Privacy and right to information guidelines
The Information Privacy Act 2009
The Information Privacy Act 2009 applies to all Queensland Government agencies and public authorities including Universities. The Act has two parts. Firstly, it has an access and amendment scheme which allows people to access their personal information and amend it where it is inaccurate, incomplete or out of date. This scheme replaces the now repealed Freedom of Information Act 1992.
The second scheme is an information protection scheme which has, as its objective, the protection of personal information in the possession of the University from unauthorised access, use, modification and disclosure.
The University can be subject to significant penalties if it does not comply with the IP Act, including the payment of compensation for any loss or damage caused by breaches of privacy.
One of the primary objectives of the Information Privacy Act 2009 (IPA) is to protect personal information held by the University. Personal information is defined as information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. In conducting its business, the University holds a wide range of personal information including:
- Human Resources information;
- student enrolment and attendance information;
- community participation records including Alumni and users of University facilities;
- research data involving human participants;
- information technology records; and
- business and financial records;
To determine whether information is "personal information", ask yourself these questions:
- does the information tell you something about someone?
- does the information identify a person directly?
- could someone find out, through reasonable steps, to whom the information refers?
The IPPs are a set of eleven rules which regulate the way in which personal information is to be managed by the University throughout its lifecycle from initial collection to eventual disposal. The Information Privacy Principles cover the following functional activities:
- collection of personal information;
- storage and security;
- access and amendment;
- use within the University of personal information;
The IPA requires all employees and contractors of the University to comply with the IPPs in dealing with personal information. Failure to comply with the IPPs may not only expose the University to a privacy breach, but could also constitute misconduct under the University's Code of Conduct.
Collection refers to any process by which the University obtains personal information. It can include:
- Asking a person to fill in a form;
- Obtaining information over the telephone and making a file note;
- Closed circuit television monitoring.
Personal information can be collected directly from the person concerned (e.g. a student) or it can be obtained indirectly from a third party (e.g. another educational institution). The collection of personal information is regulated by IPPs 1-3. The rules are:
- only collect personal information for a lawful purpose that is directly related to a function or activity of the University;
- collect only the information that you need;
- collection must be fair and lawful ; and
- when collecting information directly from the person concerned (ie a student or staff member), the person from whom information is collected must be informed why the information is needed, how it will be used, and those persons or organizations outside the University to which it is the usual practice to disclose information of this kind.
Before collecting personal information, ask yourself these questions:
- Do I really need to collect personal information to perform this university related function?
- If yes, what information do I actually need (rather than want)?
- How should I collect this information to make sure the collection is lawful and fair?
- If I am collecting the information directly from the person concerned, what do I need to tell them?
The IPA requires that the University take reasonable steps to protect personal information from unauthorised access, use, modification, disclosure or any other misuse.
Some of the things which you can do to protect personal information include:
- Institute a 'clean' policy for desks, fax machines, printers and photocopiers.
- Lock away files at the end of the workday and ensure that documents are not left on fax machines, printers and photocopiers;
- Use lockable filing cabinets and receptacles to store personal information when it is not needed;
- Ensure that physical files are appropriately classified and marked;
- Properly dispose of records in accordance with the University's Retention and Disposal Schedules;
- Limit access to databases and systems to those persons with a legitimate work-related need to know.
- Remove access from those persons who now longer need it; * Wear your JCU identification tag whenever at work;
- Log-off your computer when you are not in your office;
- Don't share your JCU password;
- Before sending personal information by email over the internet, consider whether this is the most appropriate form of communication, given the sensitivity of the information.
Under IPPs 6 and 7, JCU is required to inform persons what kind of information is held about them, how they can access this information, and how they can correct this information if it is inaccurate, out of date or misleading. JCU has a number of administrative schemes whereby persons can access and amend their personal information. In addition, the University is subject to the Right to Information Act 2009 and the access scheme in the Information Privacy Act 2009.
'Use' means any action taken with respect to the information within the University. This includes
- searching records;
- using personal information in a record to make a decision
- passing a record from one part of the University to another part with a different function; and
- publishing information within the University.
The use of personal information is regulated by IPPs 8-10. The rules are:
- subject to limited exceptions such as consent, personal information is only to be used for the purpose for which it was collected;
- only use that personal information which is relevant to the task you want to perform; and
- before using personal information, take reasonable steps to ensure that it is up to date and accurate.
When information is collected for a particular purpose, it cannot ordinarily be used for another purpose without authorisation. If the University wants to use the information for another purpose, then one of the following exceptions must apply:
- the person concerned consents to the other use;
- the other use is authorised or required by legislation;
- the other use is necessary to reduce a risk of harm to the individual or the public safety;
- the other use is necessary for a law enforcement purpose;
- the other use is necessary for research purposes and it is not practicable to obtain the consent of the person concerned.
Before using personal information, ask yourself these questions:
- for what legitimate university-related purpose am I going to use the personal information?
- do I actually need personal information to achieve that purpose?
- of all the personal information I have, what specific pieces do I need to use?
- is it likely that this information is up to date, accurate and complete for the purpose I want to use it?
Disclosure of personal information occurs when information is released to a person or an organisation outside of the University. The IPA states that, subject to limited exceptions, personal information must not be disclosed to persons outside the University other than to the person concerned.
The University has in place a number of processes for the orderly disclosure of personal information. Bear in mind that releasing information outside of these processes may constitute misconduct under the University's Code of Conduct. Disclosure may be deliberate or inadvertent. Wrongful deliberate disclosure is rarely malicious and often occurs with the best of intentions (e.g. providing student information to a concerned parent). Nevertheless, wrongful disclosure, even with the best of intentions, is still wrongful disclosure.
So, before disclosing personal information to someone other than the person concerned, ask yourself - what is the authority for this disclosure? The IPA outlines a number of circumstances in which it is lawful to pass on information to third parties. These include:
- Where the person was aware that the information would be disclosure (e.g. they were told at the time of collection that this would happen);
- Where the person consents to the disclosure;
- Where the disclosure is authorised or required by law;
- Where the disclosure is necessary to reduce the risk of harm to the individual or to public safety;
- Where the disclosure is reasonably necessary for law enforcement purposes;
- Where the disclosure is reasonably necessary for research purposes and it is not practicable to obtain the consent of the person concerned.
Enquires about whether disclosure of personal information is authorised may be directed to the University's Right to Information and Privacy Coordinator.
Inadvertent disclosure often occurs simply because a staff member is not fully aware of the privacy risks of their environment (e.g. reading a file on the train, or discussing a sensitive personal matter in a corridor where other people can overhear). The following steps can be taken to reduce the risk of accidental or inadvertent disclosure:
- make sure that technology which contains personal information (e.g. USBs, laptops, hard drives etc) are properly secured;
- guard against indiscreet comments concerning staff or students;
- avoid discussing personal information about staff or students in areas which are, or in close proximity to, public access areas (e.g. counters, corridors, cafeterias and coffee shops);
- where possible, don't send sensitive personal information over the internet.
Suspected breach of privacy
A Person who believes that their privacy has been breached can complain to the University. If they are dissatisfied with the University's response, they can take their complaint forward to the Office of the Information Commissioner and the Queensland Civil and Administration Tribunal (QCAT). If QCAT is satisfied that a privacy breach has taken place, it can make various orders, including an order for the award of compensation.
If a staff member believes they may have inadvertently disclosed an individual’s private information they should contact the University’s Right to Information and Privacy Contact Officer as per below.
For more information on how the University deals with privacy, contact the University's Right to Information and Privacy Contact Officer Mr Ian Troupe, phone 4781 4124 or email [email protected].