Privacy Management Plan

This is not a current document. To view the current version, click the link in the document's navigation bar.

(1) The University of Newcastle (“University”, “we,” “us” or “our”) is a great place to learn, work and engage.  Our purpose is to deliver an exceptional student experience, preparing graduates for life in an increasingly interconnected society and to serve our regions by taking research that matters to the world and bringing our global expertise home.

Section 1 - Audience

(2) This Privacy Management Plan (Plan) should be read and understood by our staff, students, contractors, controlled entities, volunteers, affiliates, and the public.

Section 2 - Scope

(3) This Privacy Management Plan (Plan) applies to personal information and health information collected by us.

Section 3 - Introduction

(4) This Plan details how we manage the personal and health information of staff, students, and the public in their dealings with us and is a supporting document to the Privacy Policy. The Privacy Policy establishes the Privacy and Right to Information Officer function within the University.

(5) Section 33 of the Privacy and Personal Information Protection Act 1998 (PPIP Act) requires agencies like us to have a privacy management plan.  More importantly, we want to help you understand our commitment to respecting your privacy rights. 

(6) We are committed to compliance with the Privacy and Personal Information Protection Act 1998 (PPIP Act), Health Record and Information Privacy Act 2002 (HRIP Act), Privacy Act 1988 (Privacy Act), Privacy (Tax File Number) Rule 2015 (TFN Rule) issued under s 17 of the Privacy Act 1988 and Healthcare Identifiers Act 2010 (HI Act) by:

  1. informing you of how your personal information will be handled by us;
  2. informing you of your rights under the legislation;
  3. establishing and maintaining a culture of privacy awareness; and
  4. considering the Information Protection Principles, Health Privacy Principles, Privacy Act, TFN Rule and HI Act where relevant, in the design and/or review of processes, systems and projects undertaken or implemented by us.

Section 4 - Public Registers maintained by the University

(7) We maintain Public Registers as part of our commitment to open government.  

Graduation Book

(8) We publish graduation books which include the name of each graduate and the degree conferred upon them. You may opt out of inclusion in such graduation books by contacting graduation@newcastle.edu.au.

Contracts Register

(9) We maintain and publish a Contracts Register as required by the Government Information (Public Access) Act 2009 (NSW) (GIPA Act). It is unlikely the register will include personal or health information. 

(10) If you have any concerns about information published as it relates to a person’s personal or health information, please let us know at Complaints.

Section 5 - Definitions 

(11) In the context of this document the following definitions apply.

(12) “Personal Information” means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Personal information can also include things like your fingerprints, retina prints, body samples or genetic characteristics.

(13) “Sensitive information” means personal information about your ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities, or trade union membership.

(14) “Health information” means:

  1. personal information that is information or an opinion about:
    1. the physical or mental health or a disability (at any time) of an individual; or
    2. an individual’s express wishes about the future provision of health services to them; or
    3. a health service provided, or to be provided, to an individual; or
    4. other personal information collected to provide, or in providing, a health service; or
  2. other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances; or
  3. other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual; or
  4. healthcare identifiers, but does not include health information, or a class of health information or health information contained in a class of documents, that is prescribed as exempt health information for the purposes of the HRIP Act generally or for the purposes of specified provisions of the HRIP Act.

(15) “NSW privacy laws” means Privacy and Personal Information Protection Act 1998 (PPIP Act) and Health Record and Information Privacy Act 2002 (HRIP Act).

(16) “Commonwealth privacy laws” means the Privacy Act 1988 (Privacy Act), the Privacy (Tax File Number) Rule 2015 (TFN Rule) issued under s 17 of the Privacy Act, and the Healthcare Identifiers Act 2010 (HI Act).

(17) “Tax File Number information” (TFN Information) means information that connects a TFN with the identity of a particular individual (for example, a database record that links a person’s name and date of birth with the person’s TFN).

(18) “Individual Healthcare Identifier” (IHI information) means a unique number used to identify an individual for health care purposes. It helps ensure health professionals are confident that the right information is associated with the right individual at the point of care. You already have an IHI if any of the following apply:

  1. you have a Medicare card;
  2. you have a DVA card; or
  3. you are enrolled in Medicare.

(19) “Government-related Identifier” (GRI information) means an identifier that has been assigned by an agency, a State or Territory authority, an agent of an agency or authority, or a contracted service provider for a Commonwealth or State contract, e.g. Centrelink Customer Reference Number (CRN), Medicare number, driver’s licence number or passport number.

