Printer-friendly version

1. Purpose and Objectives

These procedures set out how the University intends to comply with its obligations under the Information Privacy Act 2009.

2. Definitions, Terms, Acronyms

Privacy complaint - a complaint by an individual about an act or practice of the University in relation to the individual's personal information that is a breach of the University's obligations under the Information Privacy Act 2009.

Personal information - any information which identifies an individual or which allows his or her identity to be reasonably ascertained. In the University context, examples of personal information include home address, home telephone number, date of birth, marital status, next of kin; salaries and wages of University staff; all information concerning students, their enrolment, academic performance and their personal welfare (such as medical matters) and records of an individual student's library borrowings; information concerning persons who apply to the University for appointment or admission; information collected from or concerning human research subjects. It may include visual information, such as photographs of people.

Subsidiary companies - companies which are subsidiary to the University or otherwise connected to the University.

3. Procedures Scope/Coverage

As a public authority established by the University of Queensland Act 1998, the University of Queensland is subject to the Information Privacy Act 2009. The procedures do not apply to:

  • independent organisations that are not regarded as part of the University;
  • subsidiary companies, which may be subject to the Commonwealth Privacy Act 1988.

Parts of the Information Privacy Act 2009 do not apply to generally available publications such as magazines or to documents kept in libraries, museums or art galleries for the propose of reference, study or exhibition.

4. Procedures Statement

Personal information will be collected, stored, used and disclosed according to the principles set out below.

4.1. Collection of personal information

The University collects personal information from individuals and third parties to discharge its functions, including teaching and research, and student and staff administration.

Only personal information which is necessary for a lawful function or activity of the University is to be collected. For instance, it is rare that information concerning a student’s marital status or religious beliefs is required for normal administrative functions associated with enrolment or study. If the information is not required, then it should not be collected.

Personal information is to be collected in a way which is lawful, fair and not unreasonably intrusive to the privacy of the individual concerned. When collecting the information, the University will take reasonable steps to ensure that the information is up to date, accurate and complete.

Where it is reasonable and practicable to do so, personal information is to be collected directly from the individual concerned rather than from a third party. This ensures that the information will be up to date and accurate and the person to whom the information relates is aware of the collection.

When collecting information from the individual, the University will take reasonable steps to inform the person:

  • why the information is being collected and how it is intended to be used;
  • the University’s authority to collect the information; and
  • any third parties to whom the University routinely gives the kind of information requested.

If a person decides not to provide requested information, it may not be possible for the University to provide the person with the services. In this circumstance, the person may be informed of the consequences of the information not being provided.

4.2 Security of personal information

Personal information in the possession or under the control of the University will be held securely, and will be protected from unauthorised access, use, modification and disclosure by such security mechanism as are appropriate in the circumstances.

In determining the most appropriate security mechanisms, regard will be had to the following considerations:

  • the sensitivity of the information;
  • the vulnerability of the information to misuse;
  • the form of the information (e.g hardcopy, electronic, photographic images);
  • the possible consequences for the person to whom the information relates of misuse of the information;
  • the availability of processes and mechanisms within the University for the protection of the information; and
  • University policies and guidelines (e.g. PPL 6.30.01 ICT Security).

Access to personal information is to be restricted to those persons who have a legitimate need to know the information. Appropriate arrangements should be put in place at the business unit level to ensure that access to computerised records is granted only to staff requiring such access in the course of their duties. Where a staff member leaves a business unit or no longer requires access to particular records, his or her access to those records should be immediately terminated.

The University will control access to University premises where personal information is stored to exclude unauthorised persons. To facilitate this control, it is University policy that staff members wear and display their security passes when engaged in University activities.

Staff members are to take reasonable precautions to ensure that personal information obtained during the course of their duties is not disclosed, either deliberately or inadvertently, to persons who do not have a legitimate need to know the information. Paper-based records should not be left where they may be accessed by unauthorised persons. To facilitate this protection, the University supports a clean desk policy.

Records containing personal information should be filed securely in appropriately classified files.

4.3 Use of personal information

The University uses personal information concerning staff, students and third parties in conducting its business activities. Only that personal information which is relevant to the proposed activity or function will be used. Before using the information, reasonable steps will be taken to ensure that the information is up to date, accurate and complete.

Subject to the Information Privacy Act 2009, personal information about an individual collected for a particular purpose is not to be used for another purpose. The exceptions are where:

  • the individual consents to the information being used for the other purpose;
  • the proposed use is necessary to prevent or lessen a serious threat to life, health, safety or welfare of the individual or the public generally;
  • the proposed use is authorised or required by law;
  • the proposed use is necessary for the enforcement of the law;
  • the purpose for which the information is to be used is directly related to the original purpose for which the information was collected; or
  • the proposed use is necessary for research in the public interest, the information is to be deidentified before publication,and it is not practicable to seek the consent of the individual concerned.

