1.0   Purpose and Scope

1.1   Purpose

As a statutory body established by the University of Queensland Act 1998 (Qld) (UQ Act), The University of Queensland (UQ) is subject to various State, Commonwealth and international legislative requirements (relevant privacy laws) in relation to how it collects, stores, provides access to, uses and discloses personal information. 

This policy outlines UQ’s obligations and expectations regarding the management of personal information in accordance with relevant privacy laws.

1.2   Scope

This policy applies to all staff.

1.3   Legal context

As a public university established under Queensland law, UQ’s privacy obligations are primarily governed by Queensland’s Information Privacy Act 2009 (IP Act) and its eleven Information Privacy Principles (IPPs).  At various times, and with respect to certain information, UQ may also have privacy obligations under other jurisdictions as outlined below.

Commonwealth Privacy Act 1988 and the Australian Privacy Principles

UQ is generally not an “agency” nor an “organisation” for the purposes of the Privacy Act 1988 (Cth) (Privacy Act), and is generally not subject to the Privacy Act, the Australian Privacy Principles (APPs) or the requirements of the Notifiable Data Breach Scheme (NDB Scheme).

However, limited circumstances in which UQ is subject to the NDB Scheme include:

  • the handling of Tax File Numbers;
  • the handling of information (metadata) retained under section 187A of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act); and
  • where UQ has contractual obligations to comply with the NDB Scheme (e.g. funding agreements which require compliance with the APPs and the NDB Scheme).

In relation to metadata retained under the TIA Act, UQ is an “organisation” for the purposes of the Privacy Act and is subject to the Privacy Act and its APPs in relation to that metadata.

In relation to personal information collected under the Higher Education Support Act 2003 (Cth) and the VET Student Loans Act 2016 (Cth), UQ must comply with the APPs but is not subject to other Privacy Act obligations (such as the NDB Scheme) in relation to the personal information collected under these Acts.

The APPs are similar in operation to Queensland’s IPPs.

General Data Protection Regulation (EU)

UQ may at times be a “data controller”, “joint controller” or “data processor” for the purposes of the European Union’s General Data Protection Regulation (GDPR).

In limited circumstances UQ may have obligations under the GDPR to the extent that it processes personal data in relation to various “GDPR activities”.  “Personal data” as defined under the GDPR may include a broader range of information than “personal information” as defined under the IP Act and the Privacy Act (refer to section 6.1).

UQ is not subject to the GDPR in circumstances where the processing of personal data is not related to a “GDPR activity”, or where UQ does not otherwise have contractual obligations to a data controller with respect to compliance with the GDPR.

2.0   Principles and Key Requirements

2.1   Information Privacy Principles

UQ is committed to managing personal information it holds in an open and transparent manner, and in accordance with the Information Privacy Principles. To achieve this, UQ will:

  1. Only collect personal information that is necessary to fulfil, or directly related to fulfilling, a lawful purpose directly related to a function or activity of UQ.

  2. Ensure appropriate notification is provided to (or, where applicable, consent obtained from) an individual when collecting personal information directly from that individual.

  3. Take all reasonable steps to ensure that personal information in its control is protected against:

     a. loss;
     b. unauthorised access, use, modification or disclosure; or
     c. any other misuse.

  4. As appropriate, provide information about the types of documents that contain personal information in the form of a personal information register.

  5. Use and disclose personal information in accordance with the requirements of the IP Act.

  6. Adopt privacy-by-design, and manage privacy risks proactively, by undertaking early assessment of privacy impacts and embedding good privacy practices into UQ’s business systems development processes and project management processes.

2.2   Access and Amendment of Personal Information

The IP Act provides individuals with the right (subject to certain exemptions and exclusions) to access documents held by UQ that contain the individual’s personal information. The IP Act also provides a right for an individual to request an amendment to UQ documents containing their personal information which the individual considers to be inaccurate, incomplete, out-of-date or misleading.

UQ also maintains a number of administrative access schemes to facilitate individuals’ access to their personal information outside of the IP Act.

The Access to and Amendment of UQ Documents Procedures outline the processes for accessing and/or amending personal information under the IP Act and UQ’s administrative access schemes.

2.3   Privacy Complaints

An individual that has concerns about how their personal information is being collected, stored, used or disclosed may make a complaint to UQ’s Right to Information and Privacy Office. The Privacy Management Procedures include further information about how an individual can make a privacy complaint to UQ and how privacy complaints will be managed.

