Information Privacy Policy


JCU’s functions require the collection, creation, use and in some circumstances the disclosure of personal information about students, staff and other clients. The University is committed to protecting personal privacy and recognises that staff and students have a reasonable expectation that the University will protect and appropriately manage the personal information it holds about them.

JCU must comply with the requirements of the Information Privacy Act 2009 (Qld) (IP Act) which provides for the fair collection, management and handling of personal information. This Policy specifies the right of access to, and amendment of, personal information collected by the University as further detailed in JCU’s Information Privacy Statement and Collection Notice.

JCU must also comply with the European Union’s (EU) General Data Protection Regulation (GDPR) to the extent that we collect the personal information of individuals resident in the EU or European Economic Area (EEA). The University is a data controller for the purposes of the GDPR.

The University is not covered by the Privacy Act 1988 (Cth) (Privacy Act) except when the University has legislative and/or contractual obligations to the Commonwealth Government in circumstances as set out under section 1.3 of this policy.


This policy applies to all University staff, affiliates, students, contractors and any other third party who collects or manages personal information on behalf of the University.


Except as otherwise specified in this policy, the meanings of terms used in this policy are as per the Policy Glossary.

Administrative release

Refers to a discretionary process that allows access to information, in full or in part, in certain types of administrative or operational records. Such records are generally released as a matter of course, in response to a request, without the need for a formal application under legislative authority such as the Right to Information Act (Qld) 2009 and Information Privacy Act (Qld) 2009.

Asset Owner

Has the same meaning as the Cybersecurity Policy.

Authorised Users

Has the same meaning as the ICT Acceptable Use Policy.


For the purposes of the GDPR consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Data Controller

For the purposes of the GDPR a data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal information.

Data Processing

For the purposes of the GDPR, data processing refers to any operation, or set of operations, which are performed on personal data, or sets of personal data, whether or not by automated means.

Data Processor

For the purposes of the GDPR, data processor means a natural or legal person, public authority, agency or other body which "processes" personal data on behalf of a data controller, and in accordance with the data controller's instructions.

Data Subject

For the purposes of the GDPR, a data subject is an individual who is physically located in the EU or EEA at the time that their personal information is collected by the University. A person does not need to be a citizen of a European country in order to be considered a data subject.

Deliberate Misuse

The wrong or improper use of Personal Information, done consciously and intentionally (on purpose). This includes unauthorised modification.


The Queensland Right to Information Act 2009 (RTI Act) defines a document as "a document, other than a document to which the RTI Act does not apply, in the possession, or under the control, of the University whether brought into existence or received in the University, and includes a document –

a.  to which the University is entitled to access; and

b.  in the possession, or under the control, of an officer of the University in the officer’s official capacity."

Documents may be in hard copy or electronic format and include files, reports, emails, correspondence, computer printouts, maps, plans, photographs, and audio and video recordings.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the new privacy law of the European Union (EU) that took effect from 25 May 2018 and applies to all EU and European Economic Area (EEA) member states.

The GDPR covers the personal data of all natural persons within the EU or EEA ("EU/EEA data subjects"). The GDPR makes no distinctions based on an individual’s permanent place of residence or nationality. The GDPR applies to all such individuals' personal data.

The GDPR also applies to the processing of personal data by data controllers or data processors who are not based in the EU/EEA, where they process personal data of individuals in the EU/EEA in connection with the offering of goods/services (irrespective of whether payment is required) or the monitoring of the behaviour of such individuals in the EU/EEA.

The GDPR only applies to JCU in specific circumstances. Examples of University activities that are affected may include:

  • the recruitment of students based in the EU/EEA and ongoing engagement with these students, including after graduation;
  • the offering of short non-award courses to participants based in the EU/EEA;
  • data analytics in relation to JCU students, where they are located in the EU/EEA; and
  • research projects that involve the monitoring of the behaviour of individuals in the EU/EEA.

Inappropriate Use

Inappropriate use means access to (and use of) personal information which is not appropriate to the individual’s role or function at the time, for example, viewing the health records of an individual out of interest.

Information and Records

Information in electronic or hard copy form including databases.

Notifiable Breach

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), also referred to as the Notifiable Data Breaches (NDB) Scheme amends the Privacy Act 1988 (Cth) (the Commonwealth Privacy Act), and in the instances where the NDB Scheme applies to JCU, there is a mandatory requirement for JCU to notify the Commonwealth Privacy Commissioner and affected individuals of ‘eligible data breaches’. An eligible data breach occurs if:

a.  there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity;

b.  the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates; and

c.  the entity has not been able to prevent the likely risk of serious harm with remedial action.