Where information is used for a purpose for which it was not collected, a notation is to be made on the relevant record of this use.

4.4 Disclosure of personal information

The University discloses information if it communicates that information to a third party outside the University in circumstances where the University cannot control what that third party does with the information. Subject to the Information Privacy Act 2009, information not publicly known concerning staff and students should be treated as confidential, and should be disclosed only to University staff who have a demonstrated need for this information to carry out their duties.

The following exceptions apply:

4.4.1 Disclosure to the staff member or student to whom the personal information relates

Information privacy principles in general entitle those about whom information is held to access that information. This enables them to ensure that information about them is accurate, relevant, up-to-date, complete and not misleading. Thus, a staff member or a student would be entitled to request access to their personal file or to view information held in computerised formats about them. This general entitlement is given effect by the Right to Information Act 2009 (Qld) and the Information Privacy Act 2009 (Qld), and is subject to their detailed provisions.

In most cases where access is requested, it will be possible for access to be obtained without the need to make a formal application under the Right to Information Act 2009 (Qld) or Information Privacy Act 2009 (Qld). For further advice on dealing with requests, refer to the Right to Information and Privacy Office.

Sometimes, persons supply original documents to the University, such as birth certificates, or certified academic records of study undertaken elsewhere. Where it is practicable to do so, original documents supplied by a person may be returned to them, and should be returned upon request. If this occurs, University records relevant to the transaction should include an annotation indicating that original documents have been sighted and returned.

4.4.2 Disclosure to third parties only with the consent of the student or staff member concerned

Personal information may be disclosed to third parties with the consent of the student or staff member concerned. Such consent cannot be assumed, and should be given expressly and in writing. It cannot be assumed, for instance, that the University has implied consent to routinely supply student details to professional associations, potential employers or parents.

Except in the special cases mentioned below (see items 4.4.4 and 4.4.5), the fact that the enquirer may hold an official position, for example, as an officer of a government department, or in some other way may claim a special or even official right to obtain information, is irrelevant. Nor does it matter whether the enquiry is made informally or by means of a formal written document.

Details of a student's academic record should not be given to third parties even though the results may have been published at the time of release in the normal way. If an enquiry concerning a student's record is made by a person or body clearly having a valid reason for seeking the information, e.g. another university or a prospective employer forwarding details of the record as furnished to the enquirer by the student, the enquiry should be referred to the Academic Registrar, who will, if appropriate, verify the record so furnished.

Heads of organisational units and the Human Resources Division may from time to time receive enquiries, often by telephone, from credit providers, in connection with applications by staff for credit facilities, and from real estate agents, in connection with rental of premises by staff. The enquirer usually asks for confirmation of employment and salary. The University is willing to assist the staff member in these cases and will provide confirmation of employment and salary level. This should only be done however where the staff member in question has advised the head of school in advance that an enquiry may be made by a credit provider or real estate agent and the staff member consents to the release of the information sought.

Where no prior advice has been received from the staff member concerning the possibility of an inquiry by the credit provider or other enquirer, the enquirer should be advised to make a request in writing. Such a request should include written evidence that release of this information has the staff member's consent or be checked with the staff member before any information is given.

Occasionally, persons undertaking research or those seeking genealogical information may make enquiries for access to personal information concerning former staff or students. Such enquiries may also be made by persons needing details for honours, obituaries and the like. These enquiries must be referred to the University Archivist for assistance (telephone 3365 6205).

4.4.3 Disclosure of matters of public record

Additionally, there is a limited amount of apparently personal information held by the University which in fact amounts to a matter of public record. A notable example is the status of a person as a graduate of The University of Queensland. Where members of the public enquire about the status of persons as graduates of the University, they may be encouraged to use the publicly available sources such as the Online Verification of Qualifications ( or the University Library (bound volumes entitled "Programs for Conferral of Degrees", Library Call No LG711.5.C4 Fryer Per). Alternatively, they may be advised to write to the Academic Registrar. Where the association with the University is more than 20 years ago, enquiries should be directed to the University Archivist. The University's official graduation records are held in central administration.

The fact that a student is enrolled at the University is not treated as a matter of public record. Consequently, such information should be disclosed only in the circumstances outlined in this procedure.

It should not automatically be assumed that divulging apparently innocuous information, such as staff lists, is acceptable. This is because of the opportunities which exist for using sophisticated software technologies to consolidate that information with other publicly available information and produce selected mailing list, for example, for the direct marketing industry. Such requests should be referred to the Human Resources Division or the Chief Operating Officer.