Section 6 - Information Protection Principles and Health Privacy Principles

(20) There are 12 Information Protection Principles (IPPs) that apply under the PPIP Act and 15 Health Privacy Principles (HPPs) that apply under the HRIP Act. The IPPs are obligations that we must abide by when we collect, store, use or disclose personal information. We are governed by New South Wales privacy legislation but may have obligations under other legislation such as the Privacy Act 1988 (Cth), the General Data Protection Regulation (EU2016/679) and other global privacy regimes.

(21) At the start of each point below, we will provide a snapshot of the IPPs and HPPs. Where appropriate, this will be followed by more detailed information about how we apply those principles to the functions of the University.

Collection of information

IPP 1 and HPP 1 – Lawful

SNAPSHOT:  We must only collect your personal information or health information for a lawful purpose, which is directly related to our functions or activities and necessary for that purpose.

(22) We may collect your personal or health information for the following purposes:

  1. providing courses of study (including all associated administrative processes);
  2. conferring degrees and other awards;
  3. research and administration of higher degree by research candidature;
  4. exercising commercial functions;
  5. fundraising;
  6. promoting events and students;
  7. surveys and competitions;
  8. news and updates;
  9. selection, appraisal, remuneration of staff and associated administrative processes;
  10. employment and managing staff and students;
  11. providing and administering accommodation for students;
  12. providing support services such as counselling, disability services, medical services, or advocacy services;
  13. managing complaints or disputes;
  14. providing taxation assistance;
  15. providing legal assistance;
  16. managing or facilitating scholarships; and/or
  17. managing requests for academic consideration.

IPP 2 and HPP 3 – Direct Collection

SNAPSHOT:  We must only collect your personal information or health information directly from you, unless you have authorised collection from someone else, or you are under 16 and the information has been provided by your parent or guardian, or, for health information, it is unreasonable or impracticable to do so.

(23) Where we collect personal or health information about you from another person, agency or party, consent may be obtained from you by:

  1. accepting terms and conditions;
  2. entering into a contract; or
  3. providing valid and express consent.

(24) Another party may manage the consent and authorisation for the provision of personal or health information prior to the information being provided to us, for example where a student authorises another tertiary institution to provide information to us.

(25) We may collect personal or health information indirectly where:

  1. the information is collected in connection with actual or anticipated proceedings before any court or tribunal;
  2. we are investigating a complaint which has or may be referred to, or made to or from an investigative agency;
  3. direct collection of the personal or health information would prejudice the interests of the individual to whom the information relates; or
  4. indirect collection is otherwise authorised or required.

IPP 3 and HPP 4 – Open

SNAPSHOT:  We must inform you, or the person you have authorised, why we are collecting your personal or health information, what we will do with it, and who else might see it. We will also tell you, or the person you have authorised, how they can view and correct the personal or health information, if the information is required by law or voluntary, and any consequences that may apply if you or they decide not to provide the information.

(26) At the time of collecting personal or health information, or as soon as possible afterwards, we must inform you about:

  1. why we are collecting the information;
  2. the use;
  3. who else might see it;
  4. how you can view and correct your personal or health information;
  5. whether the information is required by law or is voluntary; and
  6. any consequences if you decide not to provide the information.

(27) This advice may be provided to you by way of:

  1. terms and conditions;
  2. a collection notice on a form or agreement;
  3. a published privacy notice; or
  4. correspondence (i.e., email communication or file note).

IPP 4 and HPP 2 – Relevant

SNAPSHOT:  We will ensure that the personal information and health information that we collect is relevant, accurate, complete, up-to-date, and not excessive and that the collection does not unreasonably intrude into your personal affairs.

(28) We aim to ensure that your personal information and health information is:

  1. relevant, accurate, complete, up to date, not excessive, and that collection does not unreasonably intrude into your personal affairs;
  2. not collected or unnecessarily duplicated and that databases and systems are maintained and reviewed to ensure the information is accurate;
  3. able to be updated or amended by you through processes that are easily identifiable; and
  4. only sought where the information is required (this will depend on the purpose for which the information is collected; see IPP 1 and HPP 1).

Storage of information

IPP 5 and HPP 5 – Secure

SNAPSHOT:  We will store your personal information and health information securely, keep it no longer than necessary and dispose of it appropriately.  It will be protected from unauthorised access, use, modification, or disclosure.

(29) We protect personal and health information by:

  1. identifying and classifying records and handling them accordingly;
  2. storing records in our approved systems (appropriate privacy and security measures are incorporated into agreements with external system providers or contractors);
  3. ensuring access to systems or databases containing personal or health information is only granted on a need-to-know basis and that these systems are password protected;
  4. ensuring that, wherever available, systems established to collect information are used effectively;
  5. ensuring information within systems is only accessed or viewed as required for our functions;
  6. ensuring information is only transferred between parties when it is necessary to fulfil our functions and that steps are taken to prevent accidental disclosure;
  7. storing paper records securely, for example, in locked offices or cabinets, as appropriate;
  8. ensuring information is authorised to be destroyed and destroyed securely, that is, paper records are shredded or placed in a confidential bin, and electronic systems are erased; and
  9. ensuring information is not kept for longer than necessary.

