Policy

Privacy Management - Policy

Printer-friendly version
Body

1.0   Purpose and Scope

1.1   Purpose

As a statutory body established by the University of Queensland Act 1998 (Qld) (UQ Act), The University of Queensland (UQ) is subject to various State, Commonwealth and international legislative requirements (relevant privacy laws) in relation to how it collects, stores, provides access to, uses and discloses personal information. 

This policy outlines UQ’s obligations and expectations regarding the management of personal information in accordance with relevant privacy laws.

1.2   Scope

This policy applies to all staff.

1.3   Legal context

As a public university established under Queensland law, UQ’s privacy obligations are primarily governed by Queensland’s Information Privacy Act 2009 (IP Act) and its eleven Information Privacy Principles (IPPs).  At various times, and with respect to certain information, UQ may also have privacy obligations under other jurisdictions as outlined below.

Commonwealth Privacy Act 1988 and the Australian Privacy Principles

UQ is generally not an “agency” nor an “organisation” for the purposes of the Privacy Act 1988 (Cth) (Privacy Act), and is generally not subject to the Privacy Act, the Australian Privacy Principles (APPs) or the requirements of the Notifiable Data Breach Scheme (NDB Scheme).

However, limited circumstances in which UQ is subject to the NDB Scheme include:

  • the handling of Tax File Numbers;
  • the handling of information (metadata) retained under section 187A of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act); and
  • where UQ has contractual obligations to comply with the NDB Scheme (e.g. funding agreements which require compliance with the APPs and the NDB Scheme).

In relation to metadata retained under the TIA Act, UQ is an “organisation” for the purposes of the Privacy Act and is subject to the Privacy Act and its APPs in relation to that metadata.

In relation to personal information collected under the Higher Education Support Act 2003 (Cth) and the VET Student Loans Act 2016 (Cth), UQ must comply with the APPs but is not subject to other Privacy Act obligations (such as the NDB Scheme) in relation to the personal information collected under these Acts.

The APPs are similar in operation to Queensland’s IPPs.

General Data Protection Regulation (EU)

UQ may at times be a “data controller”, “joint controller” or “data processor” for the purposes of the European Union’s General Data Protection Regulation (GDPR).

In limited circumstances UQ may have obligations under the GDPR to the extent that it processes personal data in relation to various “GDPR activities”.  “Personal data” as defined under the GDPR may include a broader range of information than “personal information” as defined under the IP Act and the Privacy Act (refer to section 6.1).

UQ is not subject to the GDPR in circumstances where the processing of personal data is not related to a “GDPR activity”, or where UQ does not otherwise have contractual obligations to a data controller with respect to compliance with the GDPR.

2.0   Principles and Key Requirements

2.1   Information Privacy Principles

UQ is committed to managing personal information it holds in an open and transparent manner, and in accordance with the Information Privacy Principles. To achieve this, UQ will:

  1. Only collect personal information that is necessary to fulfil, or directly related to fulfilling, a lawful purpose directly related to a function or activity of UQ.

  2. Ensure appropriate notification is provided to (or, where applicable, consent obtained from) an individual when collecting personal information directly from that individual.

  3. Take all reasonable steps to ensure that personal information in its control is protected against:

    1. Loss;
    2. Unauthorised access, use, modification or disclosure; or
    3. Any other misuse.
  1. As appropriate, provide information about the types of documents that contain personal information in the form of a personal information register.

  2. Use and disclose personal information in accordance with the requirements of the IP Act.

  3. Adopt privacy-by-design, and manage privacy risks proactively, by undertaking early assessment of privacy impacts and embedding good privacy practices into UQ’s business systems development processes and project management processes.

2.2   Access and Amendment of Personal Information

The IP Act provides individuals with the right (subject to certain exemptions and exclusions) to access documents held by UQ that contain the individual’s personal information. The IP Act also provides a right for an individual to request an amendment to UQ documents containing their personal information which the individual considers to be inaccurate, incomplete, out-of-date or misleading.

UQ also maintains a number of administrative access schemes to facilitate individuals’ access to their personal information outside of the IP Act.

The Access to and Amendment of UQ Documents Procedures outline the processes for accessing and/or amending personal information under the IP Act and UQ’s administrative access schemes.

2.3   Privacy Complaints

An individual that has concerns about how their personal information is being collected, stored, used or disclosed may make a complaint to UQ’s Right to Information and Privacy Office. The Privacy Management Procedures include further information about how an individual can make a privacy complaint to UQ and how privacy complaints will be managed.

2.4   Privacy Breaches

UQ takes its privacy and cyber-security obligations very seriously.