2.4   Privacy Breaches

UQ takes its privacy and cyber-security obligations very seriously.

Upon becoming aware of an actual or suspected privacy breach, UQ staff must report it as soon as possible to UQ’s Right to Information and Privacy Office or Information Technology Services (ITS).  UQ will respond to actual or suspected privacy breaches in a timely fashion in accordance with its policies, procedures and processes.

UQ will notify privacy regulators and affected individuals of privacy breaches in accordance with its legislative obligations, and with due regard to applicable guidelines published by the relevant regulators.

3.0   Roles, Responsibilities and Accountabilities

3.1   UQ Staff

All UQ staff are responsible for:

  • handling personal information in accordance with this policy; and

  • notifying UQ’s Right to Information and Privacy Office or ITS of actual or suspected privacy breaches as soon as possible.

3.2   Managers of Organisational Units

In addition to the responsibilities set out in section 3.1, managers of UQ Organisational Units are responsible for:

  • reviewing the Unit’s personal information holdings and taking steps to ensure that any personal information held within the Organisational Unit is protected from unauthorised access, modification, use or disclosure; and

  • assisting and supporting the investigation of any privacy complaints and/or breaches of this policy.

3.3   Right to Information and Privacy Office

UQ’s Right to Information and Privacy Office is responsible for:

  • providing advice and leadership in relation to privacy compliance across UQ;

  • receiving, processing and responding to privacy complaints and requests to access or amend UQ documents containing an individual’s personal information;

  • where applicable, reporting privacy breaches to the relevant Information Commissioner or privacy regulator, and providing advice to business units on notifying individuals affected by privacy breaches; and

  • providing sufficient training opportunities and awareness-raising materials to enable UQ staff to meet their obligations under this policy.

4.0   Monitoring, Review and Assurance

UQ’s Right to Information and Privacy Office will monitor, review and provide assurance on the effectiveness of this policy and the operational procedures in place to implement its principles.

5.0   Recording and Reporting

UQ’s Right to Information and Privacy Office will oversee UQ’s reporting obligations to management and government authorities as required under the IP Act and other relevant privacy laws.

6.0   Appendix

6.1   Definitions

Affiliates - academic title-holders, visiting academics, emeritus professors, adjunct and honorary title-holders, industry fellows and conjoint appointments.

GDPR activity - any activity or function of UQ where the processing of personal data is:

  • undertaken in the context of the activities of a UQ establishment in the EU; or
  • connected with the offering of goods or services to individuals in the EU; or
  • connected with monitoring the behaviour of individuals in the EU.

Personal data (GDPR) - any information relating to an identified or identifiable natural person (an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).

Personal information -

  • (for the purposes of the IP Act) information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion;
  • (for the purposes of the Privacy Act) information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not;
  • (for the purposes of the TIA Act) information kept under Part 5-1A of the TIA Act which relates to (a) an individual, or (b) to a communication to which an individual is party.

Privacy breach -

(a)  UQ’s breach of a relevant privacy law; or

(b)  loss or unauthorised disclosure of, or unauthorised access to, personal information or personal data where UQ has obligations or liabilities in relation to the loss, unauthorised disclosure or unauthorised access; or

(c)  UQ’s breach of, or liability arising under, a contract or other arrangement with a third party where the breach or liability relates to personal information or personal data; or

(d)  a person’s breach of a relevant privacy law where the breach relates to personal information or personal data connected with a contract or other arrangement between UQ and that person and/or any other person(s); or

(e)  a third party’s breach of or liability arising under a contract or other arrangement with UQ where the breach or liability relates to personal information or personal data.

Privacy complaint - a complaint from an individual that UQ has not complied with its obligations under relevant privacy laws with respect to that individual’s personal information or personal data.

Processing of personal data - the “processing” of personal information/data means any operation/s performed on personal information/data, including (but not limited to) collection, storage and organisation, retrieval, use, disclosure, erasure and/or destruction.

Staff -

  • members of the UQ Senate;
  • all UQ employees, including continuing, fixed-term, research (contingent funded) and casual employees;
  • persons acting in an honorary or voluntary capacity for or at UQ, including work experience students; and
  • affiliates.

Custodians

Director, Governance and Risk: Mr Robert Oldfield