View current

Privacy Management Procedure

This is the current version of the approved document. You can provide feedback on this document to the Enquiries Contact - refer to the Status and Details tab from the menu bar above.

Section 1 - Purpose and Scope

(1) This Procedure sets out how The University of Queensland (UQ) will manage personal information in compliance with the relevant State, Commonwealth and international laws (relevant privacy laws) and Privacy Management Policy.

(2) This Procedure applies to all staff.

Top of Page

Section 2 - Process and Key Controls

(3) All staff are required to collect, store, use and disclose personal information in accordance with this Procedure.

(4) Organisational Units are required to review their information holdings and ensure appropriate measures are implemented to protect personal information from loss and from unauthorised access, modification, use or disclosure.

(5) Information stewards are required to comply with any information security classification requirements under UQ’s information management policies and procedures with respect to personal information.

(6) All privacy breaches are to be reported to UQ’s Right to Information and Privacy Office or Information Technology Services (ITS).

(7) If staff are uncertain about the application of this Procedure or relevant privacy laws, they should seek guidance from the Right to Information and Privacy Office or the Legal Services Division.

Top of Page

Section 3 - Key Requirements

Collection of Personal Information

(8) UQ collects personal information directly from individuals and from third parties in order to discharge its functions under section 5 of the University of Queensland Act 1998 (Qld) (UQ Act), including (but not limited to) teaching and learning, research, and student and staff recruitment and administration.

(9) When collecting personal information:

  1. Only personal information which is necessary to fulfil, or directly related to fulfilling, a lawful purpose directly related to a function or activity of UQ will be collected. 
  2. Personal information will be collected in a way which is lawful and fair. 
  3. Where it is reasonable and practicable to do so, personal information will be collected directly from the individual concerned rather than from a third party. 
  4. UQ will take all reasonable steps to ensure that:
    1. the information is relevant to the purpose for which it is collected;
    2. the extent of the information collected, and the way in which it is collected, are not an unreasonable intrusion into the personal affairs of the individual;
    3. the information is up-to-date, accurate and complete; and
    4. where the information is requested directly from an individual, the individual is generally aware of the following:
      1. the purpose of the collection (including, as appropriate, why the information is being collected and how it is intended to be used);
      2. the law authorising or requiring the collection of the information (where applicable); and
      3. any third parties to whom UQ routinely discloses the type of information requested (where applicable) and, if UQ is aware, any other entities those third parties routinely pass the information on to.

        Typically the above information will be provided in the form of a collection statement (often referred to as a privacy notice or privacy statement). Where practicable, individuals should be provided with this notice before or at the time of collection of the information; otherwise, as soon as practicable after the information is collected.

Storage and Security of Personal Information

(10) Personal information in UQ’s possession or under UQ’s control will be held securely, and protected from loss and unauthorised access, use, modification and disclosure by appropriate security measures.

(11) In determining the most appropriate security measures to protect personal information, staff should give consideration to:

  1. the sensitivity of the information; and/or
  2. the vulnerability of the information to misuse; and/or
  3. the form of the information (e.g. hardcopy, electronic, photographic images); and/or
  4. the possible consequences of misuse of the information for the individual to whom the information relates; and/or
  5. the availability of processes and mechanisms for the protection of the information; and/or
  6. other relevant UQ policies and guidelines.

(12) Appropriate arrangements will be put in place at the Organisational Unit level to ensure that:

  1. Personal information is stored by sufficiently secure means to prevent any unauthorised access.
  2. Access to records containing personal information is granted only to staff who have a legitimate requirement for such access in the course of their duties.
  3. When an individual ceases employment at UQ, leaves a business unit or no longer requires access to particular records containing personal information, access to those records is revoked in a timely manner.
  4. Staff take reasonable precautions to ensure personal information held within their area of responsibility is not used or disclosed inappropriately, and is protected from unauthorised access.

Use of Personal Information

(13) UQ uses personal information in order to discharge its functions under section 5 of the UQ Act, including (but not limited to) teaching and learning, research, and student and staff recruitment and administration. “Use” of personal information by UQ includes (but is not limited to) whenever that information is:

  1. searched, viewed, manipulated or otherwise dealt with;
  2. considered in the course of making a decision;
  3. transferred from one business unit or functional area of UQ to another business unit or functional area; or
  4. provided to a third party in circumstances where (e.g. under a contract) UQ retains control of who will know the information in the future.

(14) Subject to exceptions in relevant privacy laws, personal information will only be used for the purpose for which it was collected, and only those parts of the personal information that are directly relevant to fulfilling the particular purpose.

(15) Personal information collected for a purpose may only be used for another purpose where:

  1. The individual expressly or impliedly agrees to the information being used for another purpose.
  2. The proposed use is necessary to prevent or lessen a serious threat to life, health, safety or welfare of an individual or the public generally.
  3. The proposed use is authorised or required by law.
  4. The proposed use is necessary for law enforcement activities by or for a law enforcement agency.
  5. The purpose for which the information is to be used is directly related to the original purpose for which the information was collected; or
  6. the proposed use is necessary for research or the compilation or analysis of statistics in the public interest, the information is to be de-identified before publication, and it is not practicable to obtain the express or implied agreement of the individual concerned.

(16) Before using personal information, staff must take all reasonable steps to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, complete and up-to-date.

Disclosure of Personal Information

(17) UQ discloses personal information when:

  1. it gives the information to a third party or places it in a position to be able to find it out; and
  2. prior to receiving the information from UQ or via UQ, the third party did not know the personal information and was not in a position to be able to find it out; and
  3. UQ ceases to have control over the third party in relation to who will know the personal information in the future.

(18) UQ will not disclose personal information about an individual to a third party, except where such disclosure is:

  1. to the individual to whom it relates;
  2. under one of the circumstances listed under clauses 23 to 37 below; or
  3. otherwise permitted under relevant privacy laws.

(19) If an individual is unable to access their personal information through the relevant Organisational Unit, they may apply for access to their personal information through UQ’s administrative access schemes or via a formal application under the Information Privacy Act 2009 (Qld) (IP Act), as outlined in the Access to and Amendment of UQ Documents Procedure.

(20) Where personal information is disclosed to a third party under clauses 23 through 37, UQ will take all reasonable steps to ensure that the relevant entity will not use or disclose the information for a purpose other than the purpose for which the information was disclosed.

Information Published as a Matter of Public Record

(21) A limited amount of personal information held by UQ is published as a matter of public record or otherwise made available to the public as a generally-available publication, including:

  1. an individual’s status as a graduate of UQ (limited to name, award and date of conferral), which is available via UQ’s Online Verification of Qualifications platform and in bound volumes housed in the Fryer Library (Call No. LG711.5.C4);
  2. staff contact details (available via the UQ Contacts directory); and
  3. researcher profiles and contact details (available via UQ Researchers).

(22) A student’s current or historical enrolment at (or admission to) UQ, and non-routine personal information of staff (e.g. information not already published via UQ Contacts or UQ Researchers), are not matters of public record. Such information may only be disclosed in accordance with clauses 23 through 37 of this Procedure, or where otherwise permitted under relevant privacy laws.

Disclosure with the Individual's Agreement or Awareness

(23) Personal information of an individual may be disclosed to a third party if:

  1. the individual has expressly or impliedly agreed to the disclosure; or
  2. the individual is reasonably likely to have been aware, or to have been made aware via a collection statement (as described in clauses 8 to 9), that it is UQ’s usual practice to disclose that type of personal information to the relevant entity.

Disclosure Authorised or Required under a Law

(24) Queensland and Commonwealth legislation may grant a body the power to require UQ to provide certain information (including personal information) or may authorise or require UQ to disclose certain information (including personal information). Court orders may also require UQ to disclose certain information.

(25) All requests from statutory authorities and any other bodies (including private companies serving court orders) purporting to require under law the production of documents containing personal information should be directed to Legal Services or the Right to Information and Privacy Office for an assessment as to whether the disclosure is authorised or required.

Disclosure to Law Enforcement Agencies

(26) In the course of investigations and other law enforcement activities, law enforcement agencies may request UQ to disclose personal information of students, staff and other individuals. Law enforcement agencies include the Queensland Police Service, the Crime and Corruption Commission, Australian Federal Police and any other agency defined as a "law enforcement agency" under the IP Act.

(27) All requests for personal information from law enforcement agencies should be directed to the Right to Information and Privacy Office, except where otherwise arranged with the UQ's Right to Information and Privacy Office.

(28) Generally, requests from law enforcement agencies should be made on UQ's IPP11(1)(e) Request for Disclosure form. UQ may release relevant personal information to law enforcement agencies where permitted under, and in accordance with, the IP Act.

(29) Where personal information is disclosed under this exception, a notation regarding this disclosure is to be kept with the relevant record.

Disclosure in Emergencies or to Prevent Harm

(30) The IP Act allows UQ to disclose personal information if the disclosure is considered necessary to lessen or prevent a serious threat to an individual or to the public. This may include disclosure to law enforcement agencies and other relevant third parties in emergency situations.

(31) This exception only applies where UQ is satisfied on reasonable grounds that:

  1. there is a serious threat to either an individual’s life, health, safety or welfare, or to public health, safety or welfare; and
  2. the disclosure of the information is necessary to lessen or prevent the threat (i.e. there is a sufficient link between the disclosure of the information and the prevention or lessening of the threat).

(32) Where information is disclosed under this exception, the relevant staff member should:

  1. make a record of the date, time and any information disclosed; and
  2. advise the Right to Information and Privacy Office of the disclosure.

Disclosure for Research, or for the Compilation or Analysis of Statistics

(33) The IP Act allows UQ to disclose personal information to an entity if the disclosure is necessary for research or for the compilation or analysis of statistics in the public interest, and if all of the following apply:

  1. The information is to be de-identified before publication.
  2. It is not practicable to obtain the express or implied agreement of the individual concerned before the disclosure; and
  3. UQ is satisfied on reasonable grounds that the entity UQ discloses it to will not disclose the personal information to another entity.

