Privacy Management Plan

Section 1 - Purpose

(1) The Privacy Management Plan sets out commitments, obligations and responsibilities for managing and protecting the personal and health information held by Charles Sturt University (the University). The plan is developed to meet the requirements of the Privacy and Personal Information Protection Act 1998 and is intended to ensure that the University's obligations under the following legislation are understood and met:

(2) This plan has the effect of a policy.

Scope

(3) This plan applies to all personal and health information of staff, students and members of the public held by Charles Sturt University (the University) and its controlled entities.

Section 2 - Policy

What the plan covers

(4) The Privacy Management Plan is divided into the following parts:

Part A - Overview of privacy obligations and information collected

Compliance obligations

(5) The University has compliance obligations in relation to privacy under the following legislation, regulations and other compliance drivers:

Personal and health information collected by the University

(6) The functions of the University are set out in section 7 of the Charles Sturt University Act 1989 (NSW) and include functions relating to the promotion, within the limits of the University's resources, of scholarship, research, free inquiry, the interaction of research and teaching, and academic excellence.

(7) To achieve these functions, the University collects the following types of personal information:

(8) The main kinds of health information managed by the University include the following:

What is not considered personal information

(9) The following categories of information are not considered personal information for the purpose of this plan:

Part B - Application of privacy principles

(10) The following Part sets out how the University collects, stores and manages personal information in compliance with the privacy principles stated in:

Privacy risk assessments (PRAs) and privacy impact assessments (PIAs)

(11) Incorporating completion of a privacy risk assessment (PRA) and, if required, a privacy impact assessment (PIA) into the University's risk management framework demonstrates that the University has properly considered privacy, has robust and effective privacy practices, procedures and systems, and helps to create stakeholder trust.

(12) If a University project will involve the handling of personal information, a PRA will be completed. Examples of projects where a PRA should be considered are:

(13) The greater the project's complexity and privacy scope, the more comprehensive the PRA and, if required, PIA should be to determine and manage the project's privacy impacts.

(14) PRAs and PIAs must also be completed for any activities to which foreign privacy legislation, such as the GDPR, may apply (refer to Part C).

Collection of information

Collection for lawful purposes (IPP 1, HPP 1 and APP 3)

(15) The University will limit the collection of personal information to that which is reasonably necessary to enable the University to fulfil its lawful purposes. Health information will only be collected for a lawful purpose, directly related to the University's activities and necessary for that purpose.

(16) The following are examples of how personal information may be collected by the University and the advice that will be provided to individuals:

Collection from the person concerned (IPP 2, HPP 3)

(17) As required by IPP 2, most personal information collected by the University is collected directly from the person to whom it relates, except where the person authorises the collection of information from another source, or a parent or guardian provides information for a person under 16 years of age.

(18) The following are examples of where personal information may be collected from other sources and are not considered contrary to IPP 2:

Requirements for collection - open (IPP 3, HPP 4)

(19) As far as practicable, the University will inform students, staff and other individuals why the information is being collected and how it will be used, at the point of collection:

(20) In some instances, personal information may be disclosed to third parties, either under statutory requirements and/or with the person's knowledge and permission:

Requirements for collection – relevant and accurate (IPP 4, HPP 2)

(21) Most personal information and health information is provided by the person to whom it relates and is therefore assumed to be accurate, relevant, not excessive and not an unreasonable intrusion. University policies (e.g. Enrolment and Fees Policy) stipulate that students are responsible for the accuracy of their personal information and are able and encouraged to amend their personal information as it changes.

(22) In some instances, personal information of staff or students is required to be verified before decisions are made. This verification would include contacting referees before appointing or promoting staff and verifying the academic and other qualifications of students seeking enrolment at the University. In cases of alleged misconduct involving staff or students, there are prescribed processes for establishing the provenance of relevant personal information.

(23) Organisational units only collect personal information that is directly related to the work of the unit.