Upon becoming aware of an actual or suspected privacy breach, UQ staff must report it as soon as possible to UQ’s Right to Information and Privacy Office or Information Technology Services (ITS).  UQ will respond to actual or suspected privacy breaches in a timely fashion in accordance with its policies, procedures and processes.

UQ will notify privacy regulators and affected individuals of privacy breaches in accordance with its legislative obligations, and with due regard to applicable guidelines published by the relevant regulators.

3.0   Roles, Responsibilities and Accountabilities

3.1   UQ Staff

All UQ staff are responsible for:

  • handling personal information in accordance with this policy; and

  • notifying UQ’s Right to Information and Privacy Office or ITS of actual or suspected privacy breaches as soon as possible.

3.2   Managers of Organisational Units

In addition to the responsibilities set out in section 3.1, managers of UQ Organisational Units are responsible for:

  • reviewing the Unit’s personal information holdings and taking steps to ensure that any personal information held within the Organisational Unit is protected from unauthorised access, modification, use or disclosure; and

  • assisting and supporting the investigation of any privacy complaints and/or breaches of this policy.

3.3   Right to Information and Privacy Office

UQ’s Right to Information and Privacy Office is responsible for:

  • providing advice and leadership in relation to privacy compliance across UQ;

  • receiving, processing and responding to privacy complaints and requests to access or amend UQ documents containing an individual’s personal information;

  • where applicable, reporting privacy breaches to the relevant Information Commissioner or privacy regulator, and providing advice to business units on notifying individuals affected by privacy breaches; and

  • providing sufficient training opportunities and awareness-raising materials to enable UQ staff to meet their obligations under this policy.

4.0   Monitoring, Review and Assurance

UQ’s Right to Information and Privacy Office will monitor, review and provide assurance on the effectiveness of this policy and the operational procedures in place to implement its principles.

5.0   Recording and Reporting

UQ’s Right to Information and Privacy Office will oversee UQ’s reporting obligations to management and government authorities as required under the IP Act and other relevant privacy laws.

6.0   Appendix

6.1   Definitions

Affiliates - academic title-holders, visiting academics, emeritus professors, adjunct and honorary title-holders, industry fellows and conjoint appointments.

GDPR activity - any activity or function of UQ where the processing of personal data is:

  • undertaken in the context of the activities of a UQ establishment in the EU; or
  • connected with the offering of goods or services to individuals in the EU; or
  • connected with monitoring the behaviour of individuals in the EU.

Personal data (GDPR) - any information relating to an identified or identifiable natural person (an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).

Personal information -

  • (for the purposes of the IP Act) information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion;
  • (for the purposes of the Privacy Act) information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not;
  • (for the purposes of the TIA Act) information kept under Part 5-1A of the TIA Act which relates to (a) an individual, or (b) to a communication to which an individual is party.

Privacy breach -

(a)  UQ’s breach of a relevant privacy law; or

(b)  loss or unauthorised disclosure of, or unauthorised access to, personal information or personal data where UQ has obligations or liabilities in relation to the loss, unauthorised disclosure or unauthorised access; or

(c)  UQ’s breach of, or liability arising under, a contract or other arrangement with a third party where the breach or liability relates to personal information or personal data; or

(d)  a person’s breach of a relevant privacy law where the breach relates to personal information or personal data connected with a contract or other arrangement between UQ and that and/or any other person(s); or

(e)  a third party’s breach of or liability arising under a contract or other arrangement with UQ where the breach or liability relates to personal information or personal data.

Privacy complaint - a complaint from an individual that UQ has not complied with its obligations under relevant privacy laws with respect to that individual’s personal information or personal data.

Processing of personal data - the “processing” of personal information/data means any operation/s performed on personal information/data, including (but not limited to) collection, storage and organisation, retrieval, use, disclosure, erasure and/or destruction.

Staff -

  • members of the UQ Senate;
  • all UQ employees, including continuing, fixed-term, research (contingent funded) and casual employees;
  • persons acting in an honorary or voluntary capacity for or at UQ, including work experience students; and
  • affiliates.
Custodians
Director, Governance and Risk

Procedures

Privacy Management - Procedures

Printer-friendly version
Body

1.0   Purpose and Scope

This procedure sets out how The University of Queensland (UQ) will manage personal information in compliance with the relevant State, Commonwealth and international laws (relevant privacy laws) and UQ’s Privacy Management Policy.

This procedure applies to all staff.

2.0   Process and Key Controls

  1. All staff are required to collect, store, use and disclose personal information in accordance with this procedure.

  2. Organisational Units are required to review their information holdings and ensure appropriate measures are implemented to protect personal information from loss and from unauthorised access, modification, use or disclosure.