(30) We consist of a number of colleges, schools, divisions, and business units who each may hold information in electronic format, hard copy, or both depending on their individual practices and procedures. These practices and procedures will be subject to our overarching policies and procedures which determine how we will use, manage, secure, and dispose of information which may include personal or health information, including, but not limited to:

  1. this Plan;
  2. Privacy Policy;
  3. Records Governance Policy;
  4. Information Technology Conditions of Use Policy;
  5. Information Security Policy and its associated documents; and
  6. Research Data and Primary Materials Management Procedure.

Access and Accuracy of information

IPP 6 and HPP 6 – Transparent

SNAPSHOT:  We will explain to you what personal information and/or health information about you is being stored, why it is being used and any rights you have to access it.

(31) You may obtain details on:

  1. how your personal or health information is being stored;
  2. why it is being used; and
  3. any rights you have to access it.

(32) This information will generally be available at the time of collection, via our website, or upon request as appropriate.

IPP 7 and HPP 7 – Accessible

SNAPSHOT:  We will allow you to access your personal or health information without excessive delay or expense.

(33) Personal or health information collected by us may be provided to the person to whom the information relates either informally, via an existing process, or on request. In some cases, an administrative fee may apply (for example, student transcripts are available for purchase).

(34) Staff and students may generally correct or amend their personal or health information automatically or routinely.  In cases where personal information or health information cannot be provided or corrected and amended electronically or by contacting the officer involved, assistance may be sought from:

  1. Human Resource Services for requests from staff; or
  2. Student Central for requests from students.

IPP 8 and HPP 8 – Correct

SNAPSHOT:  We will allow you to update, correct or amend your personal or health information where necessary.

(35) In response to a request, we may amend your personal or health information or make an annotation on the document to detail the request. If we consider that the personal or health information held is correct and does not require amendment, you will be provided with the reasons for this decision.

(36) Requests for correction or amendment of personal or health information may also be sent to the Privacy and Right to Information Officer for advice or action as appropriate. In some cases, requests may be referred for action under the Government Information (Public Access) Act application process.  Such cases include where the information:

  1. contains personal or health information about another individual;
  2. may require further consideration and advice; or
  3. is held across several different units of the University.

Use of information

IPP 9 and HPP 9 – Accurate

SNAPSHOT:  We will make sure that your personal information and health information is relevant, accurate, up to date and complete before using it.

(37) We take reasonable steps to verify the accuracy of your personal or health information, especially where the use of the information could lead to negative consequences for you.

IPP 10 and HPP 10 – Limited

SNAPSHOT:  We will only use your personal information or health information for the purpose it was collected unless you have given us your consent, or the purpose of its use is directly related to the purpose for which it was collected, or to prevent or lessen a serious imminent threat to any person’s health or safety. 

(38) We must not use information we hold for a purpose other than for which it was collected, unless:

  1. you or a person you have authorised have consented to the use of the personal information or health information for another purpose;
  2. the other purpose for which the information is to be used is directly related to the purpose for which the personal or health information was originally collected; or
  3. the use of the personal information or health information is necessary to lessen or prevent a serious and imminent threat to the life or health of any person.

(39) Where personal or health information is to be used for a purpose that is directly related to the original purpose, our staff should take reasonable steps to identify and document, as appropriate, why they have considered the use is directly related to the original purpose.

(40) In considering whether a purpose is directly related to the original purpose, our staff may consider the reasonable expectations of the person whose information they are dealing with.

Disclosure of information

IPP 11 and HPP 11 – Restricted and Limited Disclosure

SNAPSHOT:  We will only disclose your personal information or health information with your consent, or consent from an authorised person; or, if you were told at the time that it would be disclosed. We will also disclose your personal information or health information if the disclosure is directly related to the purpose for which the information was collected, and there is no reason to believe you would object; or if you have been made aware that information of that kind is usually disclosed. We will also disclose your personal information or health information if it is necessary to prevent a serious and imminent threat to any person’s health or safety.

(41) Disclosure primarily refers to sharing information that is held by us with another agency or individual outside of the University.

