POLICY NO: M-1
1. To:
(a) set out the principles applying to the handling of personal information collected, used, stored and disclosed by the University; and
(b) outline the University’s adoption of the requirements of Australian Privacy Principles (APP) (schedule to the Privacy Act 1988 (Cth)) and the European Union General Data Protection Regulation (GDPR).
2. This policy applies to all Council members, employees, contractors, volunteers, adjuncts, visitors and students of the University.
3. If there is an inconsistency between requirements applying to the University under a law of an Australian jurisdiction and under a law of a foreign jurisdiction, then the University will comply with the law of the Australian jurisdiction.
4. No exclusion
5. The Vice Chancellor has oversight of this policy.
6. Unit Directors / Executive Deans are responsible for ensuring that the personal information collected, used and stored by their respective unit is handled according to this policy.
7. The Privacy Officer will fulfil the role of the privacy officer under the APP (as applied by this policy) and the data protection officer under the GDPR.
8. Any Council member, employee, contractor, volunteer, adjunct, visitor or student who collects, uses, stores or transmits personal information for, or on behalf of, the University must comply with this policy.
9. The University is committed to protecting personal information which it collects.
10. The University adopts the requirements of the APP as reflected in this policy.
11. The University will only collect:
(a) personal information (including sensitive information):
(i) by lawful and fair means; and
(ii) from the individual to whom the information relates, unless the University is required or authorised by law to collect the information from another person;
(b) personal information (other than sensitive personal information) if:
(i) the information is reasonably necessary for, or directly related to, one or more of the University’s functions or activities; or
(ii) the University is required to collect the information by, or is provided with, the personal information under, an Australian law; and
(c) sensitive personal information with the consent of the relevant individual or where the collection of the information is required or authorised by an Australian law.
12. The University will store personal information securely. The University will take reasonable steps to protect personal information from misuse, interference, loss or unauthorised access, modification or disclosure.
13. Access to personal information will only be provided to University Council members, employees, contractors, volunteers, adjuncts, visitors and students who require access to the information to undertake their role at the University.
14. The University may collect, use, store or disclose personal information:
(a) as required or authorised by law;
(b) for the particular purpose for which the information was collected (primary purpose); or
(c) for another purpose (secondary purpose) if:
(i) the relevant individual would reasonably expect the University to use or disclose the information for the secondary purpose; and
(ii) the other purpose is, in the case of sensitive personal information, directly related to the primary purpose or, in relation to other personal information, is related to the primary purpose.
15. The University may use personal information for direct marketing in accordance with the Australian Privacy Principles.
16. The University may disclose personal information to third parties in Australia or overseas in accordance with this policy.
17. The University will not adopt a government related identifier of an individual as its own identifier of an individual or use or disclose a government related identifier, unless authorised by law.
18. The University will take reasonable steps to destroy or de-identify personal information once it is no longer required for a primary or secondary purpose, unless the University is required to retain the information by law.
19. The University will comply with the legal obligations on the University under the Privacy Act or GDPR (as relevant) if there is unauthorised access to, unauthorised disclosure of, or loss of:
(a) tax file numbers held by the University; or
(b) personal information of a citizen or resident of a European Union country,
and the access, disclosure or loss is likely to result in serious harm to the individual to whom the information relates.
1. Definitions
1.1 Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
1.2 Sensitive information is a particular type of personal information which includes:
(a) information or an opinion about an individual's:
(i) racial or ethnic origin;
(ii) political opinions;
(iii) membership of a political association;
(iv) religious beliefs or affiliations;
(v) philosophical beliefs;
(vi) membership of a professional or trade association;
(vii) membership of a trade union;
(viii) sexual orientation or practices; or
(ix) criminal record,
that is also personal information;
(b) health information about an individual;
(c) genetic information about an individual that is not otherwise health information;
(d) biometric information that is to be used for the purpose of the automated biometric verification or biometric identification; or
(e) biometric templates.
