Policy Corporate Governance Requests for Access or Amendment to Personal Information Procedure

Requests for Access or Amendment to Personal Information Procedure

Print Friendly and PDFPrint Friendly


JCU’s functions require the collection, creation and use of personal information about students, staff and other clients. The University is committed to protecting personal privacy and recognises that staff and students have a reasonable expectation that the University will protect and appropriately manage the personal information it holds about them.

This Procedure outlines the right of access to, and process for accessing or amending personal information collected by the University.


This policy applies to all University staff, affiliates, students, contractors and any other third party who collects or manages personal information on behalf of the University.


Except as otherwise specified in this procedure, the meaning of terms used in this policy are as per the Policy Glossary and the governing Information Privacy Policy.


1.   Application process

1.1   An IP Act request by a person, for access to their own personal information, must be made using the appropriate form. An applicant should obtain an application form from the Information Privacy webpage and post or deliver the application to:

Deputy University Secretary (Privacy and Data Protection Officer)
James Cook University
Townsville QLD 4811

Via email: secretariat@jcu.edu.au

2.   Release of personal information

2.1   The personal information of staff and students will not be released without their written consent except in the following instances:

2.1.1 where it is a matter of public record, (eg awards conferred – the University will only confirm whether you have an award to prospective employers);

2.1.2 where requisite information is made available to professional regulatory bodies as part of the registration requirements of those bodies (eg state medical boards, teaching regulatory bodies);

2.1.3 where a request is made in accordance with a legislative or statutory provision (eg requests by Centrelink, made under an Act or Statute, for details regarding the enrolment status of students);

2.1.4 where there is appropriate documentary evidence that the individual has agreed to disclosure;

2.1.5 where a privacy notice given at the point of collection advises the individual about the usual practices for disclosure;

2.1.6 where disclosure is required or authorised by law (for example, court order or subpoena, legislative obligation to disclose)

2.1.7 where disclosure is necessary to manage or lessen a serious threat to a person’s life, health, safety, or welfare, or to public health, safety or welfare

2.1.8 where disclosure is necessary for investigation or enforcement of criminal matters or other law enforcement matters.

2.2   A record of all personal information released will be kept. Under the Information Privacy Act, an individual has the right of access to documents held by the University which contain that individual’s personal information, and has the right to amend that information, if it is inaccurate, misleading, incomplete or out of date.

2.3  The Act provides that access to certain documents or to certain information contained in documents may be refused in order to protect public interests or the private or business affairs of others. A request to obtain access to documents which contain information about the private affairs of others will usually be refused.

2.4  The University may also refuse access to documents on the grounds that there would be a substantial and unreasonable workload in identifying, locating and collating the volume of documents in question.

3.   Access and Amendment of Personal Information

3.1   The University will deal with requests for access or amendment, by an individual, of their personal information held by University, in accordance with this procedure.

3.2   All requests must be made in writing and specify the personal information in question for access or amendment.

3.3   On receipt of a request, and within a reasonable timeframe, the University will take reasonable steps to inform the individual who made the request:

3.3.1 what personal information the University holds in relation to that individual;

3.3.2 why the personal information is held;

3.3.3 how the University collects (or collected), holds (or held), uses (or used) and discloses (or disclosed) the personal information.

3.4   The University will confirm with the individual whether they wish to have access to the personal information in question and / or make an amendment.

3.5   The University will ordinarily give an individual access to their personal information unless an exception applies as set out in sections 2.3 and 2,4.

3.6   If a request for access or amendment is refused by the University it will, within a reasonable time frame, provide the individual who made the request with specific written reasons for the decision and advise the applicant of their rights to appeal against the decision.

3.7   The University is obliged under the Information Privacy Principles, without an individual's request for amendment, to amend inaccurate, out-of-date, incomplete, irrelevant or misleading personal information if the University is satisfied that, having regard to the purpose for which the personal information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. If this occurs, the University must take all reasonable steps to amend that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.

3.8   If an individual is of the view that their personal information requires amendment, they should contact the Privacy and Data Protection Officer listed under section 1.1 above.

4.   Response to requests for access

4.1  The University is required to acknowledge receipt of the request within ten (10) business days, to consult with the applicant regarding any difficulties in dealing with the request, and either grant access to the documents or provide specific written reasons for refusing access within twenty-five (25) business days. This may be extended by a further ten (10) business days if consultation with a third party is required.

