Manual of Policies and Procedures

F/6.2 Information privacy

Policy Owner

Director, Governance and Performance

Approval Date

14/10/2022

Approval Authority

Vice-Chancellor and President

Date of Next Review

01/10/2027

6.2.1 Purpose
6.2.2 Application
6.2.3 Roles and responsibilities
6.2.4 Collection and use of personal information
6.2.5 Access and security of personal information
6.2.6 Prohibition on disclosure of personal information
6.2.7 Register of graduates
6.2.8 Requests for access to and amendment of personal information under Information Privacy Act
6.2.9 Privacy complaints
6.2.10 Privacy breach management
6.2.11 Implementation of privacy obligations
6.2.12 Privacy impact assessment
6.2.13 Definitions
6.2.14 Delegations
Related Documents
Modification History

6.2.1 Purpose

QUT's functions require the collection, storage, use and disclosure of personal information about students, staff, alumni, donors, partners and other clients. QUT is committed to protecting personal privacy and recognises that individuals have a reasonable expectation that the university will protect and appropriately manage the personal information it holds about them.

QUT must comply with the requirements of the Information Privacy Act 2009 (Qld) (IP Act) which provides for the fair collection and handling of personal information by Queensland public agencies. QUT may be required to comply with other privacy regulations in other jurisdictions to the extent that they apply to its activities, including circumstances where:
  • QUT has agreed to be contractually bound to manage personal information according to another privacy law, for example the Australian Privacy Principles (APPs) when under contact to the Australian Government or another APP entity, or
  • a privacy or other law applies to the type of personal information involved, for example tax file number information; or
  • QUT processes the personal data of an individual who is located in a particular jurisdiction and the law of that jurisdiction applies to the individual's information, for example the European Union General Data Protection Regulation (GDPR).

Top

6.2.2 Application

This policy applies to the collection, use, disclosure, storage, transfer, handling, right of access, and amendment of personal information at QUT.

It does not apply to:

  • routine personal work information of staff
  • personal information which is maintained on a public register
  • information recorded in a de-identified way which cannot be linked (or re-linked) to a known individual
  • personal information which is already available in a publication or other publicly available document; or
  • information which is generally available.

Top

6.2.3 Roles and responsibilities

Position
Responsibility
Vice-Chancellor and President
  • as the 'principal officer' under the Information Privacy Act (IP Act), is responsible for QUT's obligations under the Act
Vice-President (Administration) and University Registrar
  • as chief administrative officer, oversees implementation of privacy management across the university, and approves privacy protocols, guidelines and mandatory training arrangements
Governance Manager (Governance and Performance)
  • acts as QUT Privacy Officer, and administers the Information Privacy Act (IP Act) on behalf of the Vice-President (Administration) and University Registrar, including:
    • making initial decisions on access and amendment applications under the IP Act
    • training staff in the university's privacy obligations
    • providing advice on privacy issues
    • coordination of the university's investigation and response to privacy complaints and breaches
Heads of organisational units
  • manage privacy risk in the organisational unit and implement business processes consistent with the Information Privacy Act (IP Act)
Data custodians
  • implement adequate security measures to protect privacy of personal information in information systems
  • determine user access levels which must be consistent with privacy requirements
  • implement appropriate mechanisms to revoke access to systems containing personal information, when access is no longer appropriate, for instance, in the case of a change in position or formal responsibilities, or termination of employment

(The Corporate information asset management policy (F/1.9) provides further details.)
All staff
  • undertake required privacy training
  • comply with the requirements of the Information Privacy Act (IP Act), this policy and all procedures and privacy protocols issued under the policy

Top

6.2.4 Collection and use of personal information

Collection

Personal information must be collected only where necessary and relevant to QUT's functions and activities and in a reasonable and transparent way. Personal information should not be collected unless there is a specific and immediate use for it. An appropriate privacy notice must be provided when collecting information directly from an individual. Privacy collection notices must include the following information:

  • the purposes for collecting the information
  • any law or court order that authorises the collection, the title of the law or details of the court order; and
  • to whom QUT normally discloses the information and, if known, anyone they in turn will disclose it to.

