that there should not be intimidation, deception or taking unfair advantage. Individuals should not be misled as to the circumstances, purpose and nature of the collection of the information (e.g. representing that there is a requirement to provide the information when there is not). Cultural differences or the particular circumstances of a person may need to be taken into account in considering whether this requirement is complied with.
- from the individual unless it is unreasonable or impracticable. This requirement covers not only collecting information about an individual from other persons, but also collecting information by e.g. aggregating data from various sources or even doing a Google search.
  - Relevant considerations in determining whether it is unreasonable or impracticable may be:
    - whether the individual would reasonably expect the information to come directly from him/her or from someone else
    - whether the information is sensitive (as defined by the Privacy Act) or not. If it is sensitive, then there is a greater burden on ACU to establish that it is unreasonable or impracticable. Sensitive information includes health information and financial information
    - whether direct collection jeopardises the purpose of collection or the integrity of the information
    - the privacy risk in collecting from another source
    - the time and cost in collecting information directly from the individual – the time/cost burden must be excessive in all the circumstances
What if ACU is provided with information from other sources which it has not requested (unsolicited information)?
Unsolicited information includes additional information supplied beyond what was requested (e.g. examples of work not requested for a job application).
ACU must, within a reasonable period after receipt of the information, decide whether it can collect the information. If it could not collect the information and it is lawful and reasonable to do so, ACU must destroy or de-identify it as soon as practicable. The information may also be returned to the person who provided it.
It will generally be lawful to destroy the information unless there is e.g. a court order in place or there is an audit requirement.
If ACU keeps the information it must be treated in the same way as other personal information.
Using and Disclosing Personal Information
What can ACU do with personal information?
ACU may use or disclose information only for the purpose for which it was collected e.g. enrolment information may only be used for the purposes of enrolment and administration of a student’s studies unless:
- there is consent; or
- the individual would reasonably expect the use or disclosure and the purpose of the use or disclosure is related to the reason why it was collected; or
- it is authorised by law or a court or tribunal; or
- there is a permitted health situation or permitted general situation; or
- ACU reasonably believes that the use or disclosure is reasonably necessary for an enforcement related activity conducted by or for an enforcement body (e.g. police).
What is using personal information?
Using personal information includes reading it; searching for it in records; making a decision on the basis of it; access to it by an employee or one part of ACU passing it to another.
What is disclosing personal information?
Disclosing means making it accessible outside ACU and releasing control of it. It includes accidental disclosure and unauthorised release by a member of ACU staff if they are acting in the course of their employment. It does not include an external “hack” of ACU systems or theft unless ACU has failed to take reasonable steps to protect the information.
What is consent?
In relation to consent:
- it may be express or implied. For example, consent to use personal information for administration of a student’s studies, including assessment and arranging placements required for those studies may be implied by enrolment
- express consent will be necessary to use this information for e.g. using enrolment information for research or marketing purposes
- the individual must have adequate information before giving consent
- the consent must be voluntary
- the consent must be current and specific. Simply giving notice of a proposed collection, use or disclosure of the personal information will not normally be sufficient
The individual must have the capacity to understand and communicate the consent.
Opt out provisions
An opt out provision can be used for the purposes of consent but it must be used appropriately and constructed carefully in order to be effective. Usually, express consent and an opt in mechanism is preferred.
Use of an opt out consent is more likely to be effective if:
- the opt out option is clear and prominent
- the individual is likely to receive and read relevant information
- there is information on the implications of not opting out
- the option is freely available and not bundled with other purposes
- it is easy for the individual to opt out – there is little or no financial cost or effort
- the consequences of failure to opt out are not serious
- opting out at a later time will not give rise to significant disadvantage
The Police and the Law
Warrant, subpoena, notice to produce
If ACU is served with a valid warrant, a subpoena or a notice to produce information under an Act, then personal information required to be produced must be produced.
The warrant, subpoena or notice and the information to be produced must however be referred to the Office of General Counsel to ensure that it is valid and that the information produced falls within the strict terms of what is required to be produced otherwise ACU may breach the Privacy Act.