4.2  If inspection only of documents has been requested the applicant will be provided with reading facilities. At the applicant's request, the University will provide a copy of the documents, where possible, in the format requested.

5.   Charges

5.1   There is no charge for access to, or amendment of, personal information.

5.2   There may be charges for copies of documents or other services. Where hardship can be demonstrated these fees may be waived.

6.   Appeal

6.1    The IP Act gives members of the public a legally enforceable right to appeal against a refusal by the University to grant access to, or to amend, personal information.

7.   Internal Review

7.1   If the decision on an IP Act request was made by a University officer other than the Vice Chancellor, an applicant may request the University to reconsider its decision. An applicant may however apply directly for external review without first seeking internal review.

7.2   An application for internal review must be lodged in writing within twenty (20) business days of notification of the decision stating reasons for seeking amendment of the decision or identifying particular aspects of the decision which are of concern, and must be lodged with:

University Secretary and RTI Internal Review Officer

Secretariat and Records

James Cook University,

Townsville, Qld 4811.

Via email: universitysecretary@jcu.edu.au

7.3   A new decision will be made as soon as practicable (as if the reviewable decision had not been made), but no longer than twenty (20) business days after the application is received, by the RTI Internal Reviewer. Reasons will be given if the appeal against the original decision is not upheld. Applicants will also be advised of their rights to seek external review.  Where the Internal Review Officer fails to make a decision within the prescribed timeline, it will be deemed that they have made a decision re-affirming the original decision.

8.   External Review

8.1   The Information Commissioner is an independent person responsible for reviewing the IP Act decisions of all agencies.

8.2   An application to the Commissioner for external review may be made if:

8.2.1 the request was decided originally by the Vice-Chancellor;

8.2.2 an applicant is dissatisfied with the outcome of an internal review; or

8.2.3 the Internal Review Officer fails to make a decision within the prescribed timeline.

8.3    An application for external review must be made in writing within twenty (20) business days of the notification of the decision or outcome of internal review.

8.4   Further information and contacts are available on the Information Privacy webpage.

9.   Third-Party Requests for Personal Information in Relation to Legal Processes

9.1   From time to time, third parties, such as the Queensland Police, legal representatives and others submit requests for personal information in relation to legal processes.

9.2   Information will only be provided to legal representatives where a subpoena or writ of non-party disclosure is provided, or where the individual to whom the request relates has provided written consent.

9.3   Where law enforcement agencies (eg the Police) or third parties wish to request personal information regarding a student, then this request must be submitted in writing by an authorised officer, quoting the Act or Statute under which the request is made, and addressed to the Director, Student Services.

9.4   Where law enforcement agencies (eg the Police) or third parties wish to request personal information regarding a member of staff, then this request must be submitted in writing by an authorised officer, quoting the Act or Statute under which the request is made, and addressed to the Director, Human Resources.

9.5   All other legal requests will be dealt with by the University Legal Counsel.

10.  Alleged Breach of Privacy

10.1  If individuals believe their personal information has not been dealt with in accordance with the Information Privacy Act 2009 or there has been an unauthorised release of their personal information, refer to the Personal Information Data Breach Procedure and the Information Privacy policy for making a complaint where appropriate (section 7).

Related policy instruments

Information Privacy Policy

Personal Information Data Breach Procedure

General Data Protection Regulation (GDPR) Procedure

Digital Technologies Acceptable Use Policy

Records Management Policy

Records Management Framework

Related documents and legislation

JCU’s Information Privacy Statement and Collection Notice

Privacy and Right to Information Guidelines

Fact Sheet Privacy and Right to Information

Information Privacy Act 2009 (Qld)

Right to Information Act (Qld) 2009

Privacy Act 1988 (Cth)

European Union’s General Data Protection Regulation


Approval Details

Policy Domain Corporate Governance
Policy Sub-domainRisk, Assurance, Regulatory and Compliance

Policy Custodian

Vice Chancellor

Approval Authority


Date for next Major Review


Revision History


Approval date

Implementation date



19-1 12/06/2019 25/07/2019 Revisions to incorporate EU GDPR obligations Chief of Staff




Procedure established

Chief of Staff


Information, privacy, personal information, data breach