(24) The University seeks to minimise unreasonable intrusion on an individual and not collect and store excessive personal information or health information. For this reason:

Storage of information

Retention and security (IPP 5 and HPP 5)

(25) The University will hold personal and health information securely and retain it for the periods required under the State Records Act 1998 (NSW). Personal information will be kept for no longer than is necessary for the purposes for which the information was collected and will be disposed of securely and in accordance with any requirements for the retention and disposal of personal information.

(26) Most of the University's organisational units store personal information on computers or on file servers. Access to this information is protected by passwords that are issued and controlled by the Division of Information Technology.

(27) Personal information held on the University's primary information systems for student, finance, personnel and corporate records is protected against unauthorised access, modification or disclosure by additional security levels that control access and functionality accorded to the various users of the systems.

(28) The Division of Information Technology is responsible for ensuring that the University's electronic records are regularly backed up and otherwise protected against loss or damage.

(29) Where third party operating systems are used to hold personal information, contracts must include provisions for security, retention and disposal of the information in accordance with the University's legislative responsibilities. Specifically, the University will ensure that third party contracts incorporate appropriate obligations to ensure compliance with the PPIP Act (and, to the extent applicable, any other privacy laws) and this Privacy Management Plan. In these cases, the area of the University responsible for managing these activities or contracts must complete a privacy impact assessment (PIA) beforehand to ensure the activity meets privacy obligations.

(30) The disposal of personal information is managed in accordance with the State Records Act and the approved general retention and disposal authorities (GDAs):

Access and accuracy

Information about the information held (IPP 6 and HPP 6)

(31) In addition to the general information provided in this plan, individuals may contact the Privacy Officer for information about what personal and health information is being stored about them, how it is being used and any rights regarding access to the information, via the University's Privacy and your information webpage.

Access to information (IPP 7 and HPP 7)

(32) The Records Management Policy (and associated procedures) set out how students and staff can access their personal information, generally at no cost (subject to some limitations). See also Part D below, which outlines how an individual can access information held about them in some circumstances.

Alteration of information (IPP 8 and HPP 8)

(33) The University encourages students or staff to keep their personal information and contact details up to date; this includes the right to annotate and correct information held by the University. Part D sets out how an individual can access and correct information held about them.

Use of information

Checking information before use (IPP 9 and HPP 9)

(34) Much of the personal information collected by organisational units either does not change or changes only occasionally (for example, name, date of birth, marital status, gender, ethnicity). The University does not routinely check this type of information before using the information.

(35) Some personal information is checked as a matter of course soon after its collection. For example, students' enrolment each session is confirmed with them as their enrolment load determines the amount of HECS-HELP or fees for which they are liable. Students must also confirm their personal information held when enrolling in subjects each teaching session in order to progress the enrolment process.

Limits on use of information (IPP 10 and HPP 10)

(36) Personal and health information collected by the University will only be used for the purpose it was collected unless the person has given their consent, or the purpose of use is directly related to the purpose for which it was collected, or to prevent or lessen a serious or imminent threat to a person's health or safety.

(37) The use of personal information for statistics and quality assurance purposes is considered to be related to the purpose for which the information was collected (for example, to improve the quality of services provided by the University). The Office of Planning and Analytics may receive personal information that it will provide to other organisational units in an aggregated or de-identified format. Where an organisational unit requests identified information, executive approval must confirm that the information is required to meet a genuine business need.

Limits on disclosure of information (IPP 11, HPP 11 and HPP 14)

(38) The disclosure of personal and health information will be limited by the University and restricted to the purpose for which it was collected unless an exemption applies under relevant privacy legislation or a code of practice.

(39) As part of its routine management tasks, some organisational units disclose personal information to bodies outside NSW, usually at the request of the person concerned. This includes:

(40) When requested, Student Administration will verify whether a named person has received a qualification from the University, or aspects of their academic performance, to an individual or body demonstrating justifiable reason, for example, at the request of a prospective employer of a graduate to check a claim for employment. The award of qualifications is a public act. Verifying to a third party whether a person has obtained a particular qualification from the University, their academic performance during their studies (e.g. their grades in a subject) and the publication of their name and conferred qualification does not contravene the IPPs.

