Compliance Overview

Compliance Framework
Compliance Driver Privacy and Personal Information Protection Act 1998 (NSW)
Classification Level 1
University-wide concern. Impacts on reputation and funding.
Associated Legislation
Associated Standards None
Associated Codes None
Associated Information
Return to Top Administrative Information
Administrative Body Information and Privacy Commission (NSW)
Administrative Name Ms Elizabeth Tydd, Privacy Commissioner
Administrative Address Physical Address
Level 17
201 Elizabeth Street
Sydney NSW
Australia, 2000
Mailing Address
GPO Box 7011
Sydney NSW
Australia, 2001
Administrative Phone 1800 472 679
Administrative Email ipcinfo@ipc.nsw.gov.au
Administrative Website http://www.ipc.nsw.gov.au/
Return to Top General Introduction
VC Compliance Delegate Brendan Peet, Chief Legal and Governance Officer
Compliance Coordinator Leanne Nisbet, Senior Governance Officer
Business Units Impacted
  • Academic Board
  • Academic Quality and Analytics
  • Animal Genetics and Breeding Unit
  • Audit and Risk Directorate
  • Australian Business Research Institute
  • Business Intelligence and Data Governance
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Planning and Analytics
  • English Language Centre
  • Facilities Management Service Directorate
  • Financial Services Directorate
  • Heritage Centre
  • Heritage Futures Research Centre
  • Human Resource Services Directorate
  • Information Technology Directorate
  • Institute for Rural Futures
  • Legal Office
  • Marketing and Public Affairs
  • Office of Advancement
  • Office of the Chief Financial Officer
  • Office of the Chief Legal and Governance Officer
  • Office of the Chief Operating Officer
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Pro Vice-Chancellor (Research)
  • Office of the Provost and Deputy Vice-Chancellor
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • Policy and Governance Unit
  • Records Management Office
  • Research Services
  • Rural Properties
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement Directorate
  • Student Administration and Services
  • Student Grievance Unit
  • Teaching and Learning Support
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation charitable trust
  • UNE Foundation Limited
  • UNE FutureCampus
  • UNE International
  • UNE Life
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • UNE Residential System
  • University Library
  • University Secretariat
  • Yarm Gwanga
Overview As a NSW public sector agency responsible for the holding of personal information, the University must comply with the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW). In addition, the University must comply with the Privacy Act 1988 (Cth) in relation to:
a. Personal information the University collects and holds regarding student assistance provided by the Commonwealth (which is an obligation under Section 19-60 of the Higher Education Support Act 2003 (Cth)); and
b. Tax file number information (in accordance with the Tax File Number Guidelines, a legislative instrument under the Privacy Act, 1988(Cth))

Compliance Obligations

Return to Top Comply with legislation
Description Compliance with the Privacy Management Principles and the Privacy Management Rule will assist with compliance with the legislative obligations.

The University's Privacy Management Principles are a combination of the:
- Information Protection Principles (IPPs) under the Personal Information Protection Act 1998 (NSW),
- Health Privacy Principles (HPPs) under Health Records and Information Privacy Act 2002 (NSW), and
- the Federal Australian Privacy Principles (APPs) under the Privacy Act 1988.

The University's Privacy Management Principles are:
1. That collection of information is lawful, direct, relevant, open and transparent;
2. That information is stored securely, not kept any longer than necessary and disposed of appropriately;
3. That information is accurate and accessible to the person to whom it relates; and
4. That information collected for a particular purpose, is not used or disclosed for another purpose.
Impacts 1. Fines for non-compliance
2. Negative impact on reputation

Under the Federal APPs, the Privacy Commissioner has the power to apply to the Federal Court for a civil penalty order of up to $1.7 million for serious or repeated breaches.

In addition, under s308H of the Crimes Act 1900 (NSW) unauthorised access to or modification of restricted data held in a computer is an offence with a maximum penalty of imprisonment for 2 years.