Personal information

Is as defined by the Information Privacy Act (Qld) 2009 (IP Act) as information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Personal information includes usernames, passwords and unique identifiers such as staff and student numbers. It can be recorded in any format including hard copy documents, electronic documents, databases, administrative systems, photographs and other images, and staff/student identity cards.

Personal data

As defined under the GDPR - means any information relating to an identified or identifiable natural person residing in the EU/EEA. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Information (PI) Custodian

A PI Custodian is a University staff member who has responsibilities for the collection and management of Personal Information within the University. This may include records managers, student support and client services staff, HR staff and system administrators.

Privacy breach

Occurs when there is a failure to comply with the information privacy policy or the IP Act’s 11 information privacy principles (IPPs). Usually this will result in unauthorised disclosure of or unauthorised access to personal information.

Privacy complaint

Is a complaint about an act or practice of JCU in relation to an individual’s personal information that is a breach of this policy or the IP Act or Privacy Act.


Automated processing of personal data to evaluate certain personal aspects relating to a person, in particular to analyse or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, reliability, behaviour or movements.

Reasonably Practicable

Has the same meaning as the JCU Cybersecurity Policy.

Routine employment information

Is information that is solely and wholly related to the routine work duties and responsibilities of a staff member. This includes information such as a staff member's position title, JCU email address, work phone number, professional opinion given in professional capacity, authorship of documents, incidental appearances of a staff member's name in work documents, information about qualifications held, or any information which is publicly available on the JCU website.

Sensitive Information

Sensitive information is personal information relating to an individual's:

  • racial or ethnic origin, including country of birth;
  • political opinions;
  • membership of a political association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • membership of a professional or trade association;
  • membership of a trade union;
  • sexual orientation or practices;
  • criminal record; and
  • child related employment screening reports.

Sensitive information also includes information relating to:

  • health;
  • genetics; and
  • biometrics.

Sensitive information may also be referred to as "special category data" for the purposes of the GDPR.

Supervisory Authority

For the purposes of the GDPR, supervisory authority means the public body established by the EU or EEA country for the monitoring of compliance with the regulation of the privacy of personal data.

Third Party

Organisation, person or other body, other than the data subject, controller or processor.

Unauthorised Access

Means obtaining and exercising access to personal information that the person is not authorised (by role or function) to access.

Unique identifiers

Unique identifiers including student and staff numbers are used as the basis for recording a large amount of personal information. Other unique identifiers include payroll numbers, tax file numbers, credit card numbers and bank account details.


1.    Application

1.1   The Information Privacy Act (Qld) 2009 (IP Act) provides individuals with a legally enforceable right of access to, and amendment of, their own personal information held by the University, unless this would, on balance, be contrary to the public interest. James Cook University is defined as a public authority under the IP Act and is therefore subject to the requirements of the Act.

1.2   Requests for non-personal information or for the personal information of others are dealt with under the terms of the Queensland Right to Information Act 2009, as outlined in the University's Right to Information Policy.

1.3   JCU is also subject to the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth), also referred to as the Notifiable Data Breaches (NDB) Scheme which amends the Commonwealth’s Privacy Act 1988, in the following circumstances:

1.3.1 where JCU receives and otherwise handles tax file numbers of staff, students or any other person;

1.3.2 where JCU enters into agreements with the Commonwealth Government and the terms of those agreements require JCU to be bound by the Commonwealth Privacy Act (e.g. research agreements, funding agreements);

1.3.3 where JCU retains data under the Telecommunications (Interception and Access) Act 1979, as this data is personal information for the purposes of the Commonwealth Privacy Act; and

1.3.4 where JCU handles personal information of a student under the Higher Education Support Act 2003 (Cth), as this data is personal information for the purposes of the Commonwealth Privacy Act.

1.4   JCU is also subject to the General Data Protection Regulation (GDPR), which applies when the University is processing the data of individuals resident in the European Union (EU) or the European Economic Area (EEA). Data subjects may also have a right to:

1.4.1 rectify any Personal Information that is inaccurate;

1.4.2 restrict or limit the ways in which Personal Information is used;

1.4.3 object to the way Personal Information is processed e.g. automatic processing;

1.4.4 request that their Personal Information be deleted (erasure); and

1.4.5 obtain a copy of their Personal Information in an easily accessible format.

