Queensland University of Technology Brisbane Australia Skip bannerSkip to content A university for the real world - Manual of Policies and Procedures
QUT Home
Contact us
MOPP Home Protocol for MOPP Policy Recent Updates

F/9.1 Privacy policy
Chapters
A - Governance/Organisation
B - Human Resources
C - Teaching/Learning
D - Research/Development
E - Student Administration
F - Information Management
G - Financial Management
H - Physical Facilities
I - International/Community
MOPP Appendices
- - - - -
MOPP Protocol
MOPP Updates

[Print-friendly version]

Contact Officer

Privacy Contact Officer, Governance Services

Approval Date

07/06/2007

Approval Authority

Vice-Chancellor

Date of Next Review

01/07/2010

9.1.1 Policy statement
9.1.2 Definition of personal information
9.1.3 Roles and responsibilities for privacy
9.1.4 Collection of personal information
9.1.5 Access and security for personal information records
9.1.6 Use of personal information records
9.1.7 Prohibition on disclosure of personal information
9.1.8 Exceptions relating to disclosure of personal information
9.1.9 Register of graduates
9.1.10 Student numbers and other unique identifiers
9.1.11 Access to and amendment of an individual's own record
9.1.12 Privacy complaints
9.1.13 Contracts involving personal information
Related Documents
Modification History

Top

9.1.1 Policy statement

QUT's functions necessitate the collection, creation and use of personal information about students, staff and other clients. QUT is strongly committed to protecting personal privacy by complying with 11 information privacy principles which govern how and when personal information may be collected, stored, used and disclosed. QUT recognises that staff and students, both past and present, and other clients and individuals having links to QUT, have a legitimate expectation that the University will protect and appropriately manage the personal information it collects and holds about them.

This policy is derived from obligations under the Queensland Government's Information Standard No 42 - Information Privacy ( IS42 ), which applies to statutory authorities such as QUT. This policy also supports QUT's obligations to comply with information security requirements (see F/1.2 ).

Top

9.1.2 Definition of personal information

This policy applies to "personal information". This is defined in IS42 as any information or opinion, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Personal information can be in any format and, for the purposes of this definition, includes photographs and images, usernames and passwords. Unique identifiers such as student/staff/payroll numbers, tax file numbers, credit card numbers and bank account details are also personal information. Personal information may be recorded in a variety of formats including, but not limited to, hard copy records, databases, administrative systems and staff/student identity cards.

Where data is recorded in a way which cannot be linked to a known individual, then the privacy principles do not apply.

Top

9.1.3 Roles and responsibilities for privacy

All staff

It is the responsibility of all staff to respect personal privacy in so far as they collect, access or use personal information about others in the course of their duties, and to comply with the specific requirements of this policy.

Privacy must also be appropriately respected in the human research context, and all staff and students undertaking research must comply with the University's policies and procedures for research involving personal information, including the requirement to obtain ethical approval where applicable. Refer to Office of Research ( Research Ethics Office ) for further details.

Data custodians

The nominated data custodian of major datasets used to support QUT functions must comply with specific responsibilities described in this policy and in QUT's policy on provision and use of information resources and services ( F/1.1.3 ) and in the information security policy ( F/1.2 ), all of which support QUT privacy obligations.

Heads of organisational units

As the functions of many organisational units within the University require the collection or management of personal information, responsibility for assessing privacy risk and for implementing business processes which are consistent with privacy principles rests with the head of each organisational unit. Specific, ongoing responsibilities include:

  • implementation and regular review of appropriate data collection practices (see section 9.1.4 below);
  • ensuring personal information is used and managed appropriately by staff within the organisational unit;
  • implementing adequate security requirements for access to and storage of personal information in all formats within the organisational unit; and
  • ensuring that privacy training and awareness is embedded in practices and procedures of the organisational unit as appropriate.

Privacy Contact Officer

The Registrar, as chief administrative officer, has general responsibility for privacy management, and has designated a Privacy Contact Officer in Governance Services to facilitate the implementation of IS42 at QUT. Specific responsibilities of the Privacy Contact Officer include:

  • maintenance of QUT's privacy plan;
  • training and advisory services, including the development of a strategy for regular training of staff on their responsibilities in areas of high privacy risk;
  • provision of assistance for the development of privacy notices; and
  • receipt of privacy complaints (see section 9.1.12 below).

Top

9.1.4 Collection of personal information

Personal information must be collected only where necessary and relevant to QUT’s functions and activities and in accordance with other privacy collection principles. The head of an organisational unit responsible for functions or activities requiring the collection of personal information must:

  • regularly review data collection activities to exclude collection of personal information which is irrelevant to the business process or where there is no specific and immediate use for the information collected;
  • develop appropriate privacy notices when collecting information directly from the person concerned, irrespective of the means by which personal information is collected;
  • ensure that collection methods adopted meet requirements for fairness, and are non-intrusive (in particular, in the context of logging network or IT activities);
  • determine whether recording names or other identifying details is necessary to perform the function or activity.