Sensitive information (IPP 12)

(41) There are stricter obligations for the disclosure of personal sensitive information relating to an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, health and sexual activities. The University will only collect personal sensitive information on a voluntary basis, or where it is required to do so by law. The University will only disclose this information with the consent of the person, or when required to do so by law, or if the disclosure is necessary to prevent or minimise a serious or imminent threat to the person's health or safety.

(42) Examples of where this information may be collected and/or disclosed with the individual's permission include but are not limited to:

Identifiers and anonymity

Use of identifiers (equivalent to HPP 12, APP 9)

(43) The University issues a unique University number to all students and staff in order to carry out its functions.

(44) The University will not adopt, use or disclose a government related identifier unless authorised by or under an Australian law or a court or tribunal.

Anonymity and pseudonymity (equivalent to HPP 13, APP 2)

(45) Students and staff are not provided with the option of being known under a pseudonym or to be anonymous because:

Health linkage system (HPP 15)

(46) A health records linkage system is a computerised system designed to link health records for an individual held by different organisations for the purpose of facilitating access to health records. The University does not currently use any health records linkage (such as My Health Record).

Exemptions

Serious and imminent threat

(47) The University may use personal information and disclose it to prevent or lessen a serious and imminent threat to a person's health or safety.

(48) This exception has been determined by the NSW Civil and Administrative Tribunal (NCAT) to be permitted in very limited circumstances. The threat must be both serious and imminent: imminent meaning likely to occur at any moment, or impending. There must also be a belief held on reasonable grounds about the serious and imminent threat by the officer of the University when this exception is relied on.

(49) Staff involved in assessing any threat should speak to their supervisor and also contact the University's Privacy Officer and/or the General Counsel for advice.

PPIP Act exemptions

(50) Division 3 of the PPIP Act sets out the exceptions to compliance with the IPPs. The exemptions relevant to University operations are set out below.

(51) These should not be read as an exhaustive list of exemptions, and any University officer unsure whether an exemption applies when handling personal information in their role should discuss the matter with their supervisor or contact the University's Privacy Officer.

Investigations

(52) The University is not required to comply with the privacy obligations under section 24 of the PPIP Act if:

Law enforcement purposes or otherwise lawfully authorised

(53) The University is not required to comply with the obligations under section 23 of the PPIP Act if:

(54) A reference to 'law enforcement purposes' includes law enforcement purposes of any state or territory, or the Commonwealth, of Australia.

(55) Examples of other legislation which may authorise non-compliance include the GIPAA, the State Records Act 1998 (NSW) and the Data Sharing (Government Sector) Act 2015 (NSW). The operation of this and any other legislation that permits non-compliance with the PPIP Act does not affect the University's handling of the personal information and health information, other than for the purpose of the exempt conduct.

Public sector agencies

(56) There is often confusion between the operation of the Privacy Act 1988 (Cth) (the federal Privacy Act) and the PPIP Act and the HRIP Act. The University is defined as a 'public sector agency' under the PPIP Act and the HRIP Act and must comply with the privacy obligations arising under those laws, which are the University's primary privacy obligations.

(57) Under section 27A of the PPIP Act, a public sector agency is not required to comply with the information protection principles with respect to the collection, use or disclosure of personal information if:

Research

(58) Under section 27B of the PPIP Act, there is an exemption that applies to the collection, use or disclosure of personal information used for research purposes, or the compilation or analysis of statistics in the public interest, provided that specific conditions are met. Staff engaged in research who wish to access personal information held by the University for research purposes should refer to the NSW Information and Privacy Commissioner's Statutory Guidelines on Research. For more information, consult the University's Privacy Officer or the General Counsel. Approval from the University's authorised delegate is required before any information can be provided.

(59) The University's Research Data Management Procedure specifies the responsibilities of the University, its researchers and research students regarding the management of research data.

Sensitive personal information

(60) The PPIP Act provides a restriction on disclosure for 'sensitive' types of information, which are defined as an individual's ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual activities. The University will not disclose this type of information unless it is necessary to prevent a serious and imminent threat to the life or health of an individual.