Where a privacy law other than the Information Privacy Act (IP Act) applies to the personal information collected, a privacy notice may need to include some or all of the following information:

  • the lawful basis for processing personal information and, if applicable, the legitimate interests for the processing (GDPR)
  • the retention period for the personal information
  • the main consequences for the individual if all or some of the information is not collected
  • details of any transfer or storage of the information outside Australia and how privacy is protected in such circumstances
  • how individuals can request access to, or amendment of their personal information, or exercise their legal rights
  • the contact details of the university or the head of the organisational area, the QUT Privacy Officer and a link to this Information privacy policy
  • where personal information is collected from a third party, the source and the categories of personal information collected
  • the details of any automated decision-making or profiling where relevant.

Use

Before using personal information, staff have a responsibility to take reasonable steps to ensure that information is accurate, up-to-date and complete. Personal information must be used only when it is relevant and only for the purpose for which it has been collected or a directly related purpose.

Further guidance on use of personal information is detailed in the privacy protocols (QUT staff access only).

Top

6.2.5 Access and security of personal information

Access and security safeguards are important ways of protecting personal privacy. Access to personal information is granted to staff only where this is necessary for work purposes and staff must only access personal information if there is a work-related reason for this. Personal information must be protected against loss, unauthorised access or modification, disclosure or misuse. The university's Information security policy (F/1.2) provides further details on how to classify and protect personal information.

Top

6.2.6 Prohibition on disclosure of personal information

Staff must not disclose personal information to individuals or organisations outside the university. Disclosure refers to release of personal information to another entity (e.g. a body, agency or person separate from the university) where QUT will cease to have effective control of the information once it is released.

There are some limited circumstances in which personal information may be disclosed without breaching personal privacy. These circumstances include the following:

    • where there is appropriate documentary evidence that the individual has agreed to disclosure
    • where a privacy notice given at the point of collection advises the individual about the usual practices for disclosure
    • where disclosure is required or authorised by law (for example, court order or subpoena, legislative obligation to disclose)
    • where disclosure is necessary to manage or lessen a serious threat to a person’s life, health, safety, or welfare, or to public health, safety or welfare
    • where disclosure is necessary for investigation or enforcement of criminal matters or other law enforcement matters. 

Privacy protocols (QUT staff access only) which set out the considerations and procedures for disclosure of personal information in these circumstances are available and must be followed. Disclosing personal information in other situations must only occur following confirmation from the Privacy Officer that disclosure is necessary and acceptable under other limited provisions in the Information Privacy Act (IP Act).

Top

6.2.7 Register of graduates

QUT, including its predecessor institutions, maintains a public register of graduates. Information concerning a person's status as a graduate is a matter of public record and available to any member of the public, through the Verification of qualifications service. The only details confirmed through this service are the graduate's name (as recorded in QUT systems), the degree conferred or to be conferred and the date of conferral. QUT may charge a fee for this service.

Top

6.2.8 Requests for access to and amendment of personal information under Information Privacy Act

The Information Privacy Act (IP Act) also provides a right of access to, and amendment of, personal information (F/6.3). Details on how an individual can request access to or to amend their personal information in accordance with the IP Act can be found in the university's policy on Information access (F/6.3) and on the webpage Requesting access to and amendment of your personal information.

Top

6.2.9 Privacy complaints

If an individual believes that QUT has not dealt with their personal information in accordance with the Information Privacy Act (IP Act) or this policy, they may make a complaint to QUT. A complaint must be made in writing or by email to the Privacy Officer or referred to that officer if received by another area of the university.

Primary responsibility for investigating and responding to the complaint will rest with the head of the organisational unit concerned, with advice from the Privacy Officer as required. The university's main objective in responding to privacy complaints is to conciliate an outcome which is acceptable to the complainant and which addresses any broader or systemic privacy issues which may arise.

If a complainant does not agree with the university's response, an internal review process is available, or a complainant may refer the matter for independent mediation by the Office of the Information Commissioner.

Top

6.2.10 Privacy breach management

The head of the relevant organisational unit must report any breaches of this policy to the Privacy Officer as soon as practicable after the breach has been identified. Where the matter involves a breach of information security, the Privacy Officer will liaise with the Manager, Information Security (F/1.2.8) to assist with responding to and reporting on the complaint.

Management of a privacy breach will include steps to:

  • contain the breach
  • evaluate the associated risks
  • consider notifying the affected individuals; and
  • prevention of any further privacy breach.

The Vice-President (Administration) and University Registrar must be informed of serious breaches of this policy or related protocols and any actions arising out of any investigations.

