Compliance Overview

Compliance Framework
Compliance Driver Privacy and Personal Information Protection Act 1998 (NSW)
Classification Level 1
University-wide concern. Impacts on reputation and funding.
Associated Legislation
Associated Standards None
Associated Codes None
Associated Information
Administrative Information
Administrative Body Information and Privacy Commission (NSW)
Administrative Name Ms Samantha Gavel, Privacy Commissioner
Administrative Address Physical Address
Level 17
201 Elizabeth Street
Sydney NSW
Australia, 2000
Mailing Address
GPO Box 7011
Sydney NSW
Australia, 2001
Administrative Phone 1800 472 679
Administrative Email ipcinfo@ipc.nsw.gov.au
Administrative Website http://www.ipc.nsw.gov.au/
General Introduction
VC Compliance Delegate Kate McNarn, Director Governance and University Secretary
Compliance Coordinator Alicia Zikan, Head Records Policy and Governance
Business Units Impacted
  • Advancement, Communications, and Events Directorate
  • Animal Genetics and Breeding Unit
  • Australian Business Research Institute
  • Business Intelligence
  • Centre for Agriculture and Law
  • Centre for Analytics Software Infomatics
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Collaborative Research Centres
  • Corporate Communications and Events
  • CRC for Beef Genetic Technologies
  • Education Enterprise
  • Education Quality
  • English Language Centre
  • Estate and Built Environment
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Finance
  • Heritage Centre
  • Heritage Futures Research Centre
  • Institute for Rural Futures
  • Internal Audit
  • Legal Services
  • Library Services
  • Office of Strategy Management
  • Office of the Chief Financial Officer
  • Office of the Chief Operating Officer
  • Office of the Deputy Vice-Chancellor
  • Office of the Deputy Vice-Chancellor (Research)
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • People and Culture
  • Place Based@UNE
  • Records Team
  • Records, Policy and Governance Unit
  • Research Centres and Institutes
  • Research Services
  • Residential System
  • Rural Properties
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement
  • Student Experience
  • Student Grievance Unit
  • Technology and Digital Services
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation Limited
  • UNE Foundation Trust
  • UNE International
  • UNE Life
  • UNE Marketing
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • University Secretariat
  • Yarm Gwanga
Overview As a NSW public sector agency responsible for the holding of personal information, the University must comply with the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW). In addition, the University must comply with the Privacy Act 1988 (Cth) in relation to:
a. Personal information the University collects and holds regarding student assistance provided by the Commonwealth (which is an obligation under Section 19-60 of the Higher Education Support Act 2003 (Cth)); and
b. Tax file number information (in accordance with the Tax File Number Guidelines, a legislative instrument under the Privacy Act 1988 (Cth)).

Compliance Obligations

Comply with legislation
Description Compliance with the Privacy Management Principles and the Privacy Management Rule will assist with compliance with the legislative obligations.

The University's Privacy Management Principles are a combination of the:
- Information Protection Principles (IPPs) under the Privacy and Personal Information Protection Act 1998 (NSW),
- Health Privacy Principles (HPPs) under the Health Records and Information Privacy Act 2002 (NSW), and
- Federal Australian Privacy Principles (APPs) under the Privacy Act 1988.

The University's Privacy Management Principles are:
1. That collection of information is lawful, direct, relevant, open and transparent;
2. That information is stored securely, not kept any longer than necessary and disposed of appropriately;
3. That information is accurate and accessible to the person to whom it relates; and
4. That information collected for a particular purpose is not used or disclosed for another purpose.
Impacts 1. Fines for non-compliance
2. Negative impact on reputation

Under the Federal APPs, the Privacy Commissioner has the power to apply to the Federal Court for a civil penalty order of up to $1.7 million for serious or repeated breaches.

In addition, under s308H of the Crimes Act 1900 (NSW) unauthorised access to or modification of restricted data held in a computer is an offence with a maximum penalty of imprisonment for 2 years.

Responsible Manager Alicia Zikan, Head Records Policy and Governance
Coordinating Officer Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Unit Records, Policy and Governance Unit
Oversight Committee/Group None
Business Units Impacted
  • Advancement, Communications, and Events Directorate
  • Animal Genetics and Breeding Unit
  • Australian Business Research Institute
  • Business Intelligence
  • Centre for Agriculture and Law
  • Centre for Analytics Software Infomatics
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Collaborative Research Centres
  • Corporate Communications and Events
  • Education Enterprise
  • Education Quality
  • English Language Centre
  • Estate and Built Environment
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Finance
  • Heritage Centre
  • Heritage Futures Research Centre
  • Institute for Rural Futures
  • Internal Audit
  • Legal Services
  • Library Services
  • Office of Strategy Management
  • Office of the Chief Financial Officer
  • Office of the Chief Operating Officer
  • Office of the Deputy Vice-Chancellor
  • Office of the Deputy Vice-Chancellor (Research)
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • People and Culture
  • Place Based@UNE
  • Records Team
  • Records, Policy and Governance Unit
  • Research Centres and Institutes
  • Research Services
  • Residential System
  • Rural Properties
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement
  • Student Experience
  • Student Grievance Unit
  • Technology and Digital Services
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation Limited
  • UNE Foundation Trust
  • UNE International
  • UNE Life
  • UNE Marketing
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy None
Procedure None
Guideline None
Other Websites
 
Personal Information
Description Personal information is defined in the Privacy and Personal Information Protection Act 1998 (the Act) as "information or an opinion" "about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion".

Examples:
- The Office of the Australian Information Commissioner provides the following as common examples of personal information - "individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person."
- Section 4(2) of the Act specifically includes "an individual's fingerprints, retina prints, body samples or genetic characteristics" as personal information, whilst section 4(3) lists exclusions from the definition of personal information.

Context - It is important to consider contextual factors when determining if information is personal information and therefore subject to the Act. This is particularly relevant in determining whether an individual's identity is reasonably ascertainable. The Office of the Privacy Commissioner NSW provides a fact sheet which "offers interpretation and guidance on the meaning of 'reasonably ascertainable identity'". This fact sheet can be accessed via the associated information link below.
Impacts Under section 70 of the Act "Proceedings for an offence against this Act are to be dealt with summarily before the Local Court."
Responsible Manager Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Officer Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Unit Records, Policy and Governance Unit
Oversight Committee/Group None
Business Units Impacted
  • Advancement, Communications, and Events Directorate
  • Animal Genetics and Breeding Unit
  • Australian Business Research Institute
  • Business Intelligence
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Communications and Events
  • Education Enterprise
  • Education Quality
  • English Language Centre
  • Estate and Built Environment
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Finance
  • Heritage Centre
  • Heritage Futures Research Centre
  • Institute for Rural Futures
  • Internal Audit
  • Legal Services
  • Library Services
  • Office of Strategy Management
  • Office of the Chief Financial Officer
  • Office of the Chief Operating Officer
  • Office of the Deputy Vice-Chancellor
  • Office of the Deputy Vice-Chancellor (Research)
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • People and Culture
  • Place Based@UNE
  • Records Team
  • Records, Policy and Governance Unit
  • Research Services
  • Residential System
  • Rural Properties
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement
  • Student Experience
  • Student Grievance Unit
  • Technology and Digital Services
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation Limited
  • UNE Foundation Trust
  • UNE International
  • UNE Life
  • UNE Marketing
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information
Management Tools
Rule Privacy Management Rule
Policy None
Procedure None
Guideline None
Other Websites
 
Personal Information/restricted data held in a computer
Description Under section 308H of the NSW Crimes Act 1900:

"A person:
(a) who causes any unauthorised access to or modification of restricted data held in a computer, and
(b) who knows that the access or modification is unauthorised, and
(c) who intends to cause that access or modification,
is guilty of an offence."

In this section, "restricted data" means "data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer."
Impacts Under s308H an "offence against this section is a summary offence" and carries a maximum penalty of imprisonment for 2 years.

Note: Summary offences are matters that are tried by a judge alone. If you are charged with a summary offence you do not have the right to have a trial by jury.
Responsible Manager Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Officer Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Unit Records, Policy and Governance Unit
Oversight Committee/Group None
Business Units Impacted
  • Advancement, Communications, and Events Directorate
  • Animal Genetics and Breeding Unit
  • Australian Business Research Institute
  • Business Intelligence
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Communications and Events
  • Education Enterprise
  • Education Quality
  • English Language Centre
  • Estate and Built Environment
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Finance
  • Heritage Centre
  • Heritage Futures Research Centre
  • Institute for Rural Futures
  • Internal Audit
  • Legal Services
  • Library Services
  • Office of Strategy Management
  • Office of the Chief Financial Officer
  • Office of the Chief Operating Officer
  • Office of the Deputy Vice-Chancellor
  • Office of the Deputy Vice-Chancellor (Research)
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • People and Culture
  • Place Based@UNE
  • Records Team
  • Records, Policy and Governance Unit
  • Research Services
  • Residential System
  • Rural Properties
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement
  • Student Experience
  • Student Grievance Unit
  • Technology and Digital Services
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation Limited
  • UNE Foundation Trust
  • UNE International
  • UNE Life
  • UNE Marketing
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy Code of Conduct
Procedure None
Guideline None
Other Websites
 
Privacy - Tax File Numbers - Staff
Description The University, as a Tax file number (TFN) recipient, must comply with the TFN Rules issued under section 17 of the Federal Privacy Act 1988. The TFN Rule protects the TFN information of individuals by regulating “the collection, storage, use, disclosure, security and disposal of individuals’ tax file number (TFN) information.”

TFNs are unique identifiers and the University “must only request or collect TFN information from individuals and other TFN recipients for a purpose authorised by taxation law, personal assistance law or superannuation law” (clause 8(1) of the TFN Rule). As an employer the University may collect TFN information in relation to:
1. The pay as you go (PAYG) withholding regime under Part 2-5 of Schedule 1 to the Taxation Administration Act 1953. Under Division 3 of Part VA of the Income Tax Assessment Act 1936 employers collect tax file numbers from their employees via a tax file number declaration as part of their PAYG obligations. The TFNs are recorded in the payroll system and used to prepare employees' payment summaries under the PAYG withholding system. Disclosure is permitted to the Australian Taxation Office/Commissioner of Taxation.
2. Its employees under the Superannuation Industry (Supervision) Act 1993 and in connection with the operation of that Act. The purpose of the collection is to pass the tax file number to the superannuation fund to which the University contributes on the employee's behalf. Disclosure is permitted to the trustee of a nominated superannuation fund to which the University contributes on behalf of the employee.

It should be noted that no law exists in Australia making the quotation of a TFN a requirement, although the quotation of a TFN is a condition for the receipt of personal assistance payments, and non-quotation under the PAYG regime will result in a higher percentage being withheld.

Impacts It is an offence under sections 8WA and 8WB of the Taxation Administration Act 1953 to request, record, use or disclose tax file numbers, other than as permitted by these sections. The maximum penalty that applies to offenders is an $18,000 fine (100 penalty units) or two years imprisonment or both.


Responsible Manager Kirsten Clayton, Director People and Culture
Coordinating Officer Kirsten Clayton, Director People and Culture
Coordinating Unit People and Culture
Oversight Committee/Group None
Business Units Impacted
  • Finance
  • Office of the Chief Operating Officer
  • People and Culture
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy None
Procedure None
Guideline None
Other Websites OAIC Information
 
Privacy Complaint Management
Description The University’s Privacy Officer must be informed of all privacy concerns and complaints, including potential breaches of privacy associated with the University and its controlled entities in the management of its operations and obligations. All privacy concerns and complaints will be addressed in accordance with the relevant legislation and the University's Privacy Management Rule.

Complaints may be addressed in one of two ways:
a. Informally, via the UNE Privacy Officer; or
b. Formally, but only in relation to the applicant's own personal or health information (in accordance with Section 53) via an internal review request to privacy@une.edu.au.

FORMAL COMPLAINTS
Formal complaints are addressed by lodging an internal review request form within six months of the affected individual becoming aware of the conduct in question, and must be processed by the University within 60 days of receipt [the form can be accessed via the Associated Information section below]. The University is required to inform the NSW Privacy Commissioner of any applications for internal review, and to provide the Commissioner with a copy of:
a. The internal review application;
b. A draft review report; and
c. The final review report.

If the internal review is not completed within 60 days, or if the applicant is unhappy with the results of the internal review, they have 28 days to ask the NSW Civil and Administrative Tribunal (NCAT) to review the conduct or decision complained about. NCAT will assess whether or not the University complied with its privacy obligations. [Further information and the form to lodge an Administrative Review Application can be found via the links in Associated Information below].
Impacts Where a person has applied to NCAT (NSW Civil & Administrative Tribunal) for a review, NCAT may:
1. Decide not to take any action.
2. Award compensation (damages) of up to $40,000 for any financial loss, or psychological or physical harm, due to the conduct of the University.
3. Require the University to stop any conduct or action which contravenes an information protection principle or a health privacy principle.
4. Require the performance of an information protection principle or a health privacy principle correcting personal information that has been disclosed.
Responsible Manager Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Officer Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Unit Records, Policy and Governance Unit
Oversight Committee/Group None
Business Units Impacted
  • Advancement, Communications, and Events Directorate
  • Animal Genetics and Breeding Unit
  • Australian Business Research Institute
  • Business Intelligence
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Communications and Events
  • Education Enterprise
  • Education Quality
  • English Language Centre
  • Estate and Built Environment
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Finance
  • Heritage Centre
  • Heritage Futures Research Centre
  • Institute for Rural Futures
  • Internal Audit
  • Legal Services
  • Library Services
  • Office of Strategy Management
  • Office of the Chief Financial Officer
  • Office of the Chief Operating Officer
  • Office of the Deputy Vice-Chancellor
  • Office of the Deputy Vice-Chancellor (Research)
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • People and Culture
  • Place Based@UNE
  • Records Team
  • Records, Policy and Governance Unit
  • Research Services
  • Residential System
  • Rural Properties
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement
  • Student Experience
  • Student Grievance Unit
  • Technology and Digital Services
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation Limited
  • UNE Foundation Trust
  • UNE International
  • UNE Life
  • UNE Marketing
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information
Management Tools
Rule Privacy Management Rule
Policy Code of Conduct
Procedure None
Guideline None
Other Websites
 
Privacy Management Plan
Description Under s33 of PPIPA the University must have and implement a privacy management plan. A copy of the plan must be provided to the Privacy Commissioner whenever the plan is amended. The University's Privacy Management Rule is the University's privacy management plan for the purposes of s33.
Impacts
Responsible Manager Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Officer Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Unit Records, Policy and Governance Unit
Oversight Committee/Group None
Business Units Impacted
  • Advancement, Communications, and Events Directorate
  • Animal Genetics and Breeding Unit
  • Australian Business Research Institute
  • Business Intelligence
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Communications and Events
  • Education Enterprise
  • Education Quality
  • English Language Centre
  • Estate and Built Environment
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Finance
  • Heritage Centre
  • Heritage Futures Research Centre
  • Institute for Rural Futures
  • Internal Audit
  • Legal Services
  • Library Services
  • Office of Strategy Management
  • Office of the Chief Financial Officer
  • Office of the Chief Operating Officer
  • Office of the Deputy Vice-Chancellor
  • Office of the Deputy Vice-Chancellor (Research)
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • People and Culture
  • Place Based@UNE
  • Records Team
  • Records, Policy and Governance Unit
  • Research Services
  • Residential System
  • Rural Properties
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement
  • Student Experience
  • Student Grievance Unit
  • Technology and Digital Services
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation Limited
  • UNE Foundation Trust
  • UNE International
  • UNE Life
  • UNE Marketing
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy Code of Conduct
Procedure None
Guideline None
Other Websites
 
Privacy and Data Breach Management - TFN related
Description The Privacy Amendment (Notifiable Data Breaches) Act 2017 will take effect from February 2018, amending the Federal Privacy Act 1988 (the Act).

This amendment will impact on the University because, under section 11 of the Privacy Act 1988, the University is a file number recipient: “A person who is (whether lawfully or unlawfully) in possession or control of a record that contains tax file number information shall be regarded, for the purposes of this Act, as a file number recipient.” The new Part IIIC - Notification of Eligible Data Breaches applies to an entity, and “entity includes a person who is a file number recipient.” (Note: if notification is required under section 75 of the My Health Records Act 2012, this Part does not apply in relation to the access, disclosure or loss.)
The University receives and stores Tax File Numbers (TFNs) of:
- Employees (Ascender Pay); and
- Students (Callista) - note, the University will only hold a TFN where the student has completed a form for Commonwealth assistance.

The University will need to notify the Office of the Australian Information Commissioner where an eligible data breach has occurred that involves TFN information. Under section 26WG(2) “For the purposes of this Act, if:
(a) both of the following conditions are satisfied:
(i) there is unauthorised access to, or unauthorised disclosure of, the information;
(ii) a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
(b) the information is lost in circumstances where:
(i) unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
(ii) assuming that unauthorised access to, or unauthorised disclosure of the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;
then:
(c) the access or disclosure covered by paragraph (a), or the loss covered by paragraph (b), is an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; and
(d) an individual covered by subparagraph (a)(ii) or (b)(ii) is at risk from the eligible data breach.”

Under s26WH an assessment of a suspected data breach must be carried out within 30 days of becoming aware.

Exceptions:
s26WF - where remedial action is taken before serious harm to individuals
s26WJ - eligible data breaches of other entities

Impacts
Responsible Manager Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Officer Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Unit Records, Policy and Governance Unit
Oversight Committee/Group None
Business Units Impacted
  • Advancement, Communications, and Events Directorate
  • Animal Genetics and Breeding Unit
  • Australian Business Research Institute
  • Business Intelligence
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Communications and Events
  • Education Enterprise
  • Education Quality
  • English Language Centre
  • Estate and Built Environment
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Finance
  • Heritage Centre
  • Heritage Futures Research Centre
  • Institute for Rural Futures
  • Internal Audit
  • Legal Services
  • Library Services
  • Office of Strategy Management
  • Office of the Chief Financial Officer
  • Office of the Chief Operating Officer
  • Office of the Deputy Vice-Chancellor
  • Office of the Deputy Vice-Chancellor (Research)
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • People and Culture
  • Place Based@UNE
  • Records Team
  • Records, Policy and Governance Unit
  • Research Services
  • Residential System
  • Rural Properties
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement
  • Student Experience
  • Student Grievance Unit
  • Technology and Digital Services
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation Limited
  • UNE Foundation Trust
  • UNE International
  • UNE Life
  • UNE Marketing
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information
Management Tools
Rule Privacy Management Rule
Policy None
Procedure None
Guideline None
Other Websites OAIC Information
 
Privacy and Photography
Description "Photographs, images, video or audio footage" are considered to be personal information by the Information and Privacy Commission New South Wales (http://www.ipc.nsw.gov.au/guide-privacy-laws-nsw), and may include sensitive information. When considering personal information within this context, the University must ensure that:
a. collection of information is lawful, direct, relevant, open and transparent;
b. information is stored securely, not kept any longer than necessary and disposed of appropriately;
c. information is accurate and accessible to the person to whom it relates; and
d. information collected for a particular purpose is not used or disclosed for another purpose (see clause (11) of the Privacy Management Rule).

CHILDREN
Children are considered to be vulnerable people, and as such there is great vigilance required around the collection and use of their personal information. Where children are involved, it is imperative to obtain permission from their parent/guardian for photographs to be taken. Any permission slip filled out by parents/guardians for children to attend an event where photographs/videos may be taken should include a checkbox and statement (or similar) to ensure that:
(i) parents/guardians are aware of the possibility that their child’s photo may be taken,
(ii) they understand why and where the photograph may appear, and
(iii) they provide their permission for this to occur.


ADULTS
Taking photographs of adults may not require their formal written permission, although as a matter of course, reasonable steps are to be taken to ensure individuals are aware of and provide their consent for their photograph to be taken. This is especially so if their image is going to appear on a website (see the information from the Office of the Australian Information Commissioner (OAIC) in the 'Associated Information' below).
Impacts
Responsible Manager Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Officer Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Unit Records, Policy and Governance Unit
Oversight Committee/Group None
Business Units Impacted
  • Advancement, Communications, and Events Directorate
  • Animal Genetics and Breeding Unit
  • Australian Business Research Institute
  • Business Intelligence
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Communications and Events
  • Education Enterprise
  • Education Quality
  • English Language Centre
  • Estate and Built Environment
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Finance
  • Heritage Centre
  • Heritage Futures Research Centre
  • Institute for Rural Futures
  • Internal Audit
  • Legal Services
  • Library Services
  • Office of Strategy Management
  • Office of the Chief Financial Officer
  • Office of the Chief Operating Officer
  • Office of the Deputy Vice-Chancellor
  • Office of the Deputy Vice-Chancellor (Research)
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • People and Culture
  • Place Based@UNE
  • Records Team
  • Records, Policy and Governance Unit
  • Research Services
  • Residential System
  • Rural Properties
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement
  • Student Experience
  • Student Grievance Unit
  • Technology and Digital Services
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation Limited
  • UNE Foundation Trust
  • UNE International
  • UNE Life
  • UNE Marketing
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information
Management Tools
Rule Privacy Management Rule
Records Management Rule
Policy None
Procedure None
Guideline None
Other Websites
 
