View Current

Privacy and Information Access Policy

This is the current version of this document. You can provide feedback on this policy to the enquiries contact - refer to the Status and Details on the document's navigation bar.

Section 1 - Audience

(1) This policy applies to University staff, contractors, controlled entities, conjoints, volunteers, affiliates, students and the general public.

Top of Page

Section 2 - Purpose

(2) The purpose of this policy is to meet the University's obligations under the:-

  1. Government Information (Public Access) Act 2009 NSW ('GIPAA');
  2. Health Records and Information Protection Act 2002 NSW ('HRIPA'); and
  3. Privacy and Personal Information Protection Act 1998 NSW ('PPIPA').

(3) These Acts are overseen by the NSW Information and Privacy Commissioner. This Policy outlines the University's approach to ensuring compliance with its obligations under the legislation.

Top of Page

Section 3 - Principles

Privacy

(4) The University maintains a Privacy Management Plan (Plan) which supports processes for the management and maintenance of personal information and health information held by the University. The Plan has been developed in accordance with the PPIPA and to support compliance with relevant sections of PPIPA and HRIPA.

Agency Information Guide

(5) The University maintains an Agency Information Guide (Guide) which provides the University's processes for information access. The University will release information it holds in accordance with GIPAA unless it considers that there is an overriding public interest against doing so.

Open Access Information

(6) The University proactively releases a wide range of information on the University website and through public access facilities. This includes:relevant University's policy documents, as contained in the University's Policy Library;

  1. Annual Reports;
  2. the Agency Information Guide;
  3. a disclosure log to detail information on disclosures made as a result of a formal GIPA application that the University considers to be in the broader public interest; 
  4. a register of government contracts entered into by the University in which the value of the contact is (or is likely to be) $150,000 or more; and
  5. where applicable, a list of open access information that is not made publicly available on the basis of an overriding public interest disclosure.

Proactive Release of Information

(7) Wherever possible, the University provides information informally without the need of a formal application. The University may impose reasonable conditions prior to the release of information.

Informal Release of Information

(8) The GIPAA allows an individual to access information unless there is considered to be an overriding public interest against disclosure. The considerations that may be taken into account in whether there is an overriding public interest against disclosure are set out in the GIPAA. A formal application to access information is required where the information is not readily available and cannot be provided informally.

Concerns and Complaints

(9) Individuals may raise concerns and complaints about the way in which the University manages information access and privacy. The Privacy Management Plan and the Agency Information Guide provide information on the relevant pathways. In addition, PPIPA, HRIPA and GIPAA stipulate review pathways.

Top of Page

Section 4 - Roles and Responsibilities

(10) All staff, representatives, conjoints, volunteers and contractors are responsible for:-

  1. Personal information and health information: the use, disclosure, storage and retention of personal information in accordance with the relevant legislation and this Policy. Individuals granted access to University systems have an obligation to ensure they only access information that is reasonably required for, and consistent with, the performance of their role.
  2. Access to information: complying with requests to locate and provide relevant information held in their respective areas in response to a request for information from the Right to Information Officer or the Privacy Officer.

(11) The Director, Assurance Services is the University's Privacy Officer and a Right to Information Officer. The Director is responsible for the:-

  1. oversight of the implementation and review of this Policy, the Privacy Management Plan and the Guide;
  2. management of systems and processes relating to information access applications, privacy complaints and privacy internal reviews;
  3. training and awareness activities.

(12) The Vice-Chancellor as Principal Officer has overall responsibility for ensuring the promotion of the objectives of, and compliance by the University with HRIPA, PPIPA and GIPAA.

(13) The University Council receives management reports which enables it to have oversight of compliance with HRIPA, PPIPA  and GIPAA.

(14) Controlled entities may be requested to respond to requests from the University for information access. Controlled entities may be required to comply with other privacy related legislation in their own right.

(15) Students have responsibilities when acting as a representative of the University in accordance with any special requirements of that function. In line with the Student Conduct Rule, students must respect the privacy and confidentiality of other students, staff and other members of the University community.