(61) It should be remembered that sensitive personal information may be contained in identification documents, such as passports and drivers' licences. For example, photos might establish racial origin or religion, and a document evidencing an individual's marital status may disclose their sexual orientation.

Other exemptions

(62) The University is also exempt from various provisions of the PPIP Act where:

(63) The University may also have mandatory reporting obligations to regulatory bodies, such as the NSW Independent Commission Against Corruption (ICAC), and other government agencies.

Public registers

(64) The University publishes:

(65) Enquiries about the inclusion of personal information in a public register can be made to the University's Privacy Officer.

Part C - General Data Protection Regulations (GDPR) – additional provisions for privacy regulation of foreign countries

(66) Foreign privacy regulation, such as the GDPR, may apply to a variety of University activities including:

(67) Under some foreign privacy regulations, such as the GDPR, it is a requirement that, where information is collected, stored or disclosed as a result of express consent given by an individual, that consent may be withdrawn by the individual at any time.

(68) The individual may have the right to request the erasure, portability or restriction of processing of their personal data, and to object to the processing of their personal data.

(69) To request access, correction or erasure of personal information under the GDPR, please contact the University's Privacy Officer at: informationintegrity@csu.edu.au.

Part D - Inquiries, reviews and breaches of privacy

(70) Individuals have a right under the privacy statutes to request access to, and correction of, personal information held by the University.

(71) Staff, students and members of the public are encouraged in the first instance to contact the head of the organisational unit responsible for holding the personal information in question if they wish to:

(72) Individuals have the right to correct personal information held by the University if it is inaccurate, out of date, incomplete, irrelevant or misleading. The handling of a request to access or correct personal information will be at no cost to the individual seeking access to, or raising a concern about, their personal information.

(73) If the University is unable to provide access to or correct their personal information, the individual will be notified in writing of:

(74) Where a request to correct personal information held by the University is refused, the individual may request that the University associate a statement with that information that the individual believes the personal information held is inaccurate, out of date, incomplete, irrelevant or misleading. The University must take reasonable steps to associate the statement with the individual's personal information so that the statement is apparent to users of the personal information.

(75) Organisational units may seek advice from the University Ombudsman, as the University's Privacy Officer, on allowing access and corrections to the personal information they hold.

Internal review by the University

(76) A person who is aggrieved by the conduct of the University in relation to their personal information is entitled to a review of that conduct. An individual may

(77) An application for internal review must:

(78) The University's Privacy Officer will then either deal with the application directly and undertake the review, or will appoint another suitable person. Except as provided for in the PPIP Act, the person who deals with the application must, as far as practicable, be a person:

(79) The appointed person will review the conduct that is the subject of the application and complete the review in accordance with Part 5 of the PPIP Act. In reviewing the conduct that is the subject of the application, the person appointed to deal with the application must consider any relevant material submitted by the applicant and the Privacy Commissioner.

(80) The internal review should be completed as soon as is reasonably practicable in the circumstances, and will usually be completed within 30 days.

(81) Following completion of the review, the University may do any one or more of the following:

(82) The University will notify the NSW Privacy Commissioner as soon as practicable after receiving an application for internal review, and keep the NSW Information Privacy Commissioner informed of the progress and findings of the internal review and the action proposed to be taken by the University in relation to the matter.

External reviews and complaints

(83) If an applicant for internal review is not satisfied with the findings of the internal review or the action taken by the University in relation to the application, they may make an application within 28 days to the NSW Civil and Administrative Tribunal (NCAT) for a review of the decision that is the subject of the application.

(84) Staff and students may also make a complaint to the NSW Information and Privacy Commission.

Breaches of privacy and unauthorised access to personal information

(85) A data breach occurs when personal information or data held by the University is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Suspected or confirmed data breaches will be managed as set out in the Information Technology Procedure - Personal Data Breach.

(86) An eligible data breach occurs where:

Notifiable Data Breaches scheme (Cth)

(87) The Australian Government has established the Notifiable Data Breaches (NDