Privacy Policy

This is not a current document. To view the current version, click the link in the document's navigation bar.

Section 1 - Purpose

(1) Macquarie University is committed to protecting the privacy of its students, employees and others who interact with it while undertaking its learning and teaching, research, engagement, and associated administrative activities and support services. All staff and functional units of the University have an obligation to be aware of and implement the privacy principles and practices established by legislation and articulated in this and other related policies.

(2) This Policy provides guidance on the University’s approach to its information handling practices and that of its Controlled Entities in relation to the information collected from its students, employees and others who interact with it.

Background

(3) As a NSW public sector agency, the University is required to comply with the NSW Privacy and Personal Information Protection Act 1998 (PPIPA) and the NSW Health Records and Information Privacy Act 2002 (HRIPA), in respect of Personal and Health Information which it collects and uses. The University aligns its practices and activities with the Information Protection Principles (IPPs), and the Health Privacy Principles (HPPs) contained in those Acts as outlined in the University’s Privacy Management Plan.

(4) The University also follows any public interest directions and statutory guidelines issued by the Information and Privacy Commission NSW (or its equivalent) in relation to Personal and Health Information. The University’s Privacy Management Plan provides more information on how the University implements its obligations under the PPIPA and HRIPA, and how these Acts apply to the University’s operations.

(5) The University’s Controlled Entities considered an “organisation” under the Privacy Act 1988 (Cth) (Commonwealth Privacy Act) must also comply with the Commonwealth Privacy Act 1988 and the Australian Privacy Principles (APPs) in addition to the PPIPA and the HRIPA when dealing with Personal and Health Information.

(6) Whilst the University is not bound to comply with the Commonwealth Privacy Act 1988 (other than as a tax file number recipient), it strives to apply the APPs to its own practices to achieve consistency in protecting the privacy of individuals across University entities.

(7) The University has established the following information Privacy Framework to communicate the applicable privacy laws to staff, students and others who interact with the University:

  1. this Policy;
  2. Privacy Management Plan;
  3. privacy policies for Controlled Entities;
  4. privacy collection notices / statements and consents; and
  5. related policies, procedures, and guidelines on the management of information.   

Scope

(8) This Policy applies to:

  1. all employees of the University and its Controlled Entities;
  2. all students of the University including former students;
  3. all University researchers and HDR candidates; and
  4. any person who handles Personal or Health Information for or on behalf of the University or its Controlled Entities, including contractors, agents, visitors, honorary, clinical or adjunct appointees and consultants of the University.

Section 2 - Policy

(9) The University ensures those covered by the scope of this Policy are made aware of their responsibilities under the PPIPA, HRIPA, and the Commonwealth Privacy Act 1988 and provides appropriate information and training opportunities.

Privacy Management Plan

(10) The University has implemented a Privacy Management Plan setting out how its obligations under PPIPA and HRIPA apply to the University’s operations.

Controlled Entities

(11) Each Controlled Entity of the University, considered as an “organisation” under the Commonwealth Privacy Act 1988, is required to have its own separate Privacy Policy.

(12) The Privacy Policy explains the types of Personal and Sensitive (including Health) Information it collects and holds, how it does so, the purposes for that collection, to whom it discloses that Information, how that Information may be accessed or corrected, how a privacy complaint may be lodged and how it will be actioned, whether Information is likely to be sent overseas and to which countries if applicable.

Dealings Between the University and Controlled Entities

(13) The University must ensure that any Information provided by the University to a Controlled Entity is protected in accordance with the same standards that the University applies to the Information it holds.

(14) Therefore in any dealings between the University and its Controlled Entities regarding Personal and Health Information, the standards applicable to the University (i.e. under PPIPA and HRIPA) must be applied in addition to the requirements under the Commonwealth Privacy Act 1988.

Concurrent Operation of Acts for Controlled Entities

(15) The Commonwealth Privacy Act 1988 contemplates that an entity, such as a Controlled Entity of the University, may have duties under both Commonwealth and State privacy legislation.

(16) To the extent that there are inconsistencies between the Commonwealth Privacy Act 1988 and the NSW privacy acts which apply to a Controlled Entity, the Commonwealth Privacy Act 1988 will prevail.

Privacy Principles

(17) In handling Personal and Health Information, the University and its Controlled Entities align their practices with the IPPs, HPPs and APPs as follows. Where there are additional requirements due to differences between the PPIPA and Commonwealth Privacy Act 1988, specifically the classification of Health Information as Sensitive Information by the Commonwealth Privacy Act 1988 these have also been articulated below.