Responsible Manager Brendan Peet, Chief Legal and Governance Officer
Coordinating Officer Leanne Nisbet, Senior Governance Officer
Coordinating Unit Policy and Governance Unit
Business Units Impacted
  • Academic Board
  • Academic Quality and Analytics
  • Animal Genetics and Breeding Unit
  • Audit and Risk Directorate
  • Australian Business Research Institute
  • Business Intelligence and Data Governance
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • English Language Centre
  • Facilities Management Service Directorate
  • Financial Services Directorate
  • Heritage Centre
  • Heritage Futures Research Centre
  • Human Resource Services Directorate
  • Information Technology Directorate
  • Institute for Rural Futures
  • Legal Office
  • Marketing and Public Affairs
  • Office of Advancement
  • Office of the Chief Financial Officer
  • Office of the Chief Legal and Governance Officer
  • Office of the Chief Operating Officer
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Pro Vice-Chancellor (Research)
  • Office of the Provost and Deputy Vice-Chancellor
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • Policy and Governance Unit
  • Records Management Office
  • Research Services
  • Rural Properties
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement Directorate
  • Student Administration and Services
  • Student Grievance Unit
  • Teaching and Learning Support
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation charitable trust
  • UNE Foundation Limited
  • UNE FutureCampus
  • UNE International
  • UNE Life
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • UNE Residential System
  • University Library
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy Code of Conduct
Protocol None
Procedure None
Guideline None
Other Websites
 
Return to Top Personal Information
Description Personal information is defined in the Privacy and Personal Information Protection Act 1998 (the Act) as "information or an opinion" "about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion".

Examples:
- The Office of the Australian Information Commissioner provides the following as common examples of personal information - "individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and commentary or opinion about a person."
- Section 4(2) of the Act specifically includes "an individual's fingerprints, retina prints, body samples or genetic characteristics" as personal information, whilst section 4(3) lists exclusions from the definition of personal information.

Context - It is important to consider contextual factors when determining if information is personal information and therefore subject to the Act. This is particularly relevant in determining whether an individual's identity is reasonably ascertainable - the Office of the Privacy Commissioner NSW, provides a fact sheet which "offers interpretation and guidance on the meaning of 'reasonably ascertainable identity' - this fact sheet can be accessed via the associated information link below.
Impacts Under section 70 of the Act "Proceedings for an offence against this Act are to be dealt with summarily before the Local Court."
Responsible Manager Brendan Peet, Chief Legal and Governance Officer
Coordinating Officer Leanne Nisbet, Senior Governance Officer
Coordinating Unit Policy and Governance Unit
Business Units Impacted
  • Academic Board
  • Academic Quality and Analytics
  • Animal Genetics and Breeding Unit
  • Audit and Risk Directorate
  • Australian Business Research Institute
  • Business Intelligence and Data Governance
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Planning and Analytics
  • English Language Centre
  • Facilities Management Service Directorate
  • Financial Services Directorate
  • Heritage Centre
  • Heritage Futures Research Centre
  • Human Resource Services Directorate
  • Information Technology Directorate
  • Institute for Rural Futures
  • Legal Office
  • Marketing and Public Affairs
  • Office of Advancement
  • Office of the Chief Financial Officer
  • Office of the Chief Legal and Governance Officer
  • Office of the Chief Operating Officer
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Pro Vice-Chancellor (Research)
  • Office of the Provost and Deputy Vice-Chancellor
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • Policy and Governance Unit
  • Records Management Office
  • Research Services
  • Rural Properties
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement Directorate
  • Student Administration and Services
  • Student Grievance Unit
  • Teaching and Learning Support
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation charitable trust
  • UNE Foundation Limited
  • UNE FutureCampus
  • UNE International
  • UNE Life
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • UNE Residential System
  • University Library
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information
Management Tools
Rule Privacy Management Rule
Policy None
Protocol None
Procedure None
Guideline None
Other Websites
 
Return to Top Personal Information/restricted data held in a computer
Description Under section 308h of the NSW Crimes Act 1900:

"A person:
(a) who causes any unauthorised access to or modification of restricted data held in a computer, and
(b) who knows that the access or modification is unauthorised, and
(c) who intends to cause that access or modification,
is guilty of an offence."

In this section " "restricted data" means data held in a computer, being data to which access is restricted by an access control system associated with a function of the computer."
Impacts Under s308h an "offence against this section is a summary offence" and carries a maximum penalty of imprisonment for 2 years.

Note: Summary offences are matters that are be tried by a judge alone. If you are charged with a summary offence you do not have the right to have a trial by jury.
Responsible Manager Brendan Peet, Chief Legal and Governance Officer
Coordinating Officer Leanne Nisbet, Senior Governance Officer
Coordinating Unit Policy and Governance Unit
Business Units Impacted
  • Academic Board
  • Academic Quality and Analytics
  • Animal Genetics and Breeding Unit
  • Audit and Risk Directorate
  • Australian Business Research Institute
  • Business Intelligence and Data Governance
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • English Language Centre
  • Facilities Management Service Directorate
  • Financial Services Directorate
  • Heritage Centre
  • Heritage Futures Research Centre
  • Human Resource Services Directorate
  • Information Technology Directorate
  • Institute for Rural Futures
  • Legal Office
  • Marketing and Public Affairs
  • Office of Advancement
  • Office of the Chief Financial Officer
  • Office of the Chief Legal and Governance Officer
  • Office of the Chief Operating Officer
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Pro Vice-Chancellor (Research)
  • Office of the Provost and Deputy Vice-Chancellor
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • Policy and Governance Unit
  • Records Management Office
  • Research Services
  • Rural Properties
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement Directorate
  • Student Administration and Services
  • Student Grievance Unit
  • Teaching and Learning Support
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation charitable trust
  • UNE Foundation Limited
  • UNE FutureCampus
  • UNE International
  • UNE Life
  • UNE Partnerships Pty Ltd
  • UNE Residential System
  • University Library
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy Code of Conduct
Protocol None
Procedure None
Guideline None
Other Websites
 
Return to Top Privacy - Tax File Numbers - Staff
Description The University, as a Tax file number (TFN) recipient, must comply with the TFN Rules issued under section 17 of the Federal Privacy Act 1988. The TFN Rule protects the TFN information of individuals by regulating “the collection, storage, use, disclosure, security and disposal of individuals’ tax file number (TFN) information.”

TFNs are unique identifiers and the University “must only request or collect TFN information from individuals and other TFN recipients for a purpose authorised by taxation law, personal assistance law or superannuation law” (clause 8(1) of the TFN Rule). As an employer the University may collect TFN information in relation to:
1. The pay as you go (PAYG) withholding regime under Part 2-5 of Schedule 1 to the Taxation Administration Act 1953. Under Division 3 of Part VA of the Income Tax Assessment Act 1936 employers collect tax file numbers from their employees via a tax file number declaration as part of their PAYG obligations. The TFNs are recorded in the payroll system and used to prepare employees' payment summaries under the PAYG withholding system. Disclosure is permitted to the Australian Taxation Office/Commissioner of Taxation.
2. its employees under the Superannuation Industry (Supervision) Act 1993 and in connection with the operation of that Act. The purpose of the collection is to pass the tax file number to the superannuation fund to which they contribute on the employee's behalf. Disclosure is permitted to the trustee of a nominated superannuation fund to which the University contributes on behalf of the employee.

It should be noted that no law exists in Australia making the quotation of a TFN a requirement, although the quotation of a TFN is a condition for the receipt of personal assistance payments, and non-quotation under the PAYG regime will result in a higher % being withheld.

Impacts It is an offence under sections 8WA and 8WB of the Taxation Administration Act 1953 to request, record, use or disclose tax file numbers, other than as permitted by these sections. The maximum penalty that applies to offenders is an $18,000 fine (100 penalty units) or two years imprisonment or both."


Responsible Manager David Thorsen, Director Human Resource Services
Coordinating Officer David Thorsen, Director Human Resource Services
Coordinating Unit Human Resource Services Directorate
Business Units Impacted
  • Financial Services Directorate
  • Human Resource Services Directorate
  • Office of the Chief Operating Officer
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy None
Protocol None
Procedure None
Guideline None
Other Websites OAIC Information
 
Return to Top Privacy Complaint Management
Description The University’s Privacy Officer must be informed of all privacy concerns and complaints, including potential breaches of privacy associated with the University and its controlled entities in the management of its operations and obligations. All privacy concerns and complaints will be addressed in accordance with the relevant legislation and the University's Privacy Management Rule.

Complaints may be addressed in one of two ways:
a. Informally, via the UNE Privacy Officer; or
b. Formally, but only in relation to the applicant's own personal or health information (in accordance with Section 53) via an internal review request to privacy@une.edu.au.

FORMAL COMPLAINTS
Formal complaints are addressed by lodging an internal review request form within six months of the affected individual becoming aware of the conduct in question, and must be processed by the University within 60 days of receipt [the form can be accessed via the Associated Information section below]. The University is required to inform the NSW Privacy Commissioner of any applications for internal review, and to provide the Commissioner with a copy of:
a. The internal review application;
b. A draft review report
c. Final review report.

If the internal review is not completed within 60 days, or if the applicant is unhappy with the results of the internal review, they have 28 days to ask the NSW Civil and Administrative Tribunal (NCAT) to review the conduct or decision complained about. NCAT will assess whether or not the University complied with its privacy obligations. [Further information and the form to lodge an Administrative Review Application can be found via the links in Associated Information below].
Impacts Where a person has applied to NCAT (NSW Civil & Administrative Tribunal) for a review, NCAT may:
1. Decide not to take any action.
2. Award compensation (damages) of up to $40,000 for any financial loss, or psychological or physical harm, due to the conduct of the University.
3. Require the University to stop any conduct or action which contravenes an information protection principle or a health privacy principle.
4. Require the performance of an information protection principle or a health privacy principle correcting personal information that has been disclosed.
Responsible Manager Brendan Peet, Chief Legal and Governance Officer
Coordinating Officer Leanne Nisbet, Senior Governance Officer
Coordinating Unit Policy and Governance Unit
Business Units Impacted
  • Academic Board
  • Academic Quality and Analytics
  • Animal Genetics and Breeding Unit
  • Audit and Risk Directorate
  • Australian Business Research Institute
  • Business Intelligence and Data Governance
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • English Language Centre
  • Facilities Management Service Directorate
  • Financial Services Directorate
  • Heritage Centre
  • Heritage Futures Research Centre
  • Human Resource Services Directorate
  • Information Technology Directorate
  • Institute for Rural Futures
  • Legal Office
  • Marketing and Public Affairs
  • Office of Advancement
  • Office of the Chief Financial Officer
  • Office of the Chief Legal and Governance Officer
  • Office of the Chief Operating Officer
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Pro Vice-Chancellor (Research)
  • Office of the Provost and Deputy Vice-Chancellor
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • Policy and Governance Unit
  • Records Management Office
  • Research Services
  • Rural Properties
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement Directorate
  • Student Administration and Services
  • Student Grievance Unit
  • Teaching and Learning Support
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation charitable trust
  • UNE Foundation Limited
  • UNE FutureCampus
  • UNE International
  • UNE Life
  • UNE Partnerships Pty Ltd
  • UNE Residential System
  • University Library
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information
Management Tools
Rule Privacy Management Rule
Policy Code of Conduct
Protocol None
Procedure None
Guideline None
Other Websites
 
Return to Top Privacy Management Plan
Description Under s33 of PPIPA the University must have and implement a privacy management plan. A copy of the plan must be provided to the Privacy Commissioner whenever the plan is amended. The University's Privacy Management Rule is the University's privacy management plan for the purposes of s33.
Impacts
Responsible Manager Brendan Peet, Chief Legal and Governance Officer
Coordinating Officer Leanne Nisbet, Senior Governance Officer
Coordinating Unit Policy and Governance Unit
Business Units Impacted
  • Academic Board
  • Academic Quality and Analytics
  • Animal Genetics and Breeding Unit
  • Audit and Risk Directorate
  • Australian Business Research Institute
  • Business Intelligence and Data Governance
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • English Language Centre
  • Facilities Management Service Directorate
  • Financial Services Directorate
  • Heritage Centre
  • Heritage Futures Research Centre
  • Human Resource Services Directorate
  • Information Technology Directorate
  • Institute for Rural Futures
  • Legal Office
  • Marketing and Public Affairs
  • Office of Advancement
  • Office of the Chief Financial Officer
  • Office of the Chief Legal and Governance Officer
  • Office of the Chief Operating Officer
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Pro Vice-Chancellor (Research)
  • Office of the Provost and Deputy Vice-Chancellor
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • Policy and Governance Unit
  • Records Management Office
  • Research Services
  • Rural Properties
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement Directorate
  • Student Administration and Services
  • Student Grievance Unit
  • Teaching and Learning Support
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation charitable trust
  • UNE Foundation Limited
  • UNE FutureCampus
  • UNE International
  • UNE Life
  • UNE Partnerships Pty Ltd
  • UNE Residential System
  • University Library
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy Code of Conduct
Protocol None
Procedure None
Guideline None
Other Websites
 
