Privacy Policy

This is not a current document.

Section 1 - Audience

(1) This policy applies to the University of Newcastle (“

Section 2 - Purpose

(2) The purpose of this policy is to assist you to understand how we meet our obligations under the:

(3) The PPIP Act and the HRIP Act are regulated by the NSW Information and Privacy Commissioner (IPC). The Privacy Act and HI Act are regulated by the Federal Office of the Australian Information Commissioner (OAIC). This Policy outlines our approach to ensuring compliance with our obligations under the legislation.

Section 3 - Definitions

(4) In the context of this document the following definitions apply.

(5) “Personal Information” means information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Personal information can also include things like your fingerprints, retina prints, body samples or genetic characteristics.

(6) “Sensitive information” means personal information about your ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities, trade union membership and biometric data.

(7) “Health information” means:

(8) “NSW Privacy Laws” means the Privacy and Personal Information Protection Act 1998 (PPIP Act) and the Health Records and Information Privacy Act 2002 (HRIP Act).

(9) “Commonwealth Privacy Laws” means the Privacy Act 1988 (Privacy Act), the Privacy (Tax File Number) Rule 2015 (TFN Rule) issued under section 17 of the Privacy Act, and the Healthcare Identifiers Act (HI Act).

(10) “Tax File Number information” (TFN Information) means information that connects a tax file number (TFN) with the identity of a particular individual (for example, a database record that links a person’s name and date of birth with the person’s TFN).

(11) “Individual Health Care Identifier information” (IHI information) means a unique number used to identify an individual for health care purposes. It helps ensure health professionals are confident that the right information is associated with the right individual at the point of care. You already have an IHI if any of the following apply:

(12) “Government-related Identifier information” (GRI Information) means an identifier that has been assigned by an agency, a State or Territory authority, an agent of an agency or authority, or a contracted service provider for a Commonwealth or State contract, e.g. a Centrelink Customer Reference Number (CRN), Medicare number, driver’s licence number or passport number.

(13) “Data breach” means a breach of a privacy obligation where there is a failure that has the potential to cause unauthorised access to our data. Whilst the first things that come to mind when envisaging a data breach are a cyber-attack, ransomware, phishing or malware, a data breach can also include the accidental loss of a paper file, a USB stick or a laptop.

Section 4 - Privacy Management Plan

(14) We maintain a Privacy Management Plan which explains our processes for the management and maintenance of personal information, health information, TFN Information, IHI Information and GRI Information held by us. The Privacy Management Plan has been developed in accordance with the relevant sections of the PPIP Act, HRIP Act, Privacy Act and HI Act.

Section 5 - Information Protection Principles and Health Privacy Principles

(15) There are 12 Information Protection Principles (IPPs) that apply under the PPIP Act and 15 Health Protection Principles (HPPs) that apply under the HRIP Act. The IPPs are obligations that we must abide by when we collect, store, use or disclose personal information. We are governed by NSW Privacy Laws but may have obligations under other legislation such as the Privacy Act 1988 (Cth), the General Data Protection Regulation (EU 2016/679) and other global privacy regimes.

(16) Below you will find a description of the IPPs and HPPs. A detailed explanation of how we apply each of the principles to our functions can be found in the Privacy Management Plan.

Collection of information

IPP 1 and HPP 1 – Lawful

(17) We must only collect your personal information for a lawful purpose which is directly related to our functions or activities and necessary for that purpose.

IPP 2 and HPP 3 – Direct Collection

(18) We must only collect your personal information directly from you, unless you have authorised collection from someone else, or you are under 16 and the information has been provided by your parent or guardian, or, for health information, it is unreasonable or impracticable to do so.

IPP 3 and HPP 4 – Open

(19) We must inform you, or the person you have authorised, why we are collecting it, what we will do with it, and who else might see it. We will also tell you, or the person you have authorised, how you can view and correct the personal information, whether providing the information is required by law or voluntary, and any consequences that may apply if you or they decide not to provide the information.

IPP 4 and HPP 2 – Relevant

(20) We will ensure that the personal information is relevant, accurate, complete, up to date and not excessive, and that the collection does not unreasonably intrude into your personal affairs.

Storage of information

IPP 5 and HPP 5 – Secure

(21) We will store your personal information securely, keep it no longer than necessary and dispose of it appropriately. It will be protected from unauthorised access, use, modification or disclosure.

Access and Accuracy of information

IPP 6 and HPP 6 – Transparent

(22) We will explain to you what personal information about you is being stored, why it is being used and any rights you have to access it.

IPP 8 and HPP 8 – Correct

(24) We will allow you to update, correct or amend your personal information where necessary.

Use of information

IPP 9 and HPP 9 – Accurate

(25) We will make sure that your personal information is relevant, accurate, up to date and complete before using it.

IPP 10 and HPP 10 – Limited

(26) We will only use your personal information for the purpose it was collected unless you have given us your consent, or the purpose of use is directly related to the purpose for which it was collected, or to prevent or lessen a serious and imminent threat to any person’s health or safety.

Disclosure of information

IPP 11 and HPP 11 – Restricted and Limited Disclosure

(27) We will only disclose your personal information with your consent, or consent from the person you have authorised; or if you were told at the time that it would be disclosed; or if disclosure is directly related to the purpose for which the information was collected and there is no reason to believe you would object; or if you have been made aware that information of that kind is usually disclosed; or if disclosure is necessary to prevent a serious and imminent threat to any person’s health or safety.

IPP 12 – Safeguarded

(28) We cannot disclose your sensitive information without your consent, for example, information about your ethnic or racial origin, political opinions, religious or philosophical beliefs, sexual activities, or trade union membership. We can only disclose your sensitive information without consent in order to deal with a serious and imminent threat to any person’s health or safety.

HPP 12 – Information Identifiers and Anonymity

(29) You may be identified by using unique identifiers if it is reasonably necessary to carry out our functions efficiently.

HPP 13 – Anonymity

(30) Services may be provided anonymously, where it is lawful and practicable.

HPP 14 – Information Transferrals and Linkages

(31) We will only transfer health information outside of NSW in accordance with HPP 14.

HPP 15 – Authorised

(32) We will only use health records linkage systems (for example, My Health Record) if you have provided or expressed your consent.

Section 6 - Privacy Act 1988 (Cth)

(33) While we are predominantly regulated by NSW privacy laws, there are areas of our functions where Commonwealth privacy laws govern our actions.

(34) Three examples of when the Commonwealth privacy laws apply are when we collect:

Section 7 - Law Enforcement Agencies

(35) We will only disclose personal information or health information to law enforcement agencies where we are required or permitted to do so by law. Some examples where we will be required to disclose personal information are where a law enforcement agency issues us a warrant, notice to produce or subpoena, or where we are seeking to report a serious indictable offence. We may, at our discretion, disclose personal information or health information to law enforcement agencies if we are permitted to do so under law, such as where we have reason to believe that an offence has been committed and the law enforcement agency has requested that we disclose personal information that is reasonably necessary for them to investigate the offence.

(36) In accordance with the clause above, the discretion to disclose personal or health information to law enforcement agencies as permitted by law may be exercised by:

Section 8 - System Design and Review

(37) All

Section 9 - Training and Awareness

(38) The

Section 10 - Complaints and Reviews

(39) We are very committed to protecting your privacy, so if you believe that we have not handled your personal or health information well, we ask that you give us the first opportunity to address your concerns (link here to complaints handling). This will often be the more timely, efficient and informal way of addressing your complaint, as opposed to a request for an internal review or contacting the Privacy Commissioner.

(40) You can raise concerns and complaints about the way in which we handled your personal or health information in one of the following ways:

(41) A request for an internal review can only be made where it is alleged that our conduct has:

(42) We can only accept an application for internal review if it meets the thresholds specified in Part 5 of the PPIP Act. The application should:

(43) The request for an internal review should be mailed to the address below, or made online at internal review:

Privacy Officer and Rights to Information Officer
University of Newcastle
University Drive
Callaghan NSW 2308

(44) The internal review, as far as practicable, will be conducted by the Privacy and Right to Information Officer, or an appropriately qualified employee, who does not have a conflict of interest (Reviewing Officer).

(45) The Reviewing Officer will assess the request for internal review in accordance with Part 5 of the PPIP Act and:

(46) We may, as a result of the outcome of an internal review, do any of the following:

(47) If you are still unhappy with how we have addressed your concerns, you may lodge a complaint with the Information and Privacy Commission New South Wales or seek an external review with the NSW Civil and Administrative Tribunal at:

NSW Information Privacy Commission
Level 15, McKell Building
2-24 Rawson Place
HAYMARKET NSW 2000
Free call: 1800 472 679
Fax: 02 6446 9518
ipcinfo@ipc.nsw.gov.au

NSW Civil and Administrative Tribunal
PO Box K1026
HAYMARKET NSW 1240
Phone: 1300 006 228

Section 11 - Data Breach

(48) Where we become aware of a breach of the IPPs or HPPs or the Privacy Act, we will take appropriate steps to identify, mitigate and address the breach in accordance with our Privacy Data Breach Response Plan. Reports of breaches or potential breaches must be sent to the Privacy and Right to Information Officer at privacy@newcastle.edu.au.

(49) Some data breaches are serious and can potentially cause serious harm to you and us. NSW does not currently have a mandatory notifiable data breach reporting obligation. Reporting is voluntary. The voluntary scheme means that if we have experienced a serious data breach we may report the details to the Privacy Commissioner, so the Privacy Commissioner can assess, provide advice and/or investigate.

(50) Where a data breach relates to the Privacy Act, we will respond in accordance with the OAIC’s mandatory data breach reporting obligations.

(51) We will assess the specific

Section 12 - Controlled Entities

(52) A breach of the Privacy Management Plan, the Privacy Policy, and any associated policy and procedure by a member of our

(53) It is an offence under the PPIP Act, HRIP Act or Privacy Act for a

(54)

(55) If a complaint or internal review is received by us about the conduct of a

Section 13 - Administration

(56) An issues register is maintained by the Privacy and Right to Information Officer. Issues or feedback may be e-mailed to privacy@newcastle.edu.au.

Section 14 - Agency Information Guide

(57) We maintain an Agency Information Guide which sets out our processes for access to your personal information.

Section 15 - Concerns and Complaints

(58) You may raise concerns and complaints about the way in which we manage privacy. The Privacy Management Plan and the Agency Information Guide provide information on the relevant pathways. In addition, the PPIP Act, HRIP Act and Privacy Act stipulate review pathways.

Section 16 - Roles and Responsibilities

(59) All

(60) The Privacy and Right to Information Officer is responsible for the:

(61) The Vice-Chancellor, as Principal Officer for privacy, has overall responsibility for ensuring the promotion of the objectives of, and compliance by us with, the PPIP Act, HRIP Act and Privacy Act.

(62) The

(63)

(64)

Section 17 - Privacy Information available in other languages

(65) The Information Privacy Commissioner has fact sheets available: A guide to privacy laws in NSW, available in other languages.