  3. Information stewards are required to comply with any information security classification requirements under UQ’s information management policies and procedures with respect to personal information.

  4. All privacy breaches are to be reported to UQ’s Right to Information and Privacy Office or Information Technology Services (ITS).

  5. If staff are uncertain about the application of this procedure or relevant privacy laws, they should seek guidance from the Right to Information and Privacy Office or Legal Services.

3.0   Key Requirements

3.1   Collection of personal information

UQ collects personal information directly from individuals and from third parties in order to discharge its functions under section 5 of the University of Queensland Act 1998 (Qld) (UQ Act), including (but not limited to) teaching and learning, research, and student and staff recruitment and administration.

When collecting personal information:

  1. Only personal information which is necessary to fulfil, or directly related to fulfilling, a lawful purpose directly related to a function or activity of UQ will be collected. 

  2. Personal information will be collected in a way which is lawful and fair. 

  3. Where it is reasonable and practicable to do so, personal information will be collected directly from the individual concerned rather than from a third party. 

  4. UQ will take all reasonable steps to ensure that:

    1. the information is relevant to the purpose for which it is collected;

    2. the extent of the information collected, and the way in which it is collected, are not an unreasonable intrusion into the personal affairs of the individual;

    3. the information is up-to-date, accurate and complete; and

    4. where the information is requested directly from an individual, the individual is generally aware of the following -

      • the purpose of the collection (including, as appropriate, why the information is being collected and how it is intended to be used);

      • the law authorising or requiring the collection of the information (where applicable); and

      • any third parties to whom UQ routinely discloses the type of information requested (where applicable) and, if UQ is aware, any other entities those third parties routinely pass the information on to.

Typically the above information will be provided in the form of a collection statement (often referred to as a privacy notice or privacy statement).  Where practicable, individuals should be provided with this notice before or at the time of collection of the information; otherwise, as soon as practicable after the information is collected.

Further information regarding collection notices is available in UQ’s Collection of Personal Information Guideline.

3.2   Storage and security of personal information

Personal information in UQ’s possession or under UQ’s control will be held securely, and protected from loss and unauthorised access, use, modification and disclosure by appropriate security measures.

In determining the most appropriate security measures to protect personal information, staff should give consideration to:

  • the sensitivity of the information; and/or

  • the vulnerability of the information to misuse; and/or

  • the form of the information (e.g. hardcopy, electronic, photographic images); and/or

  • the possible consequences of misuse of the information for the individual to whom the information relates; and/or

  • the availability of processes and mechanisms for the protection of the information; and/or

  • other relevant UQ policies and guidelines.

Appropriate arrangements will be put in place at the Organisational Unit level to ensure that:

  1. personal information is stored by sufficiently secure means to prevent any unauthorised access;

  2. access to records containing personal information is granted only to staff who have a legitimate requirement for such access in the course of their duties;

  3. when an individual ceases employment at UQ, leaves a business unit or no longer requires access to particular records containing personal information, access to those records is revoked in a timely manner;

  4. staff take reasonable precautions to ensure personal information held within their area of responsibility is not used or disclosed inappropriately, and is protected from unauthorised access.

3.3   Use of personal information

UQ uses personal information in order to discharge its functions under section 5 of the UQ Act, including (but not limited to) teaching and learning, research, and student and staff recruitment and administration. “Use” of personal information by UQ includes (but is not limited to) whenever that information is:

  • searched, viewed, manipulated or otherwise dealt with;

  • considered in the course of making a decision;

  • transferred from one business unit or functional area of UQ to another business unit or functional area; or

  • provided to a third party in circumstances where (e.g. under a contract) UQ retains control of who will know the information in the future.

Subject to exceptions in relevant privacy laws, personal information will only be used for the purpose for which it was collected, and only those parts of the personal information that are directly relevant to fulfilling the particular purpose.

Personal information collected for a purpose may only be used for another purpose where:

  • the individual expressly or impliedly agrees to the information being used for another purpose;

  • the proposed use is necessary to prevent or lessen a serious threat to life, health, safety or welfare of an individual or the public generally;

  • the proposed use is authorised or required by law;

  • the proposed use is necessary for law enforcement activities by or for a law enforcement agency;

  • the purpose for which the information is to be used is directly related to the original purpose for which the information was collected; or

  • the proposed use is necessary for research or the compilation or analysis of statistics in the public interest, the information is to be de-identified before publication, and it is not practicable to obtain the express or implied agreement of the individual concerned.

Before using personal information, staff must take all reasonable steps to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, complete and up-to-date.

3.4   Disclosure of personal information

UQ discloses personal information when:

  • it gives the information to a third party or places it in a position to be able to find it out; and

  • prior to receiving the information from UQ or via UQ, the third party did not know the personal information and was not in a position to be able to find it out; and

  • UQ ceases to have control over the third party in relation to who will know the personal information in the future.

UQ will not disclose personal information about an individual to a third party, except where such disclosure is:

  1. to the individual to whom it relates;

  2. under one of the circumstances listed in sections 3.4.2 through 3.4.7 below; or

  3. otherwise permitted under relevant privacy laws.

If an individual is unable to access their personal information through the relevant Organisational Unit, they may apply for access to their personal information through UQ’s administrative access schemes or via a formal application under the Information Privacy Act 2009 (Qld) (IP Act), as outlined in the Access to and Amendment of UQ Documents Procedures.

Where personal information is disclosed to a third party under sections 3.4.2 through 3.4.7, UQ will take all reasonable steps to ensure that the relevant entity will not use or disclose the information for a purpose other than the purpose for which the information was disclosed.

3.4.1   Information published as a matter of public record

A limited amount of personal information held by UQ is published as a matter of public record or otherwise made available to the public as a generally-available publication, including:

  • an individual’s status as a graduate of UQ (limited to name, award and date of conferral), which is available via UQ’s Online Verification of Qualifications platform and in bound volumes housed in the Fryer Library (Call No. LG711.5.C4);

  • staff contact details (available via the UQ Contacts directory); and

  • researcher profiles and contact details (available via UQ Researchers).

A student’s current or historical enrolment at (or admission to) UQ, and non-routine personal information of staff (e.g. information not already published via UQ Contacts or UQ Researchers), are not matters of public record.  Such information may only be disclosed in accordance with sections 3.4.2 through 3.4.7 of this procedure, or where otherwise permitted under relevant privacy laws.

3.4.2   Disclosure with the individual's agreement or awareness

Personal information of an individual may be disclosed to a third party if:

  1. the individual has expressly or impliedly agreed to the disclosure; or

  2. the individual is reasonably likely to have been aware, or to have been made aware via a collection statement (as described in section 3.1), that it is UQ’s usual practice to disclose that type of personal information to the relevant entity.

3.4.3   Disclosure authorised or required under a law

Queensland and Commonwealth legislation may grant a body the power to require UQ to provide certain information (including personal information) or may authorise or require UQ to disclose certain information (including personal information). Court orders may also require UQ to disclose certain information.

All requests from statutory authorities and any other bodies (including private companies serving court orders) purporting to require under law the production of documents containing personal information should be directed to Legal Services or the Right to Information and Privacy Office for an assessment as to whether the disclosure is authorised or required.

3.4.4   Disclosure to law enforcement agencies

In the course of investigations and other law enforcement activities, law enforcement agencies may request UQ to disclose personal information of students, staff and other individuals.  Law enforcement agencies include the Queensland Police Service, the Crime and Corruption Commission, Australian Federal Police and any other agency defined as a "law enforcement agency" under the IP Act.

All requests for personal information from law enforcement agencies should be directed to the Right to Information and Privacy Office, except where otherwise arranged with the UQ's Right to Information and Privacy Office.

Generally, requests from law enforcement agencies should be made on UQ's IPP11(1)(e) Request for Disclosure form.  UQ may release relevant personal information to law enforcement agencies where permitted under, and in accordance with, the IP Act.

Where personal information is disclosed under this exception, a notation regarding this disclosure is to be kept with the relevant record.

3.4.5   Disclosure in emergencies or to prevent harm

The IP Act allows UQ to disclose personal information if the disclosure is considered necessary to lessen or prevent a serious threat to an individual or to the public.  This may include disclosure to law enforcement agencies and other relevant third parties in emergency situations.

This exception only applies where UQ is satisfied on reasonable grounds that:

  • there is a serious threat to either an individual’s life, health, safety or welfare, or to public health, safety or welfare; and

  • the disclosure of the information is necessary to lessen or prevent the threat (i.e. there is a sufficient link between the disclosure of the information and the prevention or lessening of the threat).

Where information is disclosed under this exception, the relevant staff member should:

  • make a record of the date, time and any information disclosed; and

  • advise the Right to Information and Privacy Office of the disclosure.

3.4.6   Disclosure for research, or for the compilation or analysis of statistics

The IP Act allows UQ to disclose personal information to an entity if the disclosure is necessary for research or for the compilation or analysis of statistics in the public interest, and if all of the following apply:

  • the information is to be de-identified before publication;

  • it is not practicable to obtain the express or implied agreement of the individual concerned before the disclosure; and

  • UQ is satisfied on reasonable grounds that the entity UQ discloses it to will not disclose the personal information to another entity.

