The Information Privacy Act 2009 applies to all Queensland Government agencies and public authorities including Universities. The Act has two parts. Firstly, it has an access and amendment scheme which allows people to access their personal information and amend it where it is inaccurate, incomplete or out of date. This scheme replaces the now repealed Freedom of Information Act 1992.
The second scheme is an information protection scheme which has, as its objective, the protection of personal information in the possession of the University from unauthorised access, use, modification and disclosure.
The University can be subject to significant penalties if it does not comply with the IP Act, including the payment of compensation for any loss or damage caused by breaches of privacy.
One of the primary objectives of the Information Privacy Act 2009 (IPA) is to protect personal information held by the University. Personal information is defined as information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. In conducting its business, the University holds a wide range of personal information including:
To determine whether information is "personal information", ask yourself these questions:
The Information Privacy Principles (IPPs) are a set of eleven rules which regulate the way in which personal information is to be managed by the University throughout its lifecycle, from initial collection to eventual disposal. The IPPs cover the following functional activities:
The IPA requires all employees and contractors of the University to comply with the IPPs in dealing with personal information. Failure to comply with the IPPs may not only expose the University to a privacy breach, but could also constitute misconduct under the University's Code of Conduct.
Collection refers to any process by which the University obtains personal information. It can include:
Personal information can be collected directly from the person concerned (e.g. a student) or it can be obtained indirectly from a third party (e.g. another educational institution). The collection of personal information is regulated by IPPs 1-3. The rules are:
Before collecting personal information, ask yourself these questions:
The IPA requires that the University take reasonable steps to protect personal information from unauthorised access, use, modification, disclosure or any other misuse.
Some of the things which you can do to protect personal information include:
Under IPPs 6 and 7, JCU is required to inform persons what kind of information is held about them, how they can access this information, and how they can correct this information if it is inaccurate, out of date or misleading. JCU has a number of administrative schemes whereby persons can access and amend their personal information. In addition, the University is subject to the Right to Information Act 2009 and the access scheme in the Information Privacy Act 2009.
'Use' means any action taken with respect to the information within the University. This includes:
The use of personal information is regulated by IPPs 8-10. The rules are:
When information is collected for a particular purpose, it cannot ordinarily be used for another purpose without authorisation. If the University wants to use the information for another purpose, then one of the following exceptions must apply:
Before using personal information, ask yourself these questions:
Disclosure of personal information occurs when information is released to a person or an organisation outside of the University. The IPA states that, subject to limited exceptions, personal information must not be disclosed to persons outside the University other than to the person concerned.
The University has in place a number of processes for the orderly disclosure of personal information. Bear in mind that releasing information outside of these processes may constitute misconduct under the University's Code of Conduct. Disclosure may be deliberate or inadvertent. Wrongful deliberate disclosure is rarely malicious and often occurs with the best of intentions (e.g. providing student information to a concerned parent). Nevertheless, wrongful disclosure, even with the best of intentions, is still wrongful disclosure.
So, before disclosing personal information to someone other than the person concerned, ask yourself: what is the authority for this disclosure? The IPA outlines a number of circumstances in which it is lawful to pass on information to third parties. These include:
Enquiries about whether disclosure of personal information is authorised may be directed to the University's Right to Information and Privacy Coordinator.
Inadvertent disclosure often occurs simply because a staff member is not fully aware of the privacy risks of their environment (e.g. reading a file on the train, or discussing a sensitive personal matter in a corridor where other people can overhear). The following steps can be taken to reduce the risk of accidental or inadvertent disclosure:
A person who believes that their privacy has been breached can complain to the University. If they are dissatisfied with the University's response, they can take their complaint forward to the Office of the Information Commissioner and the Queensland Civil and Administrative Tribunal (QCAT). If QCAT is satisfied that a privacy breach has taken place, it can make various orders, including an order for the award of compensation.
If a staff member believes they may have inadvertently disclosed an individual's private information, they should contact the University's Right to Information and Privacy Contact Officer using the details below.
For more information on how the University deals with privacy, contact the University's Right to Information and Privacy Contact Officer Mr Ian Troup, phone 4781 412 or email firstname.lastname@example.org.