Collection and Use

(18) The University and its Controlled Entities may collect and use Personal and Health Information only for lawful purposes that are directly related to a function or activity of the University or Controlled Entity, and where the Information is reasonably necessary for that purpose; for a directly related purpose that the individual would expect; or for a purpose for which the individual has given consent, unless an exemption applies. For Controlled Entities, consent is also required to be obtained for the collection of Health Information.

Disclosure

(19) The University may disclose Information held about an individual under various circumstances including the following:

  1. if the disclosure is directly related to the purpose for which the Information was collected and the University has no reason to believe that the individual concerned would object to the disclosure; or
  2. the individual concerned is reasonably likely to have been aware or is aware that Information of that kind is usually disclosed to that party; or
  3. the University believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious or imminent threat to an individual’s life or health; or
  4. consent has been given by the individual; or
  5. disclosure is otherwise authorised, permitted, or required by law.

(20) The University cannot disclose an individual’s Sensitive Information without consent unless the disclosure is necessary to prevent a serious or imminent threat to the life or health of an individual. For Controlled Entities, this also includes Health Information.

Transborder Disclosure by University

(21) In addition to the normal disclosure rules, the University will not disclose (or transfer) Personal or Health Information of individuals to any person or body outside NSW or overseas unless an exemption applies.

(22) More specific information about the University’s disclosure obligations is available in the Privacy Management Plan.

Cross Border Disclosure by Controlled Entities

(23) Controlled Entities can only use and disclose Personal Information for a purpose for which it was collected (“primary purpose”) or for a secondary purpose if an exemption applies.

(24) Generally, the University’s Controlled Entities do not disclose Personal Information (including Sensitive Information) outside Australia.

(25) However, some service providers do operate overseas or use third party hosting arrangements that store Information outside Australia. If this occurs, the Controlled Entity is required to take reasonable steps to ensure the overseas recipients treat the Personal Information in accordance with the Australian Privacy Principles and make that overseas recipient accountable if the Information is mishandled.

Collection, Use and Disclosure for Research Purposes

(26) The University may collect, use and disclose Personal or Health Information for research purposes without obtaining an individual’s consent provided it complies with:

  1. all the criteria set out in section 27B of the PPIPA for Personal Information (or HPP10(1)(f) and HPP11(1)(f) of HRIPA for Health Information);
  2. any statutory guidelines issued by the Information and Privacy Commission NSW; and
  3. the requirement to obtain prior approval from the University’s Human Research Ethics Committee (Medical Sciences) or Human Research Ethics Committee (Human Sciences and Humanities).

(27) The University’s Controlled Entities must also comply with any guidelines issued under sections 95 and 95A of the Commonwealth Privacy Act 1988 in respect of collecting, using and disclosing Health Information for research purposes, or for compilation or analysis of statistics relevant to public health or public safety where individual consent is not obtained, and obtain prior approval of the University’s Human Research Ethics Committee (Medical Sciences) or Human Research Ethics Committee (Human Sciences and Humanities).

Retention, Security and Disposal

(28) The University and its Controlled Entities will retain Information for as long as necessary for the purpose for which it may lawfully be used, subject to the requirements of any other law.

(29) The University and its Controlled Entities will take reasonable measures to protect Information held against loss, misuse, interference and unauthorised access, modification or disclosure.

(30) The University and its Controlled Entities may need to retain records for a significant period of time to comply with their legal obligations. Information that is no longer required will be archived in accordance with the University’s retention obligations or securely destroyed in accordance with the University’s disposal procedures.

Access and Correction

(31) An individual may apply to the University or its Controlled Entities to access, correct or amend Personal Information held about them without excessive delay or expense, subject to any exceptions in relevant legislation.

(32) All requests for access should follow the Request for Information process as outlined in the Privacy Management Plan. Note that Information about a third party is not accessible under the PPIPA and Commonwealth Privacy Act 1988.

(33) Requests to correct Personal Information can be made informally or through a formal process as outlined in the Privacy Management Plan.

GIPA Access Requests for Information

(34) Any individual may also request access to University records and information held by the University (but not a Controlled Entity) under the Government Information (Public Access) Act 2009 (NSW) (GIPA request).

(35) Under PPIPA and HRIPA access to Information is provided only to the person to whom the Information relates.