Residents of the EU or EEA seeking to request any of the above may do so in accordance with the General Data Protection Regulation (GDPR) Procedure.

2.   Collection and Management of Personal Information

2.1   This policy applies to the collection, use, storage, transfer, handling, right of access, and amendment of personal information at JCU.

2.2   It does not apply to:

2.2.1 routine employment information of staff;

2.2.2 personal information which is maintained on a public register;

2.2.3 information recorded in a de-identified way which cannot be linked (or re-linked) to a known individual;

2.2.4 personal information which is already available in a publication or other publicly available document; or

2.2.5 information which is generally available.

2.3   JCU collects personal information to enable it to function effectively. Any personal information collected by the University is managed in accordance with the eleven Information Privacy Principles (IPPs) as set out in the IP Act.

2.4   JCU is committed to an open environment which enables the general public, students and staff to access University documents that contain their own personal information without the need to make a formal IP Act request. In certain circumstances the University will release information administratively.

2.5   JCU collects many types of personal information, including student and employment records, as detailed in JCU’s Information Privacy Statement and Collection Notice available on the website, which may change from time to time according to University requirements.

2.6   Day-to-day access to the personal information of others is restricted to staff in the organisational unit that requires access e.g. Human Resources staff have access to employment records (role based access).

2.7   Personal information will also be used to assist in the provision of activities and services including education and research and as set out in JCU’s Information Privacy Statement and Collection Notice available on the website.

2.8   JCU may in certain circumstances transfer personal information interstate or overseas e.g. information may be transferred off-shore for storage by contracted IT service providers. Where JCU transfers personal information interstate or overseas it will:

2.8.1 comply with those provisions of the IP Act and/or Privacy Act (where applicable) that relate to transborder data flows; and

2.8.2 take all reasonable steps to ensure that third party service providers do not use or disclose transferred personal information for a purpose other than that for which it was collected by JCU. JCU will do this primarily by entering into legally binding contracts with service providers which require compliance with the Information Privacy Principles contained in the IP Act and/or Privacy Act (where applicable).

2.9   An individual has the right to refuse to provide personal information to the University. However, if an individual exercises this right of refusal, they may not have access to all (or any) of the University’s services, the University might not be able to provide them all (or any) of the services, and it may affect the University's ability to meet its obligations to that individual or to a third party, such as a government agency.

3.   Collection and Processing of Sensitive Information (Special Category Data)

3.1   The University will only solicit and collect sensitive information if:

3.1.1 it is required to do so by law; or

3.1.2 it has the explicit consent of the individual to whom the information relates, and it is reasonably necessary for the University to collect the sensitive information to enable it to carry out a relevant function or activity; or

3.1.3 processing is necessary to protect the vital interests of the individual or of another person (being those essential to sustaining their life) where the individual is physically or legally incapable of giving consent; or

3.1.4 processing relates to personal data which is in the public domain; or

3.1.5 processing is necessary for the establishment, exercise or defence of legal claims; or

3.1.6 processing is necessary for public interest reasons in the area of public health.

3.2   The University will collect sensitive information where the information is necessary for a relevant function or activity. Examples of a relevant function or activity include (but are not limited to):

3.2.1 to provide a health service to the individual, including psychological and counselling services; or

3.2.2 qualification for scholarships, financial or other assistance which may be allocated by reference to matters which constitute sensitive information, such as cultural background; or

3.2.3 it is necessary employee information related to an individual’s employment at the University.

4.   Notification of the Collection of Personal Information

4.1   At or before the time the University collects personal information, the University will take all reasonable steps to:

4.1.1 notify the individual of the matters referred to below; or

4.1.2 otherwise ensure that the individual is aware of the matters below.

4.2   The matters which the University must notify to the individual include, subject to any relevant laws:

4.2.1 the identity and contact details of the University;

4.2.2 if the University will collect personal information from someone other than the individual;

4.2.3 the fact that JCU collects, or has collected, the information and the circumstances of that collection;

4.2.4 that the personal information will be retained for a period as set out in the University Sector Retention and Disposal Schedule, as approved by the Queensland State Archivist;

4.2.5 if the collection of personal information is required or authorised by law;

4.2.6 the purpose or reason why the University needs to collect the personal information;

4.2.7 the main consequences, if any, for the individual if all or some of the personal information is not collected by the University; and

4.2.8 any other third-party to which JCU usually discloses personal information of the kind collected by the University.

4.3   If JCU collects personal data of an individual residing in the EU/EEA from third parties, the University will inform the individual to whom the data relates of the categories of personal data that have been collected, as well as all the matters referred to above. JCU will inform the individual of these matters within a reasonable time after collecting the personal data, but at the latest within the following periods:

4.3.1 within one month, having regard to the specific circumstances in which the personal data is processed;

4.3.2 if the personal data is to be used for communication with the individual, at the latest at the time of the first communication; or

4.3.3 if a disclosure to a third party is envisaged, at the latest when the personal data is first disclosed.

5.   Automatic processing of data, cookies, and similar technologies

5.1   The University may automatically process information including personal information and conduct automated decision-making and profiling (that is, automated processing of personal data to evaluate certain things about an individual).

5.2   The University may collect personal and other information using cookies. Cookies allow a website to store information on a machine or mobile device and retrieve it later. Some cookies are managed by JCU (first-party cookies), while others are managed by third parties the University does not control (third-party cookies), such as Google. You may choose not to accept cookies in connection with your use of the University websites and online services by deleting, blocking or disabling cookies via your browser settings.

5.3   Personal information may also be collected or identified by other data collection or tracking technologies, such as web beacons, which embed graphic files into our websites and online services which can be used to identify when someone visits our websites or online services, or in the case of web beacons, when an email is read or forwarded.

6.   Release of Personal Information

6.1   The University has in place mechanisms and normal administrative practices to handle routine requests for access to information such as academic transcripts, or for alterations to information such as changes of address.

6.2   Individuals wishing to obtain access to, or amend, information about themselves, should contact the relevant officer in the area in which the information is held or the Privacy and Data Protection Officer, Secretariat, James Cook University, Townsville QLD 4811 using the form at the JCU website as per the Requests for Access to Personal Information Procedure.

6.3   The personal information of staff and students will not be released without their written consent except in certain circumstances detailed in the procedure.

6.4   The IP Act and/or Privacy Act provides that access to certain documents or to certain information contained in documents may be refused in order to protect public interests or the private or business affairs of others. A request to obtain access to documents which contain information about the private affairs of others will usually be refused.

6.5   The University may also refuse access to documents on the grounds that there would be a substantial and unreasonable workload in identifying, locating and collating the volume of documents in question.

6.6   If a request for access or amendment is refused, the University will give specific written reasons for the decision and advise the applicant of their rights to appeal against the decision.

7.   Additional Rights of EU/EEA Residents under the GDPR

7.1   In addition to the protections afforded under the Information Privacy Act and the Information Privacy Principles, EU or EEA residents have a number of additional rights under the GDPR, including:

7.1.1 the right to obtain access to the personal data held;

7.1.2 the right to object on grounds relating to their particular situation to the way JCU processes their personal data where they feel they have a disproportionate impact on their interests and rights e.g. automatic processing;

7.1.3 if they believe that their personal data held is, or has become, incorrect or incomplete, they may request to review, revise, correct, or update any of their personal data;

7.1.4 the right to restrict or limit the way JCU processes their personal data and, where processing is based on their consent, they may withdraw that consent, without affecting the lawfulness of JCU’s processing based on consent before its withdrawal;

7.1.5 the right to request that JCU erase an individual’s personal data;

7.1.6 the right to have personal data, which they have voluntarily provided to JCU, produced in a structured, commonly used, and machine-readable format;

7.1.7 the right to request that JCU transmit this data directly to another data controller;

7.1.8 the right to request that JCU not send them any marketing communications.

7.2   The above individual rights are not absolute, and JCU may be entitled to refuse requests where certain exceptions apply. If an individual has given consent and wishes to withdraw it, please contact the Privacy and Data Protection Officer by email using the contact information provided in the GDPR Procedure.

7.3   An individual also has the right to withdraw consent to JCU processing of their personal data, if that processing is based solely on their consent. This may be through discontinuing use of the services, including by closing all online accounts with JCU and requesting that personal data be erased in accordance with the GDPR Procedure. If an individual withdraws consent to the processing or sharing of their personal data they may not have access to all (or any) of the University’s services, and JCU might not be able to provide them all (or any) of the services.

7.4   In certain cases, JCU may continue to process personal data after an individual has withdrawn consent and requested that JCU erase the personal data, if JCU has a legal basis to do so. For example, JCU may retain certain information if the University needs to do so to comply with a legal obligation under Australian law, or if deleting the information would undermine the integrity of a research study in which the individual is enrolled.

7.5   EU or EEA residents have the right to lodge a complaint with their national data protection authority (i.e. supervisory authority) if they are not satisfied with JCU’s privacy practices.

8.   Roles and Responsibilities

8.1   Vice Chancellor. The Vice Chancellor is the 'principal officer' under the Information Privacy Act (Qld) 2009, and has overall responsibility for JCU’s obligations under the Act.

8.2   Chief of Staff. The Chief of Staff oversees implementation of privacy management across the University, and approves privacy protocols, guidelines and mandatory training arrangements.

8.3   University Secretary. As the Internal Review Officer, the University Secretary is responsible for the internal review of decisions made by the Deputy University Secretary, if requested by the applicant (refer to Requests for Access to Personal Information Procedure).

8.4   Deputy University Secretary. The Vice Chancellor has delegated the responsibility for determining the outcome of IP Act applications to the Deputy University Secretary, who acts as the JCU Privacy and Data Protection Officer and administers the IP Act on behalf of JCU, including:

8.4.1 making initial decisions on access and amendment applications under the IP Act;

8.4.2 liaising with both prospective applicants and University units regarding access to documents;

8.4.3 advising staff on the University's privacy obligations;

8.4.4 providing advice on privacy issues; and

8.4.5 coordination of the University's investigation and response to privacy complaints.

8.5   Heads of organisational units. Heads of organisational units are responsible for managing privacy risk in the organisational unit and implementing business processes consistent with the IP Act. They are also responsible for ensuring compliance with information requests by locating information held in their areas. If information cannot be located, a written explanation of what action was taken to locate the information is to be provided to the Deputy University Secretary.

8.6   Data custodians. Personal Information (PI) Custodian. PI Custodians are responsible for:

8.6.1 implementing reasonably practical security measures to protect privacy of personal information in information systems;

8.6.2 determining user access levels which must be consistent with privacy requirements; and

8.6.3 implementing appropriate mechanisms to revoke access to systems containing personal information, when access is no longer appropriate, for instance, in the case of a change in position or formal responsibilities, or termination of employment.

8.7   Privacy Information Users. Users are Authorised Users with access to Personal Information, and are responsible for following University instructions (including policies, procedures and guidelines) for the protection of Personal Information.

8.8   University Staff. Only access personal information where this is necessary for work purposes. Personal information must be protected against loss, unauthorised access or modification, disclosure or misuse and managed in accordance with University policy and procedures. If a staff member becomes aware of a suspected data breach, they are to contact the Information Privacy and Data Protection Officer as soon as possible with as much information as is available. All staff are to undertake required privacy training and comply with the requirements of the IP Act, this policy and all procedures and privacy protocols issued under the policy.

9.   Access and security of personal information

9.1   Access and security safeguards are important ways of protecting personal privacy. Access to personal information is granted to staff only where this is necessary for work purposes and staff must only access personal information if there is a work related reason for this. Personal information must be protected against loss, unauthorised access or modification, disclosure or misuse.

9.2   Deliberate Misuse, Unauthorised Access or Inappropriate Access by Privacy Information Users is prohibited.

10.  Prohibition on disclosure of personal information

10.1 Staff must not disclose personal information to individuals or organisations outside the University. Disclosure refers to release of personal information to another entity (e.g. a body, agency or person separate from the University) where JCU will cease to have effective control of the information once it is released.

10.2 There are some limited circumstances in which personal information may be disclosed without breaching personal privacy. These circumstances are set out in JCU’s Information Privacy Statement and Collection Notice available on the website.

10.3 Detailed Privacy guidelines setting out the considerations and procedures for disclosure of personal information in these circumstances are also available on the JCU website and must be followed. Disclosing personal information in other situations must only occur following confirmation from the Privacy and Data Protection Officer that disclosure is necessary and acceptable under other limited provisions in the IP Act.

11.  Privacy complaints

11.1 If an individual believes that JCU has not dealt with their personal information in accordance with the IP Act or this policy, they may make a complaint. A complaint must be made in writing or by email to the Privacy and Data Protection Officer or referred to that officer if received by another area of the University.