Privacy and Residential Colleges
Description To ensure compliance with the University's Privacy Management Rule, where a student resides in one of the University's residential colleges, the student's progress/results may be disclosed to the University's Director of Residential Services, or their delegate - and only in accordance with the Course Progression Rule and Procedures.

Under no circumstances is it acceptable for this personal information about a student to be shared between third parties without the consent of the student, for example between staff members/Residential Leaders of a University Residential College and staff members of a University School or business unit.
Impacts This is reiterated on an annual basis to Heads of College and to all new staff within the Residential System to ensure students' progress/results are not shared with any other staff members and/or student leaders without consent. Impacts include loss of trust with the student and a potential student complaint against a staff member.
Responsible Manager Leah Cook, Director UNE Residential System
Coordinating Officer Leah Cook, Director UNE Residential System
Coordinating Unit Residential System
Oversight Committee/Group None
Business Units Impacted
  • Education Enterprise
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Legal Services
  • Office of the Chief Operating Officer
  • Residential System
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Student Experience
  • UNE Business School
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Student Support Policy
Policy Course and Unit Coordinator Policy
Privacy Management Rule
Student (Related) Grievance Handling Policy
Procedure Course Coordinator Procedures
Staff Recruitment Procedures
Student (Related) Grievance Handling Procedures
Student Support Procedures
Guideline None
Other Websites
 
Privacy and Special Needs
Description Before any information is sought or released by the Special Needs Office in relation to a student registering/registered with that office to another area of the University or a third party, it is a requirement that the student is informed of the purpose for which the information is sought/to be released and their consent obtained unless:
a. The 'use of the information for that other purpose is required or authorised by/or under law', or
b. It is believed, on reasonable grounds, that 'use of the information (disclosure) … is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person'.
Impacts
Responsible Manager Richard Dobek, Executive Principal Student Experience
Coordinating Officer Richard Dobek, Executive Principal Student Experience
Coordinating Unit Student Experience
Oversight Committee/Group None
Business Units Impacted
  • English Language Centre
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Office of the Deputy Vice-Chancellor
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Residential System
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Student Experience
  • UNE Business School
  • UNE International
Obligation Framework
Associated Legislation None
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy None
Procedure None
Guideline None
Other Websites
 
Public Register vs publicly available publication
Description Under section 4 of the Act, a public register "means a register of personal information that is required by law to be, or is made, publicly available or open to public inspection". Further information is contained in Part 6 which requires that the "personal information kept in the register" must not be disclosed "unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register or the Act under which the register is kept." Examples of a public register include the Radiation Control Act public register (containing licensee information); the Service NSW Charitable fundraising Register (listing organisations authorised to fundraise for charitable purposes); and the NSW electoral roll.

Under section 4(3)(b) of the Act, personal information does not include "information about an individual that is contained in a publicly available publication". In University of NSW v PC [2008] NSWADTAP 26, para 23 it was stated that "A publication can not, I consider, be publicly available if there is a restriction on access to the publication (other than possibly the requirement for a reasonable payment)." Examples of a publicly available publication include newspapers and journals published and distributed for public consumption.
Impacts Under section 70 of the Act "Proceedings for an offence against this Act are to be dealt with summarily before the Local Court."
Responsible Manager Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Officer Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Unit Records, Policy and Governance Unit
Oversight Committee/Group None
Business Units Impacted
  • Advancement, Communications, and Events Directorate
  • Animal Genetics and Breeding Unit
  • Australian Business Research Institute
  • Business Intelligence
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Communications and Events
  • Education Enterprise
  • Education Quality
  • English Language Centre
  • Estate and Built Environment
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Finance
  • Heritage Centre
  • Heritage Futures Research Centre
  • Institute for Rural Futures
  • Internal Audit
  • Legal Services
  • Library Services
  • Office of Strategy Management
  • Office of the Chief Financial Officer
  • Office of the Chief Operating Officer
  • Office of the Deputy Vice-Chancellor
  • Office of the Deputy Vice-Chancellor (Research)
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • People and Culture
  • Place Based@UNE
  • Records Team
  • Records, Policy and Governance Unit
  • Research Services
  • Residential System
  • Rural Properties
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement
  • Student Experience
  • Student Grievance Unit
  • Technology and Digital Services
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation Limited
  • UNE Foundation Trust
  • UNE International
  • UNE Life
  • UNE Marketing
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy None
Procedure None
Guideline None
Other Websites Public Registers
University of New South Wales v PC (GD) [2008] NSWADTAP 26
 