(42) We must undertake reasonable actions to ensure that personal or health information is not disclosed, either routinely or on a single occasion, without consent, unless:

  1. you are reasonably likely to have been aware, or have been made aware at collection, that personal information or health information of that kind is usually disclosed to another person or body;
  2. the disclosure is directly related to the purpose for which the personal or health information was collected, and we have no reason to believe that you would object to the disclosure;
  3. the disclosure of the personal or health information is necessary, on reasonable grounds, to prevent or lessen a serious and imminent threat to the life or health of any person; or
  4. an exemption applies under the PPIP Act 1998 or HRIP Act 2002.

(43) People would likely be considered to have knowledge of a disclosure if:

  1. there is documentation to indicate the individual provided valid consent;
  2. they were made aware that the information may be disclosed on collection; or
  3. there is a clear policy or process indicating that information of that type is usually disclosed.

(44) We must not use or disclose health information for another purpose (secondary purpose) other than the original purpose for which it was collected unless:

  1. an exception at law applies;
  2. the individual has provided consent;
  3. the secondary purpose is directly related to the original purpose and within the expectations of the individual; or
  4. there is reasonable belief that the use or disclosure is necessary to lessen or prevent a serious and imminent threat to the life or health of the individual concerned or another person, or a serious threat to public health and safety.

IPP 12 – Safeguarded

SNAPSHOT:  We cannot disclose your sensitive information without your consent, for example, information about your ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities, or trade union membership.  We can only disclose your sensitive information without consent to deal with a serious and imminent threat to any person’s health or safety.

(45) We must undertake reasonable actions to ensure that any sensitive information (such as information about ethnic or racial origin; political opinions; religious or philosophical beliefs; sexual activities or trade union membership) is not disclosed without an individual's consent.

HPP 12 – Information Identifiers and Anonymity

SNAPSHOT:  You may be identified by using unique identifiers if it is reasonably necessary to carry out our functions efficiently.

HPP 13 – Anonymity

SNAPSHOT:  Services may be provided anonymously, where it is lawful and practicable. We will generally require information about you to deliver a service to you, however, anonymity may be allowed wherever possible.

HPP 14 – Information Transferrals and Linkages

SNAPSHOT:  We will only transfer health information outside of New South Wales in accordance with HPP 14.

(46) Health information and personal information (where relevant) may be transferred outside New South Wales if:

  1. we reasonably believe that the recipient is subject to a law, binding scheme, or contract in relation to privacy principles that are substantially similar to those detailed in the PPIP Act;
  2. you consent to the transfer;
  3. the transfer is necessary for the performance of a contract (either between you and us or in the interests of you if the contract is between us and a third party);
  4. the information is required to prevent or lessen a serious or imminent threat;
  5. the use is authorised or required by another law;
  6. the transfer is for your benefit, and it is impracticable to obtain your consent to that transfer, and you would otherwise be likely to give consent; or
  7. we have taken reasonable steps to ensure that the transferred health or personal information will not be held, used, or disclosed by the recipient inconsistently with the Information Protection Principles or Health Privacy Principles.

(47) Where we seek to use or disclose health or personal information for research purposes without your consent, the research proposal must be submitted and approved by the Human Research Ethics Committee prior to the use or disclosure of information.

HPP 15 – Authorised

SNAPSHOT:  We will only use health records linkage systems if you have provided or expressed your consent. For example, My Health Record.

Section 7 - Privacy Act 1988 (Cth)

(48) While we are predominantly regulated by NSW privacy laws, there are areas of our functions where Commonwealth privacy laws govern our actions.

(49) Three examples of when the Commonwealth privacy laws apply are when we collect:

  1. TFN Information;
  2. Individual Health Identifiers; or
  3. Government-related Identifiers.

Section 8 - Law Enforcement Agencies

(50) We will only disclose personal information or health information to law enforcement agencies in circumstances where we are required or permitted to do so by law. Some examples where we will be required to disclose personal information are where a law enforcement agency issues us a warrant, notice to produce, or subpoena; or we are seeking to report a serious indictable offence. We may, at our discretion, disclose personal information or health information to law enforcement agencies if we are permitted to do so under law, such as where we have reason to believe that an offence has been committed and the law enforcement agency has requested that we disclose personal information that is reasonably necessary for them to investigate the offence.

(51) In accordance with the clause above, the discretion to disclose personal or health information to law enforcement agencies as permitted by law may be exercised by:

  1. the Vice-Chancellor;
  2. the General Counsel;
  3. the Deputy Vice-Chancellor (Academic) and Vice President where the information relates to a student or former student; or
  4. the Chief People and Culture Officer, where the information relates to a staff member or former staff member.

