Requests for Access to Personal Information Procedure

Policy Procedures Requests for Access to Personal Information Procedure

Requests for Access to Personal Information Procedure


Print Friendly and PDFPrint Friendly

Intent

JCU’s functions require the collection, creation and use of personal information about students, staff and other clients. The University is committed to protecting personal privacy and recognises that staff and students have a reasonable expectation that the University will protect and appropriately manage the personal information it holds about them.

This Procedure outlines the right of access to, and process for accessing personal information collected by the University.

Scope

This policy applies to all University staff, affiliates, students, contractors and any other third party who collects or manages personal information on behalf of the University.

Definitions

Except as otherwise specified in this procedure, the meaning of terms used in this policy are as per the Policy Glossary and the governing Information Privacy Policy.

Procedure

  1. Application process
    1. An IP Act request by a person, for access to their own personal information, must be made using the appropriate form. An applicant should obtain an application form from the Information Privacy webpage and post or deliver the application to:

    Deputy University Secretary and Privacy Officer
    Secretariat
    James Cook University

    Townsville, QLD 4811

    Via email: secretariat@jcu.edu.au

  2. Release of personal information
    1. The personal information of staff and students will not be released without their written consent except in the following instances:
      1. where it is a matter of public record, (eg awards conferred);
      2. where requisite information is made available to professional regulatory bodies as part of the registration requirements of those bodies (eg state medical boards, teaching regulatory bodies);
      3. where a request is made in accordance with a legislative or statutory provision (eg requests by Centrelink, made under an Act or Statute, for details regarding the enrolment status of students);
      4. where there is appropriate documentary evidence that the individual has agreed to disclosure;
      5. where a privacy notice given at the point of collection advises the individual about the usual practices for disclosure;
      6. where disclosure is required or authorised by law (for example, court order or subpoena, legislative obligation to disclose)
      7. where disclosure is necessary to manage or lessen a serious threat to a person’s life, health, safety, or welfare, or to public health, safety or welfare
      8. where disclosure is necessary for investigation or enforcement of criminal matters or other law enforcement matters.
    2. A record of all personal information released will be kept. Under the Information Privacy Act, an individual has the right of access to documents held by the University which contain that individual’s personal information, and has the right to amend that information, if it is inaccurate, misleading, incomplete or out of date.
    3. The Act provides that access to certain documents or to certain information contained in documents may be refused in order to protect public interests or the private or business affairs of others. A request to obtain access to documents which contain information about the private affairs of others will usually be refused.
    4. The University may also refuse access to documents on the grounds that there would be a substantial and unreasonable workload in identifying, locating and collating the volume of documents in question.
  3. Response to requests for access
    1. The University is required to acknowledge receipt of the request within ten (10) business days, to consult with the applicant regarding any difficulties in dealing with the request, and either grant access to the documents or provide specific written reasons for refusing access within twenty-five (25) business days. This may be extended by a further ten (10) business days if consultation with a third party is required.
    2. If inspection only of documents has been requested the applicant will be provided with reading facilities. At the applicant's request, the University will provide a copy of the documents, where possible, in the format requested.
  4. Charges
    1. There is no charge for access to, or amendment of, personal information.
    2. There may be charges for copies of documents or other services. Where hardship can be demonstrated these fees may be waived.
  5. Appeal
    1. The IP Act gives members of the public a legally enforceable right to appeal against a refusal by the University to grant access to, or to amend, personal information.
  6. Internal Review
    1. If the decision on an IP Act request was made by a University officer other than the Vice-Chancellor, an applicant may request the University to reconsider its decision. An applicant may however apply directly for external review without first seeking internal review.
    2. An application for internal review must be lodged in writing within twenty (20) business days of notification of the decision stating reasons for seeking amendment of the decision or identifying particular aspects of the decision which are of concern, and must be lodged with: University Secretary and RTI Internal Review Officer, Secretariat and Records, James Cook University, Townsville QLD 4811. Via email: universitysecretary@jcu.edu.au
    3. A new decision will be made as soon as practicable (as if the reviewable decision had not been made), but no longer than twenty (20) business days after the application is received, by the RTI Internal Reviewer. Reasons will be given if the appeal against the original decision is not upheld. Applicants will also be advised of their rights to seek external review.  Where the Internal Review Officer fails to make a decision within the prescribed timeline, it will be deemed that they have made a decision re-affirming the original decision.
  7. External Review
    1. The Information Commissioner is an independent person responsible for reviewing the IP Act decisions of all agencies.
    2. An application to the Commissioner for external review may be made if:
      1. the request was decided originally by the Vice-Chancellor;
      2. an applicant is dissatisfied with the outcome of an internal review; or
      3. the Internal Review Officer fails to make a decision within the prescribed timeline.
    3. An application for external review must be made in writing within twenty (20) business days of the notification of the decision or outcome of internal review.
    4. Further information and contacts are available on the Information Privacy webpage.
  8. Third-Party Requests for Personal Information in Relation to Legal Processes
    1. From time to time, third parties, such as the Queensland Police, legal representatives and others submit requests for personal information in relation to legal processes.
    2. Information will only be provided to legal representatives where a subpoena or writ of non-party disclosure is provided, or where the individual to whom the request relates has provided written consent.
    3. Where law enforcement agencies (eg the Police) or third parties wish to request personal information regarding a student, then this request must be submitted in writing by an authorised officer, quoting the Act or Statute under which the request is made, and addressed to the Director, Student Services.
    4. Where law enforcement agencies (eg the Police) or third parties wish to request personal information regarding a member of staff, then this request must be submitted in writing by an authorised officer, quoting the Act or Statute under which the request is made, and addressed to the Director, Human Resources.
    5. All other legal requests will be dealt with by the University Legal Counsel.
  9. Alleged Breach of Privacy
    1. If individuals believe their personal information has not been dealt with in accordance with the Information Privacy Act 2009 or there has been an unauthorised release of their personal information, refer to the Personal Information Data Breach Procedure and the Information Privacy policy for making a complaint where appropriate (section 7).

Related policy instruments

Information Privacy Policy

Personal Information Data Breach Procedure

Information Communication Technology Acceptable Use Policy

Records Management Policy

Records Management Framework

Related documents and legislation

JCU’s Information Privacy Statement and Collection Notice

Privacy and Right to Information Guidelines

Fact Sheet Privacy and Right to Information

Information Privacy Act (Qld) 2009

Right to Information Act (Qld) 2009

Administration

Approval Details

Procedure sponsor:

Chief of Staff

Approval authority:

Vice Chancellor

Date for next review:

22/05/2021

Revision History

Version

Approval date

Implementation date

Details

Author

18-1

22/05/2018

22/05/2018

Procedure established

Chief of Staff

Keywords

Information, privacy, personal information, data breach