View Current

Records Management Procedure - Access to University Records

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Purpose

(1) This procedure:

  1. sets out how students, staff and external parties can access records and information held by Charles Sturt University (the University)
  2. ensures that the University meets its obligations under the Government Information (Public Access) Act 2009 (the GIPA Act).

Scope

(2) This procedure applies to students and staff of the University and external parties seeking to access University records and information.

Top of Page

Section 2 - Policy

(3)  This procedure supports the Records Management Policy and the Privacy Management Plan.

Top of Page

Section 3 - Procedure

Part A - Student and staff personal records

Confidentiality

(4) Student and staff records are confidential. Subject to the legal obligations of the University, student or staff records, or parts thereof, will be released only to that student or staff member and to authorised University staff in the course of the University's regular business.

(5) The disclosure of personal and health information will be limited by the University and restricted to the purpose for which it was collected or as stated in the Privacy Management Plan, unless an exemption applies under a relevant privacy legislation or code of practice.

(6) If instructed in writing by a student or staff member, or where directed by a validly issued legal order, the University will release their records to another person or to an organisation.

(7) Where information from student records is disclosed other than in accordance with clauses (4)–(6), that information must be published in such a way that the student cannot be identified from that information.

(8) There are stricter obligations for the disclosure of personal sensitive information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health and sexual activities. The University will only disclose this information with the consent of the person, or when required to do so by law, or if the disclosure is necessary to prevent or minimise a serious or imminent threat to the person’s health or safety.

Student access to their own University records

(9) Current or former students may request access to their own records held by the University through the following process:

  1. Students may lodge a request with Student Central.
  2. The request should specify their personal details (e.g. full name, student number, date of birth, course studied and year(s)), what records they are seeking, and be sent from the email registered with the University, if possible. The University may request additional information and proof of identity if necessary.
  3. Student Central will check the request contains sufficient information and if so, forward the request to Student Administration to fulfill.
  4. Student Administration will review the request to establish the identity of the student and scope of the request. Once established, Student Administration will investigate if the requested records exist.
  5. If found, Student Administration will collect and collate the records. Some information contained in the records may be redacted to conform with privacy requirements.
  6. A digital copy of the file(s) will be sent either directly by email or the instructions on how to access the files from secure cloud storage will be sent to the requesting student.
  7. If the records requested are no longer held (see the Records Management Procedure for retention and disposal requirements) or are not found after a reasonable and good-faith search is made, the requester will be informed.

Staff access to their own University records

(10) Current or former staff members may request access to their own records held by the University through the following process:

  1. Staff members may lodge a request with the Division of People and Culture (DPC).
  2. The request should specify their personal details (e.g. full name, staff number, date of birth, period of work with the University) and what records they are seeking. If the requester is a current staff member the request should come from their University email, if possible. The University may request additional information and proof of identity if necessary.
  3. DPC will review the request to establish the identity of the staff member and scope of the request. Once this has been established, DPC will investigate if the records exist.
  4. If found, the records will be collected and collated by DPC. Some information contained in the records may be redacted to conform with privacy requirements.
  5. A digital copy of the file(s) will be sent either directly by email or the instructions on how to access the files from secure cloud storage will be sent to the requesting staff member.
  6. If the records requested are not held (see the Records Management Procedure for retention and disposal requirements) or are not found after a reasonable and good-faith search is made, the requester will be informed.

Part B - Internal access to University records

(11) Each Band 7 head of an organisational unit has operational responsibility for approving access to information and systems held by their unit and/or sharing records and information between systems and organisational units. This authority is subject to any restrictions or higher authorisation requirements under delegations, the Privacy Management Plan, the Legal Policy and its procedures and/or other University policies and procedures (e.g. Surveillance Procedure).

(12) Personal and health information collected by the University will only be used for the purpose it was collected, as set out in the Privacy Management Plan and/or in accordance with NSW and Commonwealth privacy legislation.

(13) The use of personal information for statistics and quality assurance purposes is considered to be related to the purpose for which the information was collected (for example, to improve the quality of services provided by the University). The Office of Planning and Analytics may receive personal information that it will provide to other organisational units in an aggregated or de-identified format. Where an organisational unit requests identified information, executive approval must confirm that the information is required to meet a genuine business need and/or that an exemption applies under the relevant legislation.

Part C - External access to University records - Government Information (Public Access) (GIPA) requests

Principles and responsibilities

(14) The University is committed to the principles of openness and accountability that underpin the Government Information (Public Access) Act 2009 (GIPA Act).

(15) The University will assess and respond to all applications for access to information made under the GIPA Act in accordance with the GIPA Act and after payment of the prescribed fees. The fees may vary and will be as determined by the NSW Government.

(16) The University will provide access to information it holds, restricted only when there is an overriding public interest against releasing that information.

(17) Responsibilities for requests under the GIPA Act are as follows:

  1. The Vice-Chancellor is the principal officer for the implementation of the GIPA Act and the University's overall management of GIPA matters.
  2. The Vice-Chancellor has delegated these responsibilities to the University Ombudsman, and in their absence, to the University Secretary. In the absence of both the University Ombudsman and University Secretary, the responsibilities will be delegated to another officer of the University.
  3. All staff members are responsible for providing information requested by the Vice-Chancellor's delegate when responding to an application for access.
  4. The University Ombudsman (or other delegated officer) will reach a decision based on their professional judgement, considering the University's statutory obligations under the GIPA Act and its intention to give members of the public a legally enforceable right to access government information.

(18) If an internal review of a GIPA Act decision is requested, it will be done by a person who did not make the original decision and that person will be at least as senior as the person who made the original decision.

University documents

(19) The University’s open access information is available to the public free of charge. This includes:

  1. the policy library
  2. a disclosure log of information released under formal access applications
  3. a register of University contracts an agency has with private sector entities for a value of more than $150,000 (including GST)
  4. an agency information guide
  5. documents tabled in Parliament by or on behalf of the University, and
  6. any other documents so designated under the GIPA Act.

(20) Documents held by the University or by an officer of the University in their official capacity are subject to the GIPA Act.

GIPA requests

(21) The University Ombudsman maintains a webpage that includes links to the open access information of the University.

(22) Requests for other University information can be made and will be managed as follows:

  1. Individuals may lodge a request using the form on the University Ombudsman - Right to information website
  2. Any application for access to documents made under the GIPA Act and received by other organisational units of the University will be promptly forwarded to the University Ombudsman for action.
  3. The University Ombudsman will acknowledge receipt of the application and make a determination as to the validity of the application.
  4. The University Ombudsman may enter into discussions with an applicant to suggest that a request could be dealt with informally unless there is an overriding public interest that would prevent this.
  5. The University Ombudsman will request information within the scope of the GIPA request from the relevant University officers. All information requested will be forwarded promptly. A failure to provide information requested is an offence under the GIPA Act.
  6. The GIPA Act and the GIPA Regulations specify when the fees and charges may, and in some cases must, be waived, reduced or refunded.
  7. The University Ombudsman will assess the level of access to be provided according to the requirements of the GIPA Act. The University Ombudsman will undertake third-party contact as required under the GIPA Act.
  8. Access to documents will be provided, and all access will be recorded, as per the requirements of the GIPA Act.

Accountability and performance management

(23) The University Ombudsman will report, via the University annual report, details as required by the GIPA Act and regulations regarding the management of GIPA responsibilities and compliance.

(24) The University Ombudsman will take initiatives to broaden awareness and understanding amongst University staff of the GIPA Act and this procedure.

Top of Page

Section 4 - Guidelines

(25)  Nil.

Top of Page

Section 5 -  Glossary

(26) For the purpose of this policy, the following terms are used:

  1. Band 7 – means the University roles with delegated authority to Band 7 as set out in the Delegations and Authorisations Policy.
  2. Staff - means current or former continuing or fixed-term or casual employees of the University.
  3. Student – as defined in the policy library glossary.
  4. Student record - means any enrolment, administrative, financial or academic information relating to a student, retained by the University. This does not include sensitive information including misconduct, counselling or other support services records.