Section 9 - System Design and Review 

(52) All staff should adopt a privacy by design approach by considering the obligations of the IPPs and HPPs and the Privacy Act when implementing or reviewing a project, process, service, or system, to identify privacy issues, implement strategies to address those issues, and ensure ongoing compliance. When appropriate, for example where high-risk information is being shared with a third party, a Privacy Impact Assessment should be conducted; the Privacy and Right to Information Officer can help you with this.

Section 10 - Training and Awareness

(53) The University offers privacy training sessions for new and continuing staff in the staff learning and development portal ‘Discover.’ You may also enquire about privacy training sessions, both general and tailored to a specific area, by contacting the Privacy and Right to Information Officer. 

Section 11 - Complaints and Reviews

(54) We are committed to protecting your privacy. If you believe that we have not handled your personal or health information well, we ask that you give us the first opportunity to address your concerns. This will often be the more timely, efficient, and informal way of addressing your complaint. 

(55) You can raise concerns and complaints about the way in which we have handled your personal or health information in one of the following ways:

  1. submitting a complaint under the University's complaint handling processes at Complaints;
  2. applying for an internal review (see below); or
  3. contacting the Privacy Commissioner (see below).

(56) A request for an internal review can only be made where it is alleged that our conduct has:

  1. breached any of the IPPs in the PPIP Act or any of the HPPs in the HRIP Act;
  2. breached a privacy code of practice that applies to us; or
  3. disclosed personal information in a public register.

(57) We can only accept an application for internal review if it meets the thresholds specified in Part 5 of the PPIP Act. This includes that the application should:

  1. be in writing;
  2. be addressed to the University;
  3. specify a return address in Australia; and
  4. be lodged with the Privacy Office within 6 months of the date the applicant first became aware of the alleged conduct. 

(58) We may exercise our discretion to accept an application which may be received after the end of the 6-month period.

(59) The request for an internal review should be mailed to the below address, or made online at Complaints:

Privacy and Right to Information Officer
University of Newcastle
University Drive
Callaghan NSW 2308

(60) The internal review, as far as practicable, will be conducted by the Privacy and Right to Information Officer, or an appropriately qualified employee, who does not have a conflict of interest (Reviewing Officer).

(61) The Reviewing Officer will assess the request for internal review in accordance with Part 5 of the PPIP Act and:

  1. will complete the internal review within 60 calendar days of the day the application was received; and
  2. notify you of the outcome within 14 calendar days of the completion of the internal review.

(62) As a result of the outcome of an internal review we may do any of the following:

  1. take no further action on the matter;
  2. make a formal apology to you;
  3. take remedial action as appropriate;
  4. provide undertakings that the conduct will not occur again; and/or
  5. implement administrative measures to ensure that the conduct will not occur again.

(63) If you are still unhappy with how we have addressed your concerns, you may lodge a complaint with the Information and Privacy Commission New South Wales or seek an external review with the NSW Civil and Administrative Tribunal at:

NSW Information Privacy Commission
Level 15, McKell Building
2-24 Rawson Place
Haymarket NSW 2000
Free call: 1800 472 679
Fax (02) 6446 9518
ipcinfo@ipc.nsw.gov.au

NSW Civil and Administrative Tribunal
PO Box K1026
Haymarket NSW 1240
Phone: 1300 006 228

Section 12 - Breach of a Principle

(64) Where we become aware of a breach of the IPPs or HPPs or the Privacy Act, we will take appropriate steps to identify and address the breach. Reports of breaches or potential breaches should be sent to the Privacy and Right to Information Officer at privacy@newcastle.edu.au.

(65) A breach of the Privacy Management Plan, the Privacy Policy, and any associated policy and procedure by a member of our staff may constitute misconduct.

(66) It is an offence under the PPIP Act, HRIP Act or Privacy Act for a staff member, as a part of their employment, to:

  1. intentionally disclose or use personal or health information that the staff member has accessed, unless it is for a lawful or authorised purpose; and/or
  2. supply, by way of a bribe or other similar corrupt conduct, any personal or health information about an individual to another individual.

Section 13 - Controlled Entities

(67) Controlled entities must manage personal and health information in accordance with this Plan. Controlled entities must determine if they have other requirements under the Australian Privacy Principles and/or other legislation and develop appropriate policies and systems to comply with these requirements.

(68) If a complaint or internal review is received by us about the conduct of a controlled entity, we may conduct a review.

Section 14 - Administration

(69) An issues register is maintained by the Privacy and Right to Information Officer to support the review process. Issues or feedback may be e-mailed to privacy@newcastle.edu.au.

Section 15 - Privacy Information available in other languages

(70) The Information Privacy Commissioner has Fact Sheets available: “A guide to privacy laws in NSW available in other languages”.