4.4.4 Disclosure of personal information under statutory or other legal authority

In some cases, legislation has conferred upon certain public officers the right to demand and receive information, even though it would otherwise be regarded as confidential. A typical example is the Income Tax Assessment Act 1937 (Cth) under which the Commissioner can authorise officers of the Australian Taxation Office to require any person to answer any question or to produce any document for inspection. The Departments of Education and Training, Immigration and Border Protection, or Social Services may also have powers to obtain access to personal information in specific circumstances.

Under Information Privacy Principle 11, although generally personal information should not be disclosed, it may be if the disclosure is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.

In cases where enquiries are received from public officials, the relevant statutory authority to obtain access to such information should be requested. Statutory authority should be detailed in writing, as should written verification of appointment as a person entitled to require the information. When this authority is produced, the enquiry should be referred to the University Legal Officer for confirmation, or where the Legal Officer is unavailable, to the Chief Operating Officer.

Until such confirmation is obtained, inspection of University documents is not permitted, no personal information should be released verbally and copies of documents should not be provided.

Similarly, where disclosure is sought in the course of legal proceedings, e.g. by service of a subpoena or notice of third party disclosure, this must at all times be referred promptly to the University Legal Office for action.

4.4.5 Disclosure in instances of wrongdoing associated with university activities

Staff in Faculty offices and in various sections of Central Administration often obtain transcripts of the academic record of persons seeking admission to a particular course of study, or who apply for a position on the University staff or for various forms of financial assistance. Occasionally, such staff may become aware that such records appear to have been falsified in order to obtain admission or appointment. These are examples of a wider class of instances where wrongdoing in connection with University affairs is suspected.

Where staff suspect that some form of record falsification or other wrongdoing has occurred, any reporting of the issue should be to their supervisor in the first instance and then to the Chief Operating Officer. At no time should staff disclose such information directly to entities outside the University.

Occasionally, police officers involved in investigations of offences associated with University activities or the misuse of University property, will make enquiries for personal information about staff or students to assist with their enquiries. In exceptional circumstances, the University may consider release of such information. All such enquiries must be referred to the University Legal Office.

4.4.6 Requests associated with bona fide research activities

The University is willing to assist bona fide researchers undertaking studies, for example, by the distribution of questionnaires within the University community. Any assistance must be approved by the Chief Operating Officer.

Material to which such requests relate and which will be forwarded to staff/students must contain a clear statement of purpose, and responses must be entirely voluntary and made directly to the researcher.

Usually, the University will either distribute the material within the University internal mail system, provide name/address labels or email lists under stringent conditions associated with the preservation of individual privacy. Costs will normally be recovered from the researcher. The University will provide no other follow-up or forwarding services.

5. Access and Amendment of Personal Information

The University of Queensland will, on request from a staff member or student, disclose documents it holds about that staff member or student. The disclosure will be in accordance with the Right to Information Act 2009, the Information Privacy Act 2009 and the University Right to Information policy and procedure.

The University will, on request from a staff member or student, amend personal information about the person to ensure that the information is up to date, accurate and complete.

6. Transborder Data Flows

In certain circumstances, it may be necessary for the University to transfer personal information interstate or overseas. For example, details of student enrolment may be provided to an educational institution overseas for the purpose of an international exchange. In transferring personal information outside of Queensland, the University will comply with those provisions of the Information Privacy Act 2009 relating to transborder data flows.

7. Contractors

The University regularly enters into contracts for the receipt or supply of goods and services. In entering into a contract for the supply by a third party of goods or services, the University will take reasonable steps to contractually bind the third party to comply with the Information Privacy Principles in the Information Privacy Act 2009.

8. Privacy Complaints

Privacy issues can be discussed with the Right to Information and Privacy Office, if necessary, on a confidential basis. If an individual believes that their privacy has been breached, a complaint may be made in writing to the Right to Information and Privacy Office. In order to enable such a complaint to be properly investigated, it should identify the person whose privacy appears to have been breached. Anonymous complaints will not be dealt with.

An investigation will be conducted in consultation with the relevant Head of the organisational unit. The Chief Operating Officer will have final responsibility for resolving the complaint.

If the complaint is not resolved to the individual's satisfaction, and more than 45 business days has passed since the complaint was made to the University, the individual may lodge a complaint with the Office of the Information Commissioner.

9. Privacy Breaches

The Head of the relevant organisational unit must report any breaches of this policy to the Right to Information and Privacy Office as soon as practicable after the breach has been identified. Following notification, the Right to Information and Privacy Office will:

  • For minor breaches of the policy – liaise with the relevant head on the necessary actions required to prevent a similar breach from occurring; or
  • For major breaches of the policy – instigate an investigation into the breach.

The Chief Operating Officer must be informed of breaches of this policy or procedure and any actions arising out of any investigations.

A breach of this policy or procedure may, depending on the circumstances, constitute a breach of the University Code of Conduct.

Chief Operating Officer Mr Greg Pringle