Right to Information and Privacy

Right to Information and Privacy

Right to Information and Privacy

James Cook University (JCU) takes its obligations under the Queensland Right to Information Act 2009 ('RTI Act') and the Queensland Information Privacy Act 2009 ('IP Act') seriously.

The RTI Act provides the public with a legally enforceable right to seek access to information and documents containing non-personal information held by JCU unless access would, on balance, be contrary to the public interest.

The IP Act provides individuals with a legally enforceable right of access to, and amendment of, their own personal information held by JCU, unless this would, on balance, be contrary to the public interest.

JCU has a developed a number of resources in relation to these Acts, the links below will take you to the relevant pages:

Information Privacy Statement

Collection, use and disclosure of personal information

Purpose

JCU is committed to protecting personal privacy and recognises that staff and students have a reasonable expectation that the University will protect and appropriately manage the personal information it holds about them. The Information Privacy Principles contained in the IP Act set the standard for the use and management of personal information collected by or provided to JCU.

This collection, use and disclosure statement explains how and why JCU collects, uses and discloses personal information. It should be read with the JCU Information Privacy Policy and its associated procedures. The statement provides examples of the types of personal information collected, how it used and when JCU will disclose such personal information. Not every example of the collection, use and disclosure of personal information may be contained in this statement.

Why JCU collects personal information

JCU collects personal information, including sensitive information, about prospective and current students; parents, guardians and care-providers; next of kin; staff; alumni; volunteers; and contractors. The overall purposes of collecting this information are to:

  • Enable JCU to deliver education, research and other services;
  • Meet the wider functional needs of the University, including financial management, legal accountability and national reporting requirements; and
  • Meet the requirements of legislation or external government agencies.

How JCU collects personal information

JCU takes all reasonable steps to ensure that the personal information collected is:

  • Necessary and lawful for the University’s purposes;
  • Relevant to the purpose of collection;
  • Collected in a fair way, without unreasonable intrusion; and
  • As up-to-date, complete and as secure as possible.

JCU's preferred source of personal information is the individual concerned. However, there are other important sources of personal information, which may include the following:

Information about students

  • Schools, Queensland Tertiary Admissions Centre (QTAC), its successors and equivalent interstate and overseas bodies;
  • Other tertiary institutions; and
  • Information technology records.

Information about staff

  • Previous employers and referees nominated by prospective and current staff members;
  • Academic assessors;
  • External and internal medical and rehabilitation documentation;
  • Promotion and performance review assessments;
  • Information technology records; and
  • Student and staff feedback.

Where JCU collects personal information about an individual from a third party, it will take all reasonable steps to ensure that the individual has been made aware of the collection.

Use and disclosure of your personal information

JCU will take all reasonable steps to ensure that personal information is protected against loss, unauthorised access, modification or disclosure, and other misuse and will destroy or permanently de-identify personal information if it is no longer needed.

Personal information collected and held by JCU will only be accessed and used by people employed or engaged by the University as required in the fulfilment of their duties and in a manner consistent with the original purpose.

Information may be used or disclosed to organisations outside the University where permitted by the IP Act. It may also be used or disclosed for secondary purposes in certain circumstances but only if:

  • The secondary purpose is directly related to the primary purpose of collection and the individual would reasonably expect the use or disclosure of the information for the secondary purpose; or
  • The University reasonably believes that the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual's life, health or safety or a serious threat to public health or public safety; or
  • The University has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons, authorities or agencies; or
  • The use or disclosure is required or specifically authorised by law.

Personal information, including sensitive information and health information, may be used for the following purposes:

Student personal information

Students' personal information is collected for the purpose of providing education and ancillary services, in accordance with legislative governmental requirements under the Migration Act, Taxation Acts, Queensland Education Acts and Commonwealth Education Acts.

Personal information gathered from potential students is recorded for marketing and recruitment activities. The University also collects, links and analyses student enrolment, performance and systems activity and usage data, for the purpose of predictive analytics to improve our understanding of student needs, and to support students.

JCU handles student information on admission, enrolment, progression, graduation and student access to academic and support services, and such information will be held in the Student Management System and eAcademic. In accordance with the ICT Acceptable Use Policy, the University may monitor students' use of information technology systems for the purpose of determining appropriate use. The University also uses records to keep in contact with former and potential students. Student records may include:

  • Personal details including date of birth, postal, term time and permanent home addresses, personal email address, home and mobile telephone numbers, signature, next of kin and emergency contact information;
  • Application, admission, enrolment, course administration, progression and assessment, credit transfer, appeal and attendance records;
  • Academic performance and placement experience (e.g. clinical and industrial placements), examination and assessment (including grades);
  • Academic integrity, misconduct, appeals, code of conduct matters, student complaints and grievances;
  • Applications for and award of prizes, study assistance, scholarships and grants including confirming attendance and performance with scholarship/grant bodies in Australia and overseas;
  • International education agents with whom the University has arrangements may be provided with the personal information to assist in the management and administration of their students;
  • Graduation records, professional accreditation including post-graduation outcomes;
  • Financial information in relation to fees, charges and debts, and/or HECS-HELP or FEE-HELP statements (including tax file numbers and bank account/credit and/or debit card details);
  • Qualifications and status for specific courses (e.g. possession of Blue Card, Immunisation records, fitness to practice, first aid);
  • Access and use of University services and facilities (e.g. Library, ICT, Halls of Residence);
  • Personal welfare records (e.g. health, disability, medical, counselling matters);
  • Careers advice records;
  • Equity information, socio-economic group and educational background;
  • Electoral rolls for student elections;
  • Membership on committees;
  • Photographic images, video and voice recordings to assist in the provision of services by the University e.g. photographs for ID cards, video and voice capture of lectures as an aid to student learning (provision of lectures via LearnJCU or MediaSite), CCTV images for the purpose of security and crime prevention;
  • On occasion photographs may be taken on campus for marketing and publication purposes. If you object to the use of your image, you should inform the photographer at the time, or if the image has already been published, contact the Privacy Officer; and
  • Other student related matters.

Student records are retained for various periods in accordance with the University Sector Retention and Disposal Schedule, as approved by the Queensland State Archivist.

Information held in student records may be disclosed outside the University, when required or authorised by law, for example:

  • Where it is a matter of public record (e.g. awards conferred – the University will confirm whether you have an award to prospective employers on an individual basis);
  • Where requisite information is made available to professional regulatory bodies as part of the registration requirements of those bodies (e.g. state medical boards, teaching regulatory bodies);
  • Where a request is made in accordance with a legislative or statutory provision (e.g. requests by Centrelink, the Australian Tax Office or other government agencies/department made under an Act or Statute);
  • Where there is appropriate documentary evidence that the individual has agreed to disclosure;
  • Where a privacy notice given at the point of collection advises the individual about the usual practices for disclosure;
  • Where disclosure is required or authorised by law (for example, court order or subpoena, legislative obligation to disclose);
  • Where disclosure is necessary to manage or lessen a serious threat to a person’s life, health, safety, or welfare, or to public health, safety or welfare;
  • Where disclosure is necessary for investigation or enforcement of criminal matters or other law enforcement matters;
  • The Queensland Tertiary Admissions Centre (QTAC) and equivalent interstate/overseas bodies including the exchange of information through the Automated Result Transmission Service (ARTs) for the purposes of application, admissions and enrolment;
  • Factual data (name, address, etc.) to the James Cook University Student Association and student bodies to enable them to manage their membership;
  • Academic progress information to another tertiary institution or related body as required in the course of a student’s transfer to a new institution;
  • Personal and enrolment information, including academic results, of students undertaking cross-institutional study to the relevant institution as required to confirm the student’s enrolment or qualification;
  • Personal information to relevant organisations engaged by the University to provide debt recovery services;
  • Statutory, statistical, questionnaire returns, personal and enrolment information within JCU or for other related stakeholders or government agencies for the purpose of research/studies after the admissions process has been completed or during the course of your studies or post-graduation;
  • Personal information to third parties providing services (e.g. hosted solutions or surveys) or acting on JCU’s behalf where there is a legally binding agreement or contract between JCU and the service provider which require compliance with the Information Privacy Principles contained in the IP Act;
  • Personal information (including photographic images) and enrolment information (including academic results) of students undertaking apprenticeship training to their employer;
  • Personal information (including photographic images) and enrolment information (including academic results) of students undertaking work, professional or clinical placements to the relevant organisation;
  • Various professional bodies where a course requires professional accreditation; and
  • Other agencies and bodies in accordance with legislative requirements.

Staff Personal Information

JCU collects, stores and uses employee personal information to undertake human resource management functions and to enhance the quality of learning and teaching. The University is required to maintain employee personal information, e.g. institutional survey data, employment history, payroll and superannuation information relating to current and former, continuing and fixed-term contract (casual and temporary) employees.

Employee personal records may include:

  • Personal details including date of birth, postal, term time and permanent home addresses, personal email address, home and mobile telephone numbers, signature, next of kin and emergency contacts;
  • Employment records relating to recruitment, selection and appointment (e.g. applications, CVs, references), commencement and cessation records;
  • Financial and business records such as payroll and superannuation, including bank account details, tax file number, salary packaging and other benefits;
  • Leave, attendance and sickness records;
  • Visa, passport and residency documentation if required;
  • General employment administration such as performance management and appraisals, probation and promotions, temporary higher duties, re-deployment and secondment;
  • Provision of services to staff and general administration;
  • Information technology records, such as internal and external telephone, email and internet activity records;
  • Staff development and training records including travel and study support assistance;
  • Health and safety records including health and welfare matters;
  • Staff grievances, discipline, appeals and complaints;
  • Equity information;
  • Research outputs, publication records, research and participation in commercial consultancies;
  • Grants, funding awards, honours and recognitions;
  • Accidents and injury including compensation and rehabilitation arrangements
  • Use of and access to services like travel, university vehicles, health, library and information technology;
  • Electoral rolls for staff elections;
  • Membership of university committees; and
  • Photographic images, video and voice recordings to assist in the provision of services by the University e.g. photographs for ID cards, video and voice capture of lectures as an aid to student learning (provision of lectures via LearnJCU or MediaSite), CCTV images for the purpose of security and crime prevention;
  • Institutional survey data;
  • Other employee related matters.

Staff records are retained for various periods in accordance with the University Sector Retention and Disposal Schedule, as approved by the Queensland State Archivist.

In accordance with the ICT Acceptable Use Policy, the University may monitor staff use of information technology systems.

Third party personal information

JCU has connections with the local community, business, industry and professional organisations concerned with or supporting the core functions of the University (research, teaching and learning) or ancillary services or activities, such as:

  • Users of consultancy, health, facilities or library services;
  • Collaborators or subcontractors involved in research;
  • Research participant records;
  • Consultants or contractors;
  • Donors or scholarship providers;
  • Marketing records including those of participants in marketing campaigns;
  • External committee members, contact and personal details;
  • Alumni and Convocation members; and
  • Other third party related matters.

Third party records are retained for various periods in accordance with the University Sector Retention and Disposal Schedule, as approved by the Queensland State Archivist.

Research participants' personal information

The type of personal information collected for research projects will vary according to the subject matter of the research. Before collecting or using the personal information of others in research the researcher must have obtained approval from the JCU Human Research Ethics Committee through the Research Services Office.

It is the responsibility of the researcher and the relevant Division/College to ensure compliance with the information privacy principles in the IP Act. The personal information should be securely held and access to it should be limited to members of the research team, the funding body, if appropriate, and staff providing assistance to or supervising the research team. Researchers should seek the informed written consent of individuals who will provide personal information for research purposes and keep a record of that consent.

Research records are retained for various periods in accordance with the University Sector Retention and Disposal Schedule, as approved by the Queensland State Archivist and other requirements.

Electronic information

JCU’s information systems routinely hold, process and store significant amounts of personal and business related information. Such records may relate to former and present staff, students, and third parties. For administrative reporting purposes, the University collates specific statistical information from electronic traffic.

JCU's web proxy servers log student and staff usage and record the following information in relation to students and staff for statistical, learning support, monitoring of appropriate use and cost recovery purposes:

  • The login ID and IP address for the requesting student or staff member;
  • The date, time and duration of requests to the sites;
  • The URLs of sites visited by the student or staff member when browsing off campus; and
  • The URLs and sizes of pages and documents downloaded.

JCU's web servers log usage and record the following information in relation to external visitors for student recruitment, statistics and cost recovery purposes:

  • The IP address of the requesting external visitor;
  • The date and time of the visit;
  • The page/s accessed;
  • The status and size of the access;
  • The login ID for pages where authentication is required to access restricted information; and
  • The browser, version and operating system of the requesting external visitor.

JCU's mail servers log student and staff usage and record the following information for statistics and cost recovery:

  • The sender and receiver addresses; and
  • The size of the message received and the delay time to deliver.

JCU's phone systems log the following information regarding off-campus outgoing calls for statistics and cost recovery:

  • The student or staff member's phone number;
  • The call duration and dialled number; and
  • The date and the time of the call.

Information may also be recorded by JCU when you email us via our website or use an online form or other web based system.

JCU may monitor its websites for internal management purposes and use analytics (e.g. Google Analytics to gather statistics about how our websites are used. A web cookie is a small string of text sent from a website and placed on user’s hard drive by the user's web browser during data exchange that happens when a browser visits a website. Cookies allow a website to store information on your machine and retrieve it later. There may be cookies and tracking in some University sites and systems in order to:

  • Create anonymised user statistics and analytics for the site or system;
  • Manage transactions across multiple pages;
  • Authenticate you to systems and keeping you logged into those systems; and
  • Remember your preferences.

Google Analytics also uses cookies. The information generated by the cookie about your use of our website may be transmitted to and stored by Google on servers located outside of Australia. No personally identifiable information is recorded or provided to Google.

Some University web pages may also contain embedded content from non-University sites, those sites may also contain cookies. You should refer to those non-University sites for their privacy policies. The University website may also provide links to websites outside of the JCU web domain. The University website is not responsible for the content, cookies or privacy practices of such external websites.

JCU's financial system also holds, processes and stores personal information in support of the University’s normal business practices. In the main information relating to the financial management and business operations will only relate to financial transactions between the University and its customers, suppliers and contractors and will therefore only contain small quantities of personal information. The types of information stored in financial records includes:

  • Names, addresses and bank account details related to electronic payment of accounts;
  • Records of accounts payable or receivable, including the names of creditors and debtors;
  • Customer records relating to business operations or facilitates management, e.g. Halls of Residence;
  • Records of contractors and consultants;
  • Records relating to professional services provided to or by the University;
  • Tender information and documents; and
  • Information for the purpose of managing the performance of a contract including processing and accounting for expenditure, revenue, assets, liabilities, provisions, reserves, staff reimbursement and subsistence in accordance with the Financial Accountability Act 2009 and the Financial and Performance Management Standard 2009.

Financial records are retained for various periods in accordance with the University Sector Retention and Disposal Schedule, as approved by the Queensland State Archivist and other requirements such as the Financial and Performance Management Standard 2009.

The following staff/others have access to financial records:

  • The External auditors from the Queensland Audit Office;
  • JCU’s internal auditors; and
  • Executive and senior academic and administrative staff.

JCU takes every precaution to protect data from loss, misuse, unauthorised access or disclosure, alteration, or destruction. However, there are inherent risks associated with transmission of information via the Internet. Therefore students and staff members should make their own assessment of the potential risks to the security of their information when making a decision as to whether or not to transmit information to the University by electronic means. Further details may be obtained from the Privacy Officer, Secretariat by email to secretariat@jcu.edu.au

JCU may, from time to time, update its Information Privacy Policy and/or Collection, Use and Disclosure Statement to ensure they remain appropriate to changing laws, technology and the University environment.