In some circumstances an order to provide counselling or health records may be contestable.
Requests from police and other law enforcement agencies
ACU may respond to a proper request for information that it reasonably believes is reasonably necessary for the purposes of the law enforcement agency. ACU requires a request in writing from the agency with sufficient information to enable it to decide whether it can release information and what information is reasonably necessary.
ACU does not have to release the information and any request must be referred to the Office of General Counsel.
A written note of the use or disclosure of the information must be kept with details of the disclosure or use, and the basis for the reasonable belief which was the basis of the disclosure. The Office of General Counsel will generally do this on its file.
Suspected criminal offences and unlawful behaviour
If ACU has reason to suspect unlawful activity that relates to ACU functions or activities and reasonably believes that it needs to collect, use or disclose personal information to deal with this then it can do so. This allows reports to police or other appropriate authorities with information relating to the report or required for investigation of the report – for example in the case of a suspected fraud on ACU, ACU may provide details of relevant payments to a person and bank details. It also allows ACU to collect, use or disclose personal information to investigate suspected unlawful behaviour itself. There must be grounds on which to base the suspicion of unlawful activity by the individual concerned such as a credible complaint or a record of suspect transactions or activity on a credit card.
The unlawful activity must relate to ACU and includes discrimination or harassment. Any information collected, used or disclosed must be only what is reasonably believed is necessary.
Suspected serious misconduct
If ACU has reason to suspect serious misconduct by a student or employee or associate of ACU that relates to ACU functions or activities and reasonably believes that it needs to collect, use or disclose personal information to deal with this, then it can do so. This enables ACU to e.g. investigate a suspected serious breach of the Code of Conduct such as significantly wrongful use of its internet resources.
The suspected conduct must be serious and the use or disclosure of the personal information must only be what is reasonably believed is necessary to deal with it. There must be grounds on which to base the suspicion of misconduct against the individual concerned such as a credible complaint or a record of suspect transactions or activity on an internet account.
Complaints or Allegations
Dealing with complaints or allegations made to ACU
If an individual makes a complaint about ACU then that individual may reasonably expect that ACU will use their personal information to deal with that complaint, including investigation of the complaint and informing persons complained of about the complaint.
Only information required for dealing with the complaint should be used or disclosed. Best practice is to obtain the consent of the complainant for the use or disclosure of their personal information or, at least inform them of the intention to disclose information before doing so.
Where a complaint is made under the Protected Disclosures Policy particular processes and obligations apply and no disclosure should be made without complying with the Policy.
Dealing with complaints or allegations about ACU
If an individual makes a complaint or attack on ACU in the media then that individual may reasonably expect that ACU may respond publicly to those comments revealing personal information of the individual but only if that information is specifically relevant to the particular issues raised. For example, if a student complains to the media that international students are treated more favourably than domestic students, it would not be acceptable to make a public statement including information about that particular student’s academic record. If a student complains to the media that they have been discriminated against in the way in which they were assessed, it may be acceptable to make a statement which includes information about that student’s academic record where it is relevant.
Emergency and Threat Situations
If ACU reasonably believes that collecting, using or disclosing personal information is necessary to lessen or prevent a serious threat to the life, health or safety of any person or to public health or safety and it is unreasonable or impracticable to obtain the individual’s consent then ACU may collect, use and disclose personal information.
Relevant considerations include:
- the nature of and potential consequences of the threat – how urgent and serious it is and how likely it is
- the adverse effects on the individual of not obtaining consent. This will usually be a question of the possible adverse effects of disclosure of personal information.
- whether the individual is capable of or able to give consent – the individual may not be in a proper physical or psychological state, or may be non-contactable within the relevant time-frame.
- the number of persons who have to give consent – this may make it impracticable to obtain consent
- inconvenience, time and cost of obtaining consent.
- the threat must be a present threat (i.e. not a threat that has passed).
Collection, Use and Disclosure of Personal Information for Purposes of ACU
Normal business requirements
If use of personal information is part of normal business processes then the individual will be considered to have given implied consent to its use e.g. by enrolling the student gives implied consent to use of personal information for enrolment and administration of the student’s study and student experience, including the opportunity to participate as an alumnus after graduation, but not for the purposes of fund-raising.