3.4.7   Disclosure to third-party contractors

Where UQ enters into a contract or agreement for the supply of goods or services by a third party, and UQ intends to share personal information with that third party (or the third party will collect personal information for or transfer personal information to UQ, or will in any way deal with personal information for UQ), UQ will take reasonable steps to ensure that the contract requires the third party to comply with Parts 1 and 3 of Chapter 2 of the IP Act as if it were UQ.

UQ may disclose personal information to a contractor in the circumstances where disclosure is permitted under the IP Act as described in this procedure.

Where the contract with the third party enables UQ to have control over the third party in relation to who will know the personal information in the future, the sharing of relevant personal information with the third party comprises a use rather than a disclosure of the information.

Otherwise, UQ may disclose personal information to a contractor only where disclosure is permitted under the IP Act, as described in this procedure.

3.5   Transfer of personal information outside Australia

In certain circumstances, it may be necessary for UQ to transfer personal information outside of Australia.  For example:

  • UQ may provide personal information pertaining to a student to an overseas educational institution or placement provider for the purpose of an international exchange or placement; or

  • where personal information is to be held by a service provider outside of Australia (including, for example, survey platforms, file storage and file-sharing services, and SaaS solutions).

Where personal information is transferred outside of Australia, the transfer will be in accordance with section 33 of the IP Act.

3.6   Privacy-by-Design

“Privacy-by-Design” is the process of embedding good privacy practices into the design, development and implementation of systems, business processes and physical infrastructure.

UQ acknowledges that managing privacy risks proactively is more effective and efficient than making retrospective changes to systems and processes.  When considering the implementation of a new system or process, or a change to an existing system or process, UQ will give due consideration to privacy requirements at a sufficiently early stage.  Depending on the nature and scope of a proposed project, this may require a formal privacy impact assessment.

3.7   Privacy complaints

Individuals can make a privacy complaint to UQ if they believe that UQ has not complied with its obligations under relevant privacy laws in respect to their personal information or personal data.

Privacy complaints must be submitted in writing, and may be submitted via UQ’s complaints portal, by email to rtip@uq.edu.au or in hardcopy to the RTI & Privacy Office.  Complainants are encouraged to discuss their concerns with the RTI & Privacy Coordinator before submitting a complaint.

Upon receipt of a privacy complaint, the RTI & Privacy Office will:

  • where required, seek clarification of the issues and concerns from the complainant;

  • consult with the head of the relevant Organisational Unit to facilitate an investigation into the matter; and

  • notify the complainant in writing within 45 business days regarding the outcome of their complaint.

For complaints under the IP Act, if the complainant does not receive a notification of outcome within 45 business days of making their privacy complaint, or if the complainant is dissatisfied with the outcome of their complaint, they may escalate their complaint to the Office of the Information Commissioner (Queensland).

4.0   Roles, Responsibilities and Accountabilities

4.1   UQ Right to Information and Privacy Office

The functions of UQ’s Right to Information and Privacy Office include:

  • advising staff regarding privacy-related matters concerning UQ;

  • assisting UQ Organisational Units with privacy impact assessments;

  • managing applications under the IP Act and UQ’s administrative access schemes, in accordance with the Access to and Amendment of UQ Documents Procedures;

  • managing enquiries and complaints from individuals regarding UQ’s management of their personal information; and

  • providing sufficient training opportunities and awareness-raising materials to enable staff to meet their obligations under this procedure.

5.0   Monitoring, Review and Assurance

UQ’s Right to Information and Privacy Office is responsible for:

  • monitoring UQ’s compliance with its obligations under relevant privacy laws and this policy and procedure;

  • reviewing this procedure as required to ensure –

    • its currency and accuracy; and

    • that UQ’s processes comply with requirements under relevant legislation; and

  • providing sufficient training opportunities and awareness-raising materials to enable UQ staff to meet their obligations under this procedure.

6.0   Recording and Reporting

UQ’s Right to Information and Privacy Office is responsible for

  • providing management with an Annual Report on UQ’s compliance with the IP Act and other relevant privacy laws; and

  • reporting breaches of privacy to the relevant privacy regulator, in accordance with relevant privacy laws and the Privacy Management Policy.

UQ’s Right to Information and Privacy Office also reports annually to Queensland’s Department of Justice and Attorney-General in relation to the operation of the RTI and IP Acts by UQ.

7.0   Appendix

7.1   Definitions

Terms used in this procedure that are defined in the Privacy Management Policy have the meaning given in that policy.

Custodians
Director, Governance and Risk
Custodians
Director, Governance and Risk