Return to Top Privacy and Data Breach Management - TFN related
Description The Privacy Amendment (Notifiable Data Breaches) Act 2017 will take effect from February 2018, amending the Federal Privacy Act 1988 (the Act).

This amendment will impact on the University, as under section 11 of the Privacy Act 1988, the University is “A person who is (whether lawfully or unlawfully) in possession or control of a record that contains tax file number information shall be regarded, for the purposes of this Act, as a file number recipient.” The new PART IIIC - Notification of Eligible Data Breaches applies to an “entity includes a person who is a file number recipient.” (Note: if notification is required under section 75 of the My Health Records Act 2012, this Part does not apply in relation to the access, disclosure or loss).
The University receives and stores Tax File Numbers (TFNs) of:
o Employees (Ascender Pay); and
o Students (Callista) - note, the University will only hold a TFN where the student has completed a form for Commonwealth assistance.

The University will need to notify the Office of the Australian Information Commissioner where an eligible data breach has occurred that involves TFN information. Under section 26WG(2) “For the purposes of this Act, if:
(a) both of the following conditions are satisfied:
(i) there is unauthorised access to, or unauthorised disclosure of, the information;
(ii) a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
(b) the information is lost in circumstances where:
(i) unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
(ii) assuming that unauthorised access to, or unauthorised disclosure of the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;
then:
(c) the access or disclosure covered by paragraph (a), or the loss 1 covered by paragraph (b), is an eligible data breach of the APP entity, credit reporting body, credit provider or file number recipient, as the case may be; and
(d) an individual covered by subparagraph (a)(ii) or (b)(ii) is at risk from the eligible data breach.”

Under s26WH an assessment of a suspected data breach must be carried out within 30 days of becoming aware.

Exceptions:
s26WF - where remedial action taken before serious harm to individuals
s26WJ - eligible data breaches of other entities

Impacts
Responsible Manager Brendan Peet, Chief Legal and Governance Officer
Coordinating Officer Leanne Nisbet, Senior Governance Officer
Coordinating Unit Policy and Governance Unit
Business Units Impacted
  • Academic Board
  • Academic Quality and Analytics
  • Animal Genetics and Breeding Unit
  • Audit and Risk Directorate
  • Australian Business Research Institute
  • Business Intelligence and Data Governance
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Planning and Analytics
  • English Language Centre
  • Facilities Management Service Directorate
  • Financial Services Directorate
  • Heritage Centre
  • Heritage Futures Research Centre
  • Human Resource Services Directorate
  • Information Technology Directorate
  • Institute for Rural Futures
  • Legal Office
  • Marketing and Public Affairs
  • Office of Advancement
  • Office of the Chief Financial Officer
  • Office of the Chief Legal and Governance Officer
  • Office of the Chief Operating Officer
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Pro Vice-Chancellor (Research)
  • Office of the Provost and Deputy Vice-Chancellor
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • Policy and Governance Unit
  • Records Management Office
  • Research Services
  • Rural Properties
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement Directorate
  • Student Administration and Services
  • Student Grievance Unit
  • Teaching and Learning Support
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation charitable trust
  • UNE Foundation Limited
  • UNE FutureCampus
  • UNE International
  • UNE Life
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • UNE Residential System
  • University Library
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information
Management Tools
Rule Privacy Management Rule
Policy None
Protocol None
Procedure None
Guideline None
Other Websites OAIC Information
 