2. Collection of personal information
2.1 Purposes for collecting personal information: The University collects personal information for the conduct of the University’s activities, including information about:
(a) students, including name, contact details, social media addresses, photographs, tax file numbers and other government related identifiers, grades and awards, prior studies, placements and information resulting from the University processes involving a student (e.g. investigation for academic misconduct, academic appeals);
(b) individuals related to, or associated with, students (e.g. emergency contacts, medical practitioners), including name and contact details;
(c) alumni, including name, contact details and academic awards;
(d) donor details, including name, contact details and details of gift;
(e) employees, contractors, volunteers, visitors and adjuncts including name, contact details, photographs, bank account details, tax file numbers, information resulting from the University processes involving these persons (e.g. terms of engagement, investigation for misconduct);
(f) prospective students including name, contact details, grades and awards, prior studies and information resulting from the University processes involving the prospective student (e.g. recognition of prior learning);
(g) job applicants, including name, contact details, qualifications and experience, referees and information resulting from the University processes (e.g. assessment of applicant, record of communication with referees);
(h) individuals accessing University services (e.g. the University Sport and the University Health) including name and contact details and health information;
(i) individuals accessing the University’s website, including details of website use, webpages browsed, enquiries regarding products and services and social media platforms used;
(j) individuals accessing the University facilities and events (e.g. conferences, exhibitions), including name and contact details;
(k) individuals participating in research being undertaken by the University, including name, contact details and, in some cases, health information; and
(l) individuals registering to attend events at the University, including name and contact details.
2.2 Unsolicited personal information: If the University receives unsolicited personal information, the University will assess whether or not the University could have collected that information under this policy. If the University could not have collected that information, the University will destroy or de-identify the information.
2.3 Privacy notification: The University will provide a privacy notification complying with APP 5 and Article 13 of the GDPR to an individual prior to, at the time of, or as soon as practicable after, collecting personal information from that individual.
3. Storage of personal information
Technical and organisational systems used by the University to protect personal information will be regularly assessed to ensure the security of personal information.
4. Use
4.1 Direct marketing: The University may collect personal information (other than sensitive information) provided by an individual or accessed through the University’s website, including by using tools such as cookies and pixels, and may use this information for marketing.
The University will provide individuals with a simple means to ‘opt out’ of receiving direct marketing communications. If an individual opts out of receiving direct marketing communications from the University, these communications will cease within a reasonable time of the request.
The University will only use sensitive information for direct marketing with the consent of the individual to whom the information relates.
5. Disclosure
5.1 Australian recipients: The University may disclose personal information to recipients located in Australia:
(a) with the consent of the relevant individual;
(b) as necessary for the primary purpose for which the information was collected;
(c) for a secondary purpose;
(d) if necessary to provide services or facilities to the individual to whom the information relates;
(e) as contemplated by this policy; or
(f) as required by law.
5.2. Overseas recipients: The University may disclose personal information to overseas recipients. Due to the scope of the University's operations it is not practicable to list each country to which disclosure may be made. Key countries to which disclosure may be made include the United States, the Netherlands, Singapore and Hong Kong. Personal information relating to an overseas student may be disclosed to recipients in the student's home country, including government authorities in those countries.
Prior to disclosing personal information to an overseas recipient (other than disclosure required or authorised by law or consent of the relevant individual), the University will get consent to the disclosure or will take reasonable steps to ensure that the overseas recipient does not breach the APP or that the recipient is subject to a law or binding scheme which protects the information in a substantially similar way to the APP.
5.3. Service providers: The University may disclose personal information to providers of services to the University (such as information technology providers and marketing service providers). These service providers may be located in Australia or overseas.
6. Rights of individuals
6.1. Access to personal information: An individual may request access to information held by the University about the individual by contacting the Privacy Officer. Access to personal information will be provided to the individual unless there is a basis under Australian law for the University not to provide that access.
6.2. Correction of personal information: An individual may request correction of personal information held by the University about that individual by contacting the Privacy Officer.
6.3. European Union citizens and residents: European Union citizens and residents also may:
(a) request a restriction on the processing of personal information;
(b) object to the processing of personal information;
(c) request the transfer of personal information; or
(d) request the destruction, de-identification or erasure of personal information,
by contacting the Privacy Officer.
7. Privacy Officer
7.1. Role: The Privacy Officer is the contact point for an individual in relation to the personal information which the University holds regarding that individual. An individual may contact the Privacy Officer about:
(a) correction of personal information held by the University;
(b) a question about the University’s collection, storage, use or disclosure of personal information;
(c) requests regarding the use, storage, access and disclosure of personal information;
(d) requests from a European Union citizen or resident relating to rights listed in item 6.3; and
(e) allegations of a breach of this policy or the GDPR.
7.2. Contact details: The Privacy Officer can be contacted at:
Privacy Officer
University of South Australia
GPO Box 2471
Adelaide SA, 5001
or: privacy.officer@unisa.edu.au