(36) A GIPA request can be made to the University about any Information it holds by contacting the Right to Information Officer by email at gipa@mq.edu.au.  

Complaints

(37) Complaints about privacy breaches by the University are handled in accordance with the University’s Privacy Management Plan.

(38) Complaints about privacy breaches by the Controlled Entities are handled in accordance with the relevant Controlled Entity’s Privacy Policy.

(39) If an individual has a complaint about how their Personal or Health Information is collected, held, used, secured or disclosed they should contact the University’s Privacy Officer in the first instance as follows:

  1. Email: privacyofficer@mq.edu.au;
  2. Mail: University Privacy Officer, Macquarie University NSW 2109; or
  3. Phone: 9850 7218.

Section 3 - Procedures

(40) Nil.


Section 4 - Guidelines

(41) Nil.


Section 5 - Definitions

(42) The following definitions apply for the purpose of this Policy:

  1. Controlled Entity / Entities means a person, group of persons or body of which the University or the University Council has control within the meaning of Section 39(1A) or 45A(1A) of the Government Sector Audit Act 1983 (NSW).
  2. Information means personal, sensitive or health information (as defined by applicable legislation depending on context).
  3. Health Information, as defined in Health Records and Information Privacy Act 2002, is:
    “(a) personal information that is information or an opinion about:
    the physical or mental health or a disability (at any time) of an individual; or
    an individual’s express wishes about the future provision of health services to him or her; or
    a health service provided or to be provided to an individual; or
    (b) other personal information collected to provide, or in providing a health service; or
    (c) other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances; or
    (d) other personal information that is genetic information about an individual arising from a health service provided to the individual that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual; or
    (e) healthcare identifiers.”   
  4. Health Information (for Controlled Entities), as defined in the Commonwealth Privacy Act 1988, is:
    “(a) information or an opinion about:
    (i) the health, including an illness, disability or injury, (at any time) of an individual; or
    (ii) an individual's expressed wishes about the future provision of health services to the individual; or
    (iii) a health service provided, or to be provided, to an individual;
    that is also personal information;
    (b) other personal information collected to provide, or in providing, a health service to an individual;
    (c) other personal information collected in connection with the donation, or intended donation, by an individual of his or her body parts, organs or body substances;
    (d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.”
  5. Personal Information, as defined in Privacy and Personal Information Protection Act 1998, is:
    “information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics.”

    It does not include (this list is not exhaustive):
    1. information about an individual who has been dead for more than thirty (30) years;
    2. information about an individual that is contained in a publicly available publication;
    3. information or an opinion about an individual’s suitability for appointment or employment as a public sector official;
    4. information about an individual that is contained in a public interest disclosure; or
    5. health information within the meaning of Health Records and Information Privacy Act 2002.
  6. Personal Information (for Controlled Entities), as defined in the Commonwealth Privacy Act 1988, is:
    “information or an opinion about an identified individual, or an individual who is reasonably identifiable:
    (a)  whether the information or opinion is true or not; and
    (b)  whether the information or opinion is recorded in a material form or not.”
  7. Personal Sensitive Information, as defined in Privacy and Personal Information Protection Act 1998, means an individual’s ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership or sexual activities.
  8. Privacy Framework means the suite of documents that inform individuals of the relevant privacy laws and how the University and its Controlled Entities collect, use, disclose and retain Personal and Health Information and how access and correction requests are handled.
  9. Privacy Management Plan means the Plan developed and implemented by the University in accordance with its obligation under section 33 of Privacy and Personal Information Protection Act 1998.
  10. Sensitive information (for Controlled Entities), as defined in the Commonwealth Privacy Act 1988, is:
    “(a) information or an opinion about an individual's:
    (i)  racial or ethnic origin; or
    (ii)  political opinions; or
    (iii)  membership of a political association; or
    (iv)  religious beliefs or affiliations; or
    (v)  philosophical beliefs; or
    (vi)  membership of a professional or trade association; or
    (vii)  membership of a trade union; or
    (viii)  sexual orientation or practices; or
    (ix)  criminal record;
    that is also personal information; or
    (b) health information about an individual; or
    (c) genetic information about an individual that is not otherwise health information; or
    (d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
    (e) biometric templates.”
  11. University means Macquarie University including its employees, students, University researchers, HDR candidates, and any person who handles Personal or Health Information for or on behalf of the University.