Return to Top Privacy and Photography
Description "Photographs, images, video or audio footage" are considered to be personal information by the Information and Privacy Commission New South Wales (http://www.ipc.nsw.gov.au/guide-privacy-laws-nsw), and may include sensitive information. When considering personal information within this context, the University must ensure that:
a. collection of information is lawful, direct, relevant, open and transparent;
b. information is stored securely, not kept any longer than necessary and disposed of appropriately;
c. information is accurate and accessible to the person to whom it relates; and
d. information collected for a particular purpose, is not used or disclosed for another purpose. (see clause (11) of the Privacy Management Rule)

CHILDREN
Children are considered to be vulnerable people, and as such there is great vigilance required around the collection and use of their personal information. Where children are involved, it is imperative to obtain permission from their parent/guardian for photographs to be taken. Any permission slip filled out by parents/guardians for children to attend an event where
photographs/videos may be taken, should include a checkbox and statement (or similar) to ensure that :
(i) parents/guardians are aware of the possibility that their child’s photo may be taken,
(ii) that they understand why and where the photograph may appear, and
(iii) that they provide their permission for this to occur.


ADULTS
Taking photographs of adults may not require their formal written permission, although as a matter of course, reasonable steps are to be taken to ensure individuals are aware of and provide their consent for their photograph to be taken - this is especially so if their image is going to appear on a website (see the information from the Office of the Australian Information Commissioner (OAIC) in the 'Associated Information' below).
Impacts
Responsible Manager Brendan Peet, Chief Legal and Governance Officer
Coordinating Officer Leanne Nisbet, Senior Governance Officer
Coordinating Unit Policy and Governance Unit
Business Units Impacted
  • Academic Board
  • Academic Quality and Analytics
  • Animal Genetics and Breeding Unit
  • Audit and Risk Directorate
  • Australian Business Research Institute
  • Business Intelligence and Data Governance
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Planning and Analytics
  • English Language Centre
  • Facilities Management Service Directorate
  • Financial Services Directorate
  • Heritage Centre
  • Heritage Futures Research Centre
  • Human Resource Services Directorate
  • Information Technology Directorate
  • Institute for Rural Futures
  • Legal Office
  • Marketing and Public Affairs
  • Office of Advancement
  • Office of the Chief Financial Officer
  • Office of the Chief Legal and Governance Officer
  • Office of the Chief Operating Officer
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Pro Vice-Chancellor (Research)
  • Office of the Provost and Deputy Vice-Chancellor
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • Policy and Governance Unit
  • Records Management Office
  • Research Services
  • Rural Properties
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement Directorate
  • Student Administration and Services
  • Student Grievance Unit
  • Teaching and Learning Support
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation charitable trust
  • UNE Foundation Limited
  • UNE FutureCampus
  • UNE International
  • UNE Life
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • UNE Residential System
  • University Library
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information
Management Tools
Rule Privacy Management Rule
Records Management Rule
Policy None
Protocol None
Procedure None
Guideline None
Other Websites
 
Return to Top Privacy and Residential Colleges
Description To ensure compliance with the University's Privacy Management Rule, where a student resides in one of the University's residential colleges, the student's progress/results may be disclosed to the University's Director of Residential Services, or their delegate - and only in accordance with the Course Progression Rule and Procedures.

Under no circumstances is it acceptable for personal information about a student to be shared between third parties. For example, between staff members/Residential Fellows/Academic Mentors of a University Residential College and staff members of a University School or business unit.
Impacts
Responsible Manager Ashwin Bhutani, Director UNE Residential System
Coordinating Officer Ashwin Bhutani, Director UNE Residential System
Coordinating Unit UNE Residential System
Business Units Impacted
  • Legal Office
  • Office of the Chief Operating Officer
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Student Administration and Services
  • Teaching and Learning Support
  • UNE Business School
  • UNE Residential System
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Course Progression Rule
Privacy Management Rule
Policy Code of Conduct
Course Coordinator Policy
Protocol None
Procedure Course Coordinator Procedures
Course Progression Procedures
Guideline None
Other Websites
 