Transborder Disclosure and Cloud Computing
Description Under the special restrictions on disclosure of personal information in section 19 (2) "A public sector agency that holds personal information about an individual must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless:

(a) the public sector agency reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the information protection principles, or
(b) the individual expressly consents to the disclosure, or
(c) the disclosure is necessary for the performance of a contract between the individual and the public sector agency, or for the implementation of pre-contractual measures taken in response to the individual’s request, or
(d) the disclosure is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the public sector agency and a third party, or
(e) all of the following apply:
(i) the disclosure is for the benefit of the individual,
(ii) it is impracticable to obtain the consent of the individual to that disclosure,
(iii) if it were practicable to obtain such consent, the individual would be likely to give it, or
(f) the disclosure is reasonably believed by the public sector agency to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person, or
(g) the public sector agency has taken reasonable steps to ensure that the information that it has disclosed will not be held, used or disclosed by the recipient of the information inconsistently with the information protection principles, or
(h) the disclosure is permitted or required by an Act (including an Act of the Commonwealth) or any other law."

In support of this privacy requirement, the NSW Government Cloud Policy, which the University as a statutory body must adhere to, states "Where the use of cloud computing requires the transmission or storage of personal information, including health information, agencies must ensure that their arrangements comply with relevant privacy and disclosure requirements."
Impacts Where a person has applied to NCAT (NSW Civil & Administrative Tribunal) for a review, NCAT may:
1. Decide not to take any action.
2. Award compensation (damages) of up to $40,000 for any financial loss, or psychological or physical harm, due to the conduct of the University.
3. Require the University to stop any conduct or action which contravenes an information protection principle or a health privacy principle.
4. Require the performance of an information protection principle or a health privacy principle correcting personal information that has been disclosed.
Responsible Manager Alicia Zikan, Head Records Policy and Governance
Coordinating Officer Alicia Zikan, Advisor (Privacy and Compliance)
Coordinating Unit Records, Policy and Governance Unit
Oversight Committee/Group None
Business Units Impacted
  • Advancement, Communications, and Events Directorate
  • Animal Genetics and Breeding Unit
  • Australian Business Research Institute
  • Business Intelligence
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Communications and Events
  • Education Enterprise
  • Education Quality
  • English Language Centre
  • Estate and Built Environment
  • Faculty of Humanities, Arts, Social Sciences and Education
  • Faculty of Medicine and Health
  • Faculty of Science, Agriculture, Business and Law
  • Finance
  • Heritage Centre
  • Heritage Futures Research Centre
  • Institute for Rural Futures
  • Internal Audit
  • Legal Services
  • Library Services
  • Office of Strategy Management
  • Office of the Chief Financial Officer
  • Office of the Chief Operating Officer
  • Office of the Deputy Vice-Chancellor
  • Office of the Deputy Vice-Chancellor (Research)
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • People and Culture
  • Place Based@UNE
  • Records Team
  • Records, Policy and Governance Unit
  • Research Services
  • Residential System
  • Rural Properties
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities, Arts and Social Sciences
  • School of Law
  • School of Psychology
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement
  • Student Experience
  • Student Grievance Unit
  • Technology and Digital Services
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation Limited
  • UNE Foundation Trust
  • UNE International
  • UNE Life
  • UNE Marketing
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information
Management Tools
Rule Privacy Management Rule
Policy Code of Conduct
Procedure None
Guideline None
Other Websites