If a photograph can identify a particular person it is personal information.
Taking photographs where persons can be identified can be done without consent, but the general requirements around collecting personal information apply and the taking of the photograph must be reasonably necessary for ACU’s functions or activities. If, for example, photographs of an audience are expected to be taken at an event so that persons in that audience may be identifiable, then, if practicable, invitations or material distributed at the event should state that photographs of the event will be taken and provide the usual information, such as the purpose of taking the photographs and how they will be used.
If a person’s racial, ethnic origin or religious belief may be identified by the photograph, then this is considered to be sensitive information.
If there is explicit consent, then personal information may be used within the terms of that consent. Consent must be freely given, the individual must be adequately informed and if possible, there should be provision to opt in or out.
Health Information includes:
- opinion about an individual’s health or disability
- an individual’s wishes about provision of health services to him/her
- information collected to provide or in providing a health service
A health service includes any activity that is intended or claimed by the individual or person providing it to assess, record, maintain or improve the individual’s health; diagnosis; treatment or prescription. It includes a fitness centre or gym.
Collecting health information for research
ACU may collect personal health information about an individual if the research (including the compilation or analysis of statistics):
- is relevant to:
  - public health and safety; or
  - the management, funding or monitoring of a health service (e.g. quality assurance processes); and
- the purpose of the research cannot be served by de-identified information; and
- it is impracticable to obtain the individual’s consent (this includes adversely affecting the integrity or validity of the research as well as practical problems such as lack of current contact details for individuals); and
- it is either:
  - required by or under an Australian law;
  - in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind the organisation; or
  - in accordance with NHMRC Guidelines approved under the Privacy Act.
Reasonable steps must be taken to ensure that the information is de-identified before it is disclosed or published.
Using and disclosing health information for research
Researchers may use and disclose personal health information for research if:
- it is necessary for the research; and
- it is impracticable to obtain the individual’s consent to the use or disclosure; and
- it is done in accordance with the NHMRC Guidelines approved under the Privacy Act; and
- ACU (the researcher) reasonably believes that the recipient of the information will not disclose the information.
Disclosure of health information should be in de-identified form if reasonably possible.
Normally, if personal health information is being provided to a person or entity outside of ACU because it is necessary for the research, a confidentiality deed will be required before this can occur. If the person or entity is an investigator on the grant, then a deed of confidentiality will not usually be required.
Without specific consent of the individual and approval of the Human Research Ethics Committee (HREC), no personal health information may be published.
HREC and obligations of researchers
All research involving collection of personal health information will normally require the approval of the HREC and, in that case, the HREC will consider and apply the privacy obligations so that the HREC application and approval processes will cover the Privacy Act requirements to enable collection of the information.
Researchers will be responsible for ensuring that the information is collected, used, stored and disclosed in accordance with the HREC approval and the Privacy Act.
Providing a Health Service
Collecting, using and disclosing personal health information in the course of providing a health service
Where ACU is providing a health service it may collect, use and disclose personal health information if:
- Providing the health service:
  - the information is necessary to provide a health service to the individual and:
    - either the collection is required or authorised by an Australian law; or
    - it is collected in accordance with rules established by a competent health or medical body that deals with obligations of professional confidentiality which bind ACU (i.e. there is a sanction or adverse consequence if the rules are breached). This would apply to the Counselling Service or a medical clinic operated by ACU.
- Management and administration of the health service:
  - the collection, use or disclosure is for the purposes of management and administration of the health service; and
  - the purpose cannot be served by de-identified information;
  - it is impracticable to obtain the individual’s consent; or
  - it is collected in accordance with rules established by a competent health or medical body that deals with obligations of professional confidentiality which bind ACU (i.e. there is a sanction or adverse consequence if the rules are breached). This would apply to the Counselling Service or a medical clinic operated by ACU.
Any disclosure of health information should be de-identified.