Disclosure to Third-party Contractors

(34) Where UQ enters into a contract or agreement for the supply of goods or services by a third party, and UQ intends to share personal information with that third party (or the third party will collect personal information for or transfer personal information to UQ, or will in any way deal with personal information for UQ), UQ will take reasonable steps to ensure that the contract requires the third party to comply with Parts 1 and 3 of Chapter 2 of the IP Act as if it were UQ.

(35) UQ may disclose personal information to a contractor in the circumstances where disclosure is permitted under the IP Act as described in this Procedure.

(36) Where the contract with the third party enables UQ to have control over the third party in relation to who will know the personal information in the future, the sharing of relevant personal information with the third party comprises a use rather than a disclosure of the information.

(37) Otherwise, UQ may disclose personal information to a contractor only where disclosure is permitted under the IP Act, as described in this Procedure.

Transfer of Personal Information outside Australia

(38) In certain circumstances, it may be necessary for UQ to transfer personal information outside of Australia. For example:

  1. UQ may provide personal information pertaining to a student to an overseas educational institution or placement provider for the purpose of an international exchange or placement; or
  2. where personal information is to be held by a service provider outside of Australia (including, for example, survey platforms, file storage and file-sharing services, and SaaS solutions).

(39) Where personal information is transferred outside of Australia, the transfer will be in accordance with section 33 of the IP Act.

Privacy-by-Design

(40) “Privacy-by-Design” is the process of embedding good privacy practices into the design, development and implementation of systems, business processes and physical infrastructure.

(41) UQ acknowledges that managing privacy risks proactively is more effective and efficient than making retrospective changes to systems and processes. When considering the implementation of a new system or process, or a change to an existing system or process, UQ will give due consideration to privacy requirements at a sufficiently early stage. Depending on the nature and scope of a proposed project, this may require a formal privacy impact assessment.

Privacy Complaints

(42) Individuals can make a privacy complaint to UQ if they believe that UQ has not complied with its obligations under relevant privacy laws in respect to their personal information or personal data.

(43) Privacy complaints must be submitted in writing, and may be submitted via UQ’s central Complaints and Appeals submission website, by email to rtip@uq.edu.au, or in hardcopy to the Right to Information and Privacy Office. Complainants are encouraged to discuss their concerns with the Right to Information and Privacy Manager before submitting a complaint.

(44) Upon receipt of a privacy complaint, the Right to Information and Privacy Office will:

  1. where required, seek clarification of the issues and concerns from the complainant;
  2. consult with the head of the relevant Organisational Unit to facilitate an investigation into the matter; and
  3. notify the complainant in writing within 45 business days regarding the outcome of their complaint.

(45) For complaints under the IP Act, if the complainant does not receive a notification of outcome within 45 business days of making their privacy complaint, or if the complainant is dissatisfied with the outcome of their complaint, they may escalate their complaint to the Office of the Information Commissioner (Queensland).

Top of Page

Section 4 - Roles, Responsibilities and Accountabilities

UQ Right to Information and Privacy Office

(46) The functions of UQ’s Right to Information and Privacy Office include:

  1. Advising staff regarding privacy-related matters concerning UQ;
  2. Assisting UQ Organisational Units with privacy impact assessments;
  3. Managing applications under the IP Act and UQ’s administrative access schemes, in accordance with the Access to and Amendment of UQ Documents Procedure;
  4. Managing enquiries and complaints from individuals regarding UQ’s management of their personal information; and
  5. providing sufficient training opportunities and awareness-raising materials to enable staff to meet their obligations under this Procedure.
Top of Page

Section 5 - Monitoring, Review and Assurance

(47) UQ’s Right to Information and Privacy Office is responsible for:

  1. Monitoring UQ’s compliance with its obligations under relevant privacy laws and this Policy and Procedure.
  2. Reviewing this Procedure as required to ensure:
    1. its currency and accuracy; and
    2. that UQ’s processes comply with requirements under relevant legislation; and
  3. providing sufficient training opportunities and awareness-raising materials to enable UQ staff to meet their obligations under this Procedure.
Top of Page

Section 6 - Recording and Reporting

(48) UQ’s Right to Information and Privacy Office is responsible for:

  1. providing management with an Annual Report on UQ’s compliance with the IP Act and other relevant privacy laws; and
  2. reporting breaches of privacy to the relevant privacy regulator, in accordance with relevant privacy laws and the Privacy Management Policy.

(49) UQ’s Right to Information and Privacy Office also reports annually to Queensland’s Department of Justice and Attorney-General in relation to the operation of the RTI and IP Acts by UQ.

Top of Page

Section 7 - Appendix

Definitions

(50) Terms used in this Procedure that are defined in the Privacy Management Policy have the meaning given in that Policy.