Return to Top Privacy and Special Needs
Description Before any information is sought or released by the Special Needs Office in relation to a student registering/registered with that office to another area of the University or a third party, it is a requirement that the student is informed of the purpose for which the information is sought/to be released and their consent obtained unless:
a. The 'use of the information for that other purpose is required or authorised by/or under law’, or
b. It is believed, on reasonable grounds that 'use of the information (disclosure) … is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual concerned or another person’.
Impacts
Responsible Manager Barbara Shaw, Deputy Director - HRS
Coordinating Officer Julia Perryman, Senior Careers Officer, Student Support
Coordinating Unit Student Administration and Services
Business Units Impacted
  • English Language Centre
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Provost and Deputy Vice-Chancellor
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Student Administration and Services
  • UNE Business School
  • UNE International
  • UNE Residential System
Obligation Framework
Associated Legislation None
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy None
Protocol None
Procedure None
Guideline None
Other Websites
 
Return to Top Public Register vs publicly available publication
Description Under section 4 of the Act, a public register "means a register of personal information that is required by law to be, or is made, publicly available or open to public inspection". Further information is contained in Part 6 which requires that the "personal information kept in the register" must not be disclosed "unless the agency is satisfied that it is to be used for a purpose relating to the purpose of the register or the Act under which the register is kept." Examples of a public register include the Radiation Control Act public register (containing licensee information); the Service NSW Charitable fundraising Register (listing organisations authorised to fund raise for charitable purposes); and the NSW electoral roll.

Under section 4(3)(b) of the Act, personal information does not include "information about an individual that is contained in a publicly available publication". In University of NSW v PC [2008] NSWADTAP 26, para 23 it was stated that "A publication can not, I consider, be publicly available if there is a restriction on access to the publication (other than possibly the requirement for a reasonable payment)." Examples of a publicly available publication include newspapers and journals published and distributed for public consumption.
Impacts Under section 70 of the Act "Proceedings for an offence against this Act are to be dealt with summarily before the Local Court."
Responsible Manager Brendan Peet, Chief Legal and Governance Officer
Coordinating Officer Leanne Nisbet, Senior Governance Officer
Coordinating Unit Policy and Governance Unit
Business Units Impacted
  • Academic Board
  • Academic Quality and Analytics
  • Animal Genetics and Breeding Unit
  • Audit and Risk Directorate
  • Australian Business Research Institute
  • Business Intelligence and Data Governance
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • Corporate Planning and Analytics
  • English Language Centre
  • Facilities Management Service Directorate
  • Financial Services Directorate
  • Heritage Centre
  • Heritage Futures Research Centre
  • Human Resource Services Directorate
  • Information Technology Directorate
  • Institute for Rural Futures
  • Legal Office
  • Marketing and Public Affairs
  • Office of Advancement
  • Office of the Chief Financial Officer
  • Office of the Chief Legal and Governance Officer
  • Office of the Chief Operating Officer
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Pro Vice-Chancellor (Research)
  • Office of the Provost and Deputy Vice-Chancellor
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • Policy and Governance Unit
  • Records Management Office
  • Research Services
  • Rural Properties
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement Directorate
  • Student Administration and Services
  • Student Grievance Unit
  • Teaching and Learning Support
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation charitable trust
  • UNE Foundation Limited
  • UNE FutureCampus
  • UNE International
  • UNE Life
  • UNE Medical Centre
  • UNE Partnerships Pty Ltd
  • UNE Residential System
  • University Library
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information None
Management Tools
Rule Privacy Management Rule
Policy None
Protocol None
Procedure None
Guideline None
Other Websites Public Registers
University of New South Wales v PC (GD) [2008] NSWADTAP 26
 
Return to Top Transborder Disclosure and Cloud Computing
Description Under the special restrictions on disclosure of personal information in section 19 (2) "A public sector agency that holds personal information about an individual must not disclose the information to any person or body who is in a jurisdiction outside New South Wales or to a Commonwealth agency unless:

(a) the public sector agency reasonably believes that the recipient of the information is subject to a law, binding scheme or contract that effectively upholds principles for fair handling of the information that are substantially similar to the information protection principles, or
(b) the individual expressly consents to the disclosure, or
(c) the disclosure is necessary for the performance of a contract between the individual and the public sector agency, or for the implementation of pre-contractual measures taken in response to the individual’s request, or
(d) the disclosure is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the public sector agency and a third party, or
(e) all of the following apply:
(i) the disclosure is for the benefit of the individual,
(ii) it is impracticable to obtain the consent of the individual to that disclosure,
(iii) if it were practicable to obtain such consent, the individual would be likely to give it, or
(f) the disclosure is reasonably believed by the public sector agency to be necessary to lessen or prevent a serious and imminent threat to the life, health or safety of the individual or another person, or
(g) the public sector agency has taken reasonable steps to ensure that the information that it has disclosed will not be held, used or disclosed by the recipient of the information inconsistently with the information protection principles, or
(h) the disclosure is permitted or required by an Act (including an Act of the Commonwealth) or any other law."

In support of this privacy requirement the NSW Government Cloud Policy, which the University as a statutory body must adhere to, states " Where the use of cloud computing requires the transmission or storage of personal information, including health information, agencies must ensure that their arrangements comply with relevant privacy and disclosure requirements."
Impacts Where a person has applied to NCAT (NSW Civil & Administrative Tribunal) for a review, NCAT may:
1. Decide not to take any action.
2. Award compensation (damages) of up to $40,000 for any financial loss, or psychological or physical harm, due to the conduct of the University.
3. Require the University to stop any conduct or action which contravenes an information protection principle or a health privacy principle.
4. Require the performance of an information protection principle or a health privacy principle correcting personal information that has been disclosed.
Responsible Manager Brendan Peet, Chief Legal and Governance Officer
Coordinating Officer Leanne Nisbet, Senior Governance Officer
Coordinating Unit Policy and Governance Unit
Business Units Impacted
  • Academic Board
  • Academic Quality and Analytics
  • Animal Genetics and Breeding Unit
  • Audit and Risk Directorate
  • Australian Business Research Institute
  • Business Intelligence and Data Governance
  • Centre for Agriculture and Law
  • Centre for Applied Research in Social Science
  • Centre for Local Government
  • English Language Centre
  • Facilities Management Service Directorate
  • Financial Services Directorate
  • Heritage Centre
  • Heritage Futures Research Centre
  • Human Resource Services Directorate
  • Information Technology Directorate
  • Institute for Rural Futures
  • Legal Office
  • Marketing and Public Affairs
  • Office of Advancement
  • Office of the Chief Financial Officer
  • Office of the Chief Legal and Governance Officer
  • Office of the Chief Operating Officer
  • Office of the Pro Vice-Chancellor (Academic Innovation)
  • Office of the Pro Vice-Chancellor (External Relations)
  • Office of the Pro Vice-Chancellor (Research)
  • Office of the Provost and Deputy Vice-Chancellor
  • Office of the Vice-Chancellor and CEO
  • Oorala Aboriginal Centre
  • Policy and Governance Unit
  • Records Management Office
  • Research Services
  • Rural Properties
  • School of Arts
  • School of Behavioural Cognitive and Social Sciences
  • School of Education
  • School of Environmental and Rural Science
  • School of Health
  • School of Humanities
  • School of Law
  • School of Rural Medicine
  • School of Science and Technology
  • Strategic Procurement Directorate
  • Student Administration and Services
  • Student Grievance Unit
  • Teaching and Learning Support
  • The National Centre of Science, Information and Communication Technology, and Mathematics Education
  • UNE Business School
  • UNE Council
  • UNE Foundation charitable trust
  • UNE Foundation Limited
  • UNE FutureCampus
  • UNE International
  • UNE Life
  • UNE Partnerships Pty Ltd
  • UNE Residential System
  • University Library
  • University Secretariat
  • Yarm Gwanga
Obligation Framework
Associated Legislation
Associated Standard None
Associated Code None
Associated Information
Management Tools
Rule Privacy Management Rule
Policy Code of Conduct
Protocol None
Procedure None
Guideline None
Other Websites