Disclosure without consent
If ACU is providing a health service, it may disclose personal health information without consent where it is satisfied that either:
- disclosure is necessary to provide appropriate care or treatment of the individual; or
- the disclosure is for compassionate reasons;
and that:
- the individual is physically or legally incapable of giving consent, or physically cannot communicate consent;
- the recipient of the disclosure is a responsible person for the individual;
- the disclosure is not contrary to any prior wish expressed by the individual of which ACU could reasonably be expected to be aware; and
- the disclosure is limited to the extent reasonable and necessary for the purpose.
Genetic information
There is provision in the Privacy Act for disclosure of genetic information obtained in the course of providing a health service where there is a risk to a genetic relative of the individual.
Sensitive information about race, ethnicity, religion, political opinions, sexual orientation or practices, criminal record and health
Information about a person’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, professional or trade association/trade union membership, sexual orientation or practices or criminal record, health information, genetic or biometric information is considered sensitive information and there are additional restrictions which apply to how this information is collected, used and disclosed.
Other times when collection, use and disclosure of personal information is permitted
The Privacy Act allows the collection, use and disclosure of personal information in various circumstances and under specific situations including:
- locating missing persons
- defending legal claims
- participating in an alternative dispute resolution process
Questions relating to these matters should be referred to the ACU Privacy Coordinator.
What is direct marketing?
Direct marketing is the use or disclosure of personal information to communicate directly with an individual to promote goods and services. It would not include invitations to public lectures, but would include invitations to post-graduate courses.
When can personal information be used for direct marketing?
ACU can use personal information for direct marketing when either:
- the information has been collected directly from the individual and the individual would reasonably expect it to be used for direct marketing, or the individual has consented to the use of personal information (this can be done by notifying the individual of ACU’s intention to use the personal information in this way; the consent must remain current and be specific); and
  - the individual has the opportunity to opt out; or
- the information has been collected directly from the individual but the individual would not reasonably expect it to be used for direct marketing, or it is obtained from a third party; and
  - the individual has consented or it is impracticable to obtain that consent; and
  - the individual has the opportunity to opt out.
The opt out must be:
- clear and visible
- not complicated and easy to use
Requests to identify source of personal information
An individual may ask ACU to identify the source of the personal information it uses for direct marketing. This must be given within a reasonable period – generally 30 days unless it is impracticable or unreasonable to provide the information.
Spam Act and Do Not Call Register
The Spam and Do Not Call Register Acts apply as well as the Privacy Act to direct marketing.
Disclosing Personal Information Overseas
What is disclosing personal information overseas?
Disclosing personal information overseas includes:
- information delivered or exchanged at a conference overseas
- publication on the internet – intentionally or otherwise – which is accessible to a person located overseas
- sharing personal information with a person overseas by any means
Can ACU disclose personal information overseas for operational purposes?
Advice should be sought from OGC before personal information is disclosed to an overseas recipient.
In general terms, there are provisions allowing disclosure to overseas recipients in circumstances which should be assessed carefully. ACU can:
- send personal information overseas if it is to a unit or staff member of ACU located overseas, e.g. to the Rome Centre. The general rules regarding privacy apply to the use, disclosure and handling of personal information as in Australia
- send personal information to an overseas recipient if the individual is expressly informed of this and consents to it. The information provided to the individual prior to any consent should include a statement that ACU will not be accountable under the Privacy Act and that the individual will not be able to seek redress under the Privacy Act. If the information is particularly sensitive, then more information may be required to be given in order to establish that the consent was sufficient
- use servers located overseas for the purposes of routing information to a recipient. This is not considered a disclosure
- use overseas located services (cloud service provider) for purposes of storing and accessing data provided that the contract with the cloud service provider:
  - provides that ACU owns the data;
  - ensures that the provider and any contractors handle the information only for the purposes of ACU storing and accessing the data;
  - gives ACU on-going control of how the data is managed and accessed (including retrieval or disposal); and
  - has appropriate provisions for security of the data
- engage an overseas based contractor to perform services for it such as marketing or data analysis on the basis that ACU still holds the information and there are measures in place to ensure that the data receives the protections and management required by the Privacy Act. ACU will be liable for any mishandling of the information by its contractor. As a result:
  - the contract for the services must include specific privacy provisions
  - there may be a requirement for auditing compliance with privacy requirements
If the overseas recipient is subject to a privacy law or some form of regulation which is equivalent to the Australian law and which has mechanisms which enable a complainant to use that law, then the burden on ACU is much less.