11.2 Primary responsibility for investigating and responding to the complaint will rest with the head of the organisational unit concerned, with advice from the Privacy and Data Protection Officer as required. The University's main objective in responding to privacy complaints is to conciliate an outcome which is acceptable to the complainant and which addresses any broader or systemic privacy issues which may arise.

11.3 If a complainant does not agree with the University's response, an internal review process is available or a complainant may refer the matter for independent mediation by the Office of the Information Commissioner or relevant Supervisory Authority.

11.4 The timeframes for responding to Privacy complaints are at appendix 1.

12.  Privacy breach management

12.1  The head of the relevant organisational unit must report any privacy breaches to the Privacy and Data Protection Officer as soon as practicable after the breach has been identified.

12.2  Management of a privacy breach will include steps to:

12.2.1 contain the breach;

12.2.2 evaluate the associated risks;

12.2.3 consider notifying the affected individuals; and

12.2.4 prevent any further privacy breach.

12.3  The Chief of Staff must be informed of serious breaches of this policy and any actions arising out of any investigations into a breach as per the Incident Management Policy and Procedures.

12.4  For a Notifiable Breach as per section 1.3, the University is obligated to inform the Australian Information Commissioner and particular individuals about eligible data breaches in accordance with the Personal Information – Data Breach Procedure.

12.5  A "personal data breach" for the purposes of the GDPR includes, but is not limited to, whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.

13.  Contracts with Third Party Data Processors

13.1  In the event that JCU engages a data processor to process the personal data of European Residents on the University's behalf, it will only do so if that data processor has provided the University with sufficient guarantees that it will implement appropriate technical, contractual and organisational measures that ensure compliance with the GDPR, and the protection of the personal information of European Residents.

13.2  To the extent that JCU engages a third party data processor, it will ensure that it enters into a written agreement with that data processor, which sets out, as a minimum, terms which require the processor to:

13.2.1 only act on the written instructions of JCU as the data controller;

13.2.2 ensure that people processing the data are subject to a duty of confidence;

13.2.3 take appropriate measures to ensure the security of processing;

13.2.4 only engage sub-processors with the prior consent of JCU and under a written contract;

13.2.5 assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;

13.2.6 assist JCU in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;

13.2.7 delete or return all personal data to JCU as requested at the end of the contract; and

13.2.8 submit to audits and inspections, provide JCU with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the University immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

14.  Policy Breach

14.1  Policy breaches must be reported to the Privacy and Data Protection Officer as soon as practicable.

14.2  A Policy breach that alleges Deliberate Misuse, Unauthorised Access or Inappropriate Access to personal information by a University Staff Member may be grounds for misconduct/serious misconduct and may result in disciplinary action, as prescribed by the Enterprise Agreement as amended or replaced from time to time.

14.3  Unauthorised Access or Inappropriate Access to University personal information attained as a result of system testing (i.e. penetration testing) of system security controls is not considered a Policy Breach, provided that the system testing is sanctioned by the Director, Information Communication and Technology or the Head of Organisational Unit with direct responsibility for the system storing the personal information.

Related policy instruments

Digital Technologies Acceptable Use Policy

Records Management Policy

Records Management Framework


Appendix 1 – Timeframes and process for dealing with Privacy Complaints

Requests for Access and Amendment to Personal Information Procedure

Personal Information Data Breach Procedure

General Data Protection Regulation (GDPR) Procedure

Related documents and legislation

Information Privacy Statement and Collection Notice

Privacy and Right to Information Guidelines

Fact Sheet Privacy and Right to Information

Information Privacy Act (Qld) 2009

Right to Information Act (Qld) 2009

Privacy Act 1988 (Cth)

European Union’s General Data Protection Regulation


NOTE: Printed copies of this policy are uncontrolled, and currency can only be assured at the time of printing.

Approval Details

Policy Domain: Corporate Governance
Policy Sub-domain: Risk, Assurance, Regulatory and Compliance

Policy Custodian

Vice Chancellor

Approval Authority


Date for next review


Revision History


Approval date

Implementation date






Major review to reflect EU General Data Protection regulations

Chief of Staff




Major review and amendments to reflect current legislation and separate procedural content.

Chief of Staff




Minor amendments – updated to reflect changes in job title (from Manager to Deputy Director) and the fact that Information Privacy is dealt with solely by the Governance Support Unit


11 - 1





Information, privacy, personal information, data breach, general data protection

Contact person: Chief of Staff