Special considerations apply to data collection practices in the context of human research. In particular, the principle of informed and voluntary consent should form the basis of data collection practices in human research, and when properly applied, is consistent with privacy principles. For further details, refer to policy on research involving the participation of humans ( D/6.2 ) and supporting guidelines.

Top

9.1.5 Access and security for personal information records

The implementation of adequate security safeguards is a significant means of protecting personal privacy. Reasonable measures must be put in place to prevent unauthorised access, loss, disclosure or misuse of personal information. Detailed arrangements for management of information security generally are found in the information security policy ( F/1.2 ).

For personal data in information systems, the data custodian has formal responsibility for implementing adequate security measures to protect privacy (see F/1.1 ). Additionally, the data custodian determines user access levels for the dataset or system, though the decision to grant access to individual staff may be delegated. Access rights should be formally documented and reviewed periodically. The data custodian is also responsible for implementing appropriate mechanisms to revoke access to personal information data or records when access is no longer necessary or appropriate, for instance, in the case of a change in position or formal responsibilities, or termination of employment. In regard to local files and records, security procedures and management of access are the responsibility of the head of the organisational unit.

The head of the organisational unit is responsible for ensuring that personal information records held in physical or hard copy files and records is also secured. Physical security strategies may include restricting building and work area access, ensuring facilities (offices, filing cabinets or other storage facilities) are locked when not in use, and implementing “clean desk” procedures.

In addition, good records management practices for physical files, for instance recording file movements, undertaking file audits, placing appropriate security classifications on files, and managing records retention, are designed to safeguard against loss or unauthorised access. Care must be taken to ensure secure and confidential destruction of records containing personal information (which may only be undertaken in accordance with authorised disposal schedules). Refer to QUT's records management policy ( F/8.1 ) and supporting procedures.

Individual staff are entitled to access personal information records (irrespective of format) only where there is a legitimate need to do so, and only to the extent required to perform the staff member's duties (the "least privilege" principle). Additionally, individual users of QUT's personal information datasets and systems must take reasonable precautions to safeguard their access to these systems, such as the protection of passwords. Individual user responsibilities for security are outlined in QUT's Information Facilities Rules ( Appendix 1(c) ).

Top

9.1.6 Use of personal information records

Privacy obligations impose the following requirements in relation to the use by the University of personal information held in QUT records and datasets:

  • the requirement to take reasonable steps to ensure that information is accurate, up-to-date and complete before it is used, since it is important that decisions or actions by the University are based on accurate and complete facts. This responsibility rests with the relevant data custodian or head of the organisational unit in which the personal information is held;
  • the requirement to use information only in circumstances where it is relevant, and provided that it is used only for the purpose for which it has been collected or a directly related purpose. This is the responsibility of all staff.
There are several recognised but limited exceptions to the restrictions on use of personal information and further guidance on use of personal information for other purposes is available from the Privacy Contact Officer.

Top

9.1.7 Prohibition on disclosure of personal information

Staff must not disclose personal information to individuals or organisations outside the University. Disclosure refers to release of personal information out of the effective control of the University (that is, to a body, agency or person separate from the University).

Top

9.1.8 Exceptions relating to disclosure of personal information

In extremely limited circumstances, disclosure of personal information in the following circumstances may not be a breach of privacy.

(a) Consent

Personal information may be disclosed where the individual concerned has consented to that disclosure. Consent must be expressly given and it is expected that the consent will be in writing. In limited circumstances, verbal consent may be acceptable if it is verifiable and the disclosure is clearly in the best interests of the individual. Staff proposing to release information where the consent is not in writing must discuss the circumstances with the Privacy Contact Officer before disclosure occurs.

Implied consent must not generally be relied upon as a basis for disclosure. Where a person seeks personal information as a representative or agent of another, then documentation confirming the scope of the agent's authority should be obtained before release of any personal information held by the University.

(b) Previous provision of a privacy notice

Personal information may be disclosed where individuals have been informed of the usual practices for disclosure.

(c) Other situations

In rare circumstances, disclosure of personal information may also be permitted where:

  • disclosure is necessary to prevent or lessen an imminent and serious threat to a person's life or health;
  • disclosure is required by law (for example, if the University's records are subpoenaed, or if there are statutory requirements to provide information to a government department such as the Australian Taxation Office, Centrelink, or Department of Education, Science and Training);
  • disclosure is necessary for enforcement of criminal or other laws imposing penalties such as fines.

Any request or proposal to disclose personal information in these situations must only be undertaken in compliance with protocols issued by the Registrar, or following discussions with the Privacy Contact Officer confirming that disclosure is necessary and acceptable under privacy principles.