Arrangements which involve personal information being sent overseas to be used by a third party must be reviewed by OGC.
Can ACU disclose personal information overseas in emergencies, cases of wrong doing or for law enforcement purposes?
ACU may disclose personal information where:
- it reasonably believes that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health and safety and it is unreasonable or impracticable to obtain the individual’s consent.
- it has reason to suspect that unlawful activity or misconduct of a serious nature that relates to ACU functions or activities has been, is being or may be engaged in, and ACU reasonably believes that the disclosure is necessary for it to take appropriate action in relation to the matter
- it reasonably believes that the disclosure is reasonably necessary to assist an entity subject to the Privacy Act to locate a person reported as missing and the disclosure complies with rules made by the Information Commissioner.
These provisions are similar to those which apply to disclosure of personal information within Australia and more information on how they are applied is set out above. Where practicable the advice of OGC should be sought before disclosing personal information to an overseas recipient.
How responsible is ACU for what an overseas recipient does with personal information received from ACU?
ACU may be liable for the actions or practices of an overseas entity in relation to personal information disclosed by it to that entity. This may be the case even where the entity has taken reasonable steps to comply with Australian requirements, the fault lies with the overseas entity’s sub-contractor or the breach of the Australian requirements is inadvertent.
It is important to ensure that the circumstances around the disclosure minimise the risk that ACU will be exposed to penalties for the failures of an overseas entity to whom it has disclosed personal information. OGC should be consulted on all potential arrangements involving disclosure of personal information to overseas recipients to prevent or minimise this risk.
What if foreign law requires disclosure by an overseas recipient of personal information provided by ACU?
If ACU discloses personal information to an overseas recipient and that recipient is required by a law of that jurisdiction to disclose the personal information, then this will not be a breach of the Privacy Act. A contract with the overseas recipient should deal with this possibility and provide for notification to ACU in the event of disclosure under compulsion of law. Consideration should also be given to whether individuals should be notified that disclosure of this type may be required. The USA PATRIOT Act, for example, gives the US Government extensive powers to obtain personal information.
Keeping and Maintaining Personal Information
ACU must take reasonable steps to ensure that the personal information it holds and discloses is accurate, up-to-date and complete. This is an ongoing and positive obligation.
Practices which assist in demonstrating that ACU has met its obligations with respect to data quality include:
- auditing, monitoring and correction of data quality
- use of a consistent format for collecting and recording information
- ensuring that updated or new information is promptly added
- providing means for individuals to review and update their information
- disposing of personal information which is no longer needed or which is out of date
- where personal information is received from a third party, checking to ensure that there are appropriate quality processes and procedures in place
- not using data without first considering its quality
Data security obligations
- ACU must take reasonable steps to protect personal information from misuse, interference and loss, unauthorised access, modification or disclosure
- Where the information is no longer needed it must be destroyed or de-identified.
How can ACU meet its obligations for data security?
Practices and procedures which can help to show that ACU is meeting its obligations to keep data secure are:
- local policies, procedures and awareness about data security
- training and instruction
- access restrictions – both physical and system access restrictions
- contracts with third parties which address issues of data security
- regular audits and reviews
- incorporating destruction and de-identification into management of data
- written and promulgated standards for maintaining security of data.
While data security may be managed principally by IT systems, breaches of data security can result from inadequate local policies, procedures and practices such as:
- staff copying or downloading data and losing it in a public place
- failure to keep back-ups of information
- circumvention of or failure to comply with IT security processes
- failure to destroy or de-identify information appropriately
What Rights Does the Individual Whose Personal Information ACU Holds Have?
Access to information
ACU must give an individual access to their personal information unless specific exceptions apply (see below).
There are time periods for responding to requests and other procedural requirements which are set out in the ACU Inquiries and Complaints Procedure. The information required to be provided is not limited to factual information; it may also include opinions.
The request for access must be made by the individual concerned or a person properly authorised by that individual and ACU must satisfy itself that the request is from the appropriate person.
Can ACU refuse to give an individual access to their personal information?
ACU can refuse access by an individual to their personal information if:
- ACU reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual or to public health or safety
- giving access would have an unreasonable impact on the privacy of other individuals
- the request is frivolous or vexatious
- the information relates to existing or anticipated legal proceedings between ACU and the individual and the information would not be accessible by legal discovery processes in the proceedings (e.g. information covered by legal professional privilege)
- the information would reveal ACU’s intentions in relation to negotiations with the individual so as to prejudice those negotiations
- giving access would be unlawful
- ACU has reason to suspect that there is, has been or may be unlawful activity or misconduct of a serious nature relating to its functions or activities and giving access to the material is likely to prejudice taking appropriate action in relation to that activity or misconduct
- giving access would be likely to prejudice an enforcement related activity conducted by or on behalf of an enforcement body
- giving access would reveal evaluative information generated within ACU in connection with a commercially sensitive decision-making process
Consideration must be given to whether material can be produced in an alternative form if applying one of these exceptions. It may be possible, for example, to redact the information of other persons, to provide a summary of the information, to delete the information, to facilitate access by providing the material for inspection without providing it in hard copy or electronic form, or to use an intermediary to provide the information (e.g. providing it through a suitably qualified medical professional where the material may be sufficiently distressing to the individual to lead to a concern about self-harm by that individual).
ACU must provide the individual with reasons for refusing a request for access to information, and the individual must be provided with certain information such as the way in which the individual can complain about the refusal.
Can ACU charge for responding to a request for personal information?
ACU can charge for costs in finding and producing requested information, including costs of deciding which information to provide and copying costs and the like. The costs must not be excessive and do not include costs of legal advice or of consulting with the individual about how access is provided. If it is proposed to make a charge (which would be only in exceptional circumstances), a record must be kept of all expenditure and time and the costs charged must be on a reasonable basis. Costs must be communicated and explained before access is given.
Other means of accessing information
Unlike many other universities, ACU is not bound by Freedom of Information legislation, which applies only to government entities.
Information however may be subject to production in Court proceedings.
Right to correction of information
ACU must take reasonable steps to correct personal information if requested by the individual.
ACU must respond to a request for correction of personal information within 30 calendar days and deal with it within a reasonable period (generally 30 days).
If ACU receives a request for correction of information it must assure itself that the information is incorrect.
The ACU Privacy Inquiries and Complaints Procedure sets out how requests for correction of information are made and dealt with; however, requests for correction of information can be made informally, and it is not necessary to state that the request is made under the Privacy Act.
ACU must, if requested by the individual, take reasonable steps to notify any third party which comes under the Privacy Act of the correction to the personal information, provided it is not impracticable or unlawful to do so. If a third party has been informed of incorrect information and it is not impracticable or unlawful, ACU should take steps to correct the information held by the third party whether or not there is a request, and/or prompt a request.
If ACU refuses a request to correct personal information it must give the individual reasons for that refusal (unless this is unreasonable or unlawful) and advise the individual of matters such as available complaint mechanisms.
If a request for correction of personal information is refused, the individual may request ACU to associate with the information a statement of the individual's belief that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. If it is reasonable and practicable, ACU must comply with the request. This can be done by attaching the statement to a physical record or by an electronic link to a digital record or, if this is not practicable, by a note on the record which references where the statement can be found. ACU is not obliged to accept overly long, irrelevant, defamatory, offensive, abusive or unlawful statements (e.g. a statement which breaches another individual's privacy), but if such objections are made, then ACU should attempt to negotiate with the individual on the form and substance of the statement.
ACU cannot charge for a request for correcting personal information, correcting information or for associating a statement with the personal information.
Further Information and Assistance
Policy applies to:
Approval Authority: Vice-Chancellor and President
Date of Last Revision: Not Applicable
* Unless otherwise indicated, this policy will still apply beyond the review date.