A breach which involves misuse or inappropriate access to personal information by a staff member may be a breach of the QUT Staff Code of Conduct and managed under disciplinary or unsatisfactory performance processes (B/8.1.7). 

Top

6.2.11 Implementation of privacy obligations

Protection of personal information must be addressed as part of many university activities. These activities include:

  • ensuring commercial contracts with third parties have appropriate safeguards for protection of personal information, consistent with QUT's policy on Management of contracts, deeds and memoranda of understanding (A/1.6)
  • addressing requirements of the Information Privacy Act (IP Act) when transferring personal information outside of Australia
  • ensuring that unique identifiers are not published or made generally available.

Top

6.2.12 Privacy impact assessment

Privacy Impact Assessments (PIA) (QUT staff access only) assist project managers, data custodians and heads of organisational areas to appropriately consider and manage privacy. A PIA should be undertaken throughout the development and implementation of a project or new business process that collects, uses, or discloses personal information, or when making significant changes to existing systems or processes.

Top

6.2.13 Definitions

Australian Privacy Principles means the set of 13 principles in the Privacy Act 1988 (Cth) governing the collection, quality, use, disclosure, management and transfer of personal information.

General Data Protection Regulation (GDPR) means the legal framework governing the collection and processing of personal information of individuals located in the European Union (EU).

Information Privacy Principles means the set of 11 principles in the Information Privacy Act (IP Act) governing the collection, use, disclosure, management and transfer of personal information by organisations such as the university.

Personal data has the meaning given to it in Article 4 of the GDPR.

Personal information is as defined by the IP Act as information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Personal information includes usernames, passwords and unique identifiers such as staff and student numbers. It can be recorded in any format including hard copy documents, electronic documents, databases, administrative systems, photographs and other images, and staff/student identity cards.

A privacy breach occurs when there is a failure to comply with the information privacy policy or the IP Act's 11 privacy principles. Usually this will result in unauthorised disclosure of or unauthorised access to personal information.

A privacy complaint is a complaint about an act or practice of QUT in relation to an individual’s personal information that is a breach of this policy or the IP Act.

Unique identifiers including student and staff numbers are used as the basis for recording a large amount of personal information. Other unique identifiers include payroll numbers, tax file numbers, credit card numbers and bank account details.

Routine employment information of staff is any information which does not relate to the personal aspects of a staff member's employment at the university. This includes information such as a staff member's position title, QUT email address, work phone number or any information which is publicly available on the QUT website.

Top

6.2.14 Delegations

Refer to Register of Authorities and Delegations (VC004, VC005) (QUT staff access only).

Top

Related Documents

MOPP A/1.6 Management of contracts, deeds and memoranda of understanding

MOPP F/1.2 Information security policy

MOPP F/1.5 Email policy

MOPP F/6.3 Access to information

MOPP H/2.1 Security on campus

Access to information at QUT

Privacy protocols (QUT staff access only)

QUT Privacy Complaint

QUT Projects (QUT staff access only)

QUT Requesting access to and amendment of your personal information

Information Privacy Act 2009 (Qld)

Privacy Act 1988 (Cth)

Public Records Act 2002 (Qld)

European Union General Data Protection Regulation (GDPR) 2016

Top

Modification History

Date Sections Source Details
14.10.22 All Vice-Chancellor and President Revised policy to ensure compliance with the General Data Protection Regulations (GDPR)
18.06.20 All Director, Governance and Legal Services/Privacy Officer Periodic review – minor revisions only
04.04.17 All Vice-Chancellor Revised and simplified policy
29.10.15 F/6.2.6, F/6.2.11 Vice-Chancellor Policy revised to include information security
23.10.13 All Manager, Policy and Compliance (Privacy Officer) Periodic review - minor revisions only
07.10.10 All Vice-Chancellor Policy revised following enactment of Information Privacy Act 2009. Renumbered to F/6.2 (formerly F/9.1)
07.06.07 All Vice-Chancellor Policy revised and updated (endorsed by Vice-Chancellor's Advisory Committee 02.05.07)
20.02.04 All Vice-Chancellor Revised policy - replaces former F/9.1 Information access and privacy policy for students and staff at QUT (endorsed by Vice-Chancellor's Advisory Committee 12.02.04)
21.05.99 All Vice-Chancellor

New policy (replaces former policies on confidentiality of staff and student records) (endorsed by Vice-Chancellor's Advisory Committee 22.4.99)

 

Top