Top

9.1.9 Register of graduates

Privacy principles do not apply to material which is maintained on a public register. Given that one of QUT's primary functions is to confer higher education degrees and awards, QUT maintains a register of its graduates (including of predecessor institutions) in the student management system. Information concerning a person's status as a graduate of the University is available to any member of the public upon formal request to the Student Business Services Department . The only details confirmed are the graduate's name (as recorded in QUT systems), the degree conferred or to be conferred and the date of conferral. QUT may charge a fee for this service.

No other personal information is regarded as being on a public register.

Top

9.1.10 Student numbers and other unique identifiers

Student numbers are unique identifiers and they are used as the basis for recording a large amount of student information. To protect student privacy and to secure student information from unauthorised use or disclosure, student number information must not be published or made generally available in a way which links the number to a student's name, for example, by being printed on mailing labels which are sent through the post.

Similar principles apply to other unique identifiers such as staff or payroll numbers.

Top

9.1.11 Access to and amendment of an individual's own record

Privacy principles entitle an individual to have access to the personal information which the University holds about them, and to amend it where it is inaccurate, incomplete, out-of-date or misleading. IS42 recognises that, in Queensland, these rights are dealt with in the Freedom of Information Act 1992 (FOI Act). QUT is however committed to providing, as far as practicable, an open environment which enables members of the QUT community to obtain access to their personal information without recourse to formal procedures contained in the FOI Act (see Freedom of Information policy - F/10.1 ). To achieve this, QUT has in place administrative procedures for information access by staff and students.

Top

9.1.12 Privacy complaints

If an individual believes that QUT has not dealt with their personal information in accordance with IS42 or this policy, they may make a complaint to QUT. A complaint must be made in writing within six months from the date when the breach of privacy was suspected to have occurred. Complaints should be sent to the Privacy Contact Officer or referred to that officer if received by another area of the University.

The Privacy Contact Officer will refer the matter to the most appropriate senior officer to resolve the complaint. In the case of complaints regarding a staff member’s conduct or actions, this will be the head of the organisational unit in which the staff member is employed. In other cases, the complaint may be referred to the head of the organisational unit having responsibility for the personal information to which the complaint relates.

Primary responsibility for investigating and responding to the complaint will rest with the senior officer, with advice from the Privacy Contact Officer as required. The University’s main objective in responding to privacy complaints is to conciliate an outcome which is acceptable to the complainant and which addresses any broader or systemic privacy issues which may arise.

If a complainant does not agree with the University’s response, an internal review process is available.

Monitoring of privacy complaints is undertaken via annual reporting as part of QUT’s compliance program. For full details of procedures to be followed in managing privacy complaints, refer to the QUT Privacy Plan.

Top

9.1.13 Contracts involving personal information

Contractual arrangements entered into by the University may involve access to or use of personal information owned or held by QUT. Typically these arrangements may outsource routine support functions, though some contractual arrangements may also relate to commercial research and consultancies.

Any contract which is entered into by the University must place appropriate safeguards on protection of personal privacy, since contractual arrangements do not alter or eliminate QUT's obligations for protection of personal information. It is the responsibility of the senior officer who has delegated authority to enter contracts and commercial arrangements, to ensure that privacy risks are adequately addressed and that QUT's privacy obligations are appropriately incorporated into the formal terms of the contract where necessary. For further information, refer to QUT's policy on management of contracts and MOUs ( G/6.1 ). Queries concerning appropriate contractual provisions covering QUT's privacy obligations may be directed to the Privacy Contact Officer or the Office of Commercial Services.

Top

Related Documents

QUT Privacy Plan

MOPP F/1.2 Information security policy

MOPP F/1.5 Email policy

MOPP G/6.1 Policy on management of contracts and MOUs

MOPP H/3.4.11 Closed circuit television policy

Privacy protocols issued by Registrar

Top

Modification History

Date Sections Source Details
07.06.07 All Vice-Chancellor Policy revised and updated (endorsed by Vice-Chancellor’s Advisory Committee 02.05.07)
20.02.04 All Vice-Chancellor Revised policy - replaces former F/9.1 Information access and privacy policy for students and staff at QUT (endorsed by Vice-Chancellor's Advisory Committee 12.02.04)
21.05.99 All Vice-Chancellor New policy (replaces former policies on confidentiality of staff and student records) (endorsed by Vice-Chancellor's Advisory Committee 22.4.99)

Top
Chapter A | Chapter B | Chapter C | Chapter D | Chapter E | Chapter F | Chapter G | Chapter H | Chapter I | Appendices | Protocol for MOPP Policy | Recent Updates
QUT Home | MOPP Home
CRICOS No. 00213J
Privacy | Copyright | Accessibility
Last modified 07-Jul-2008
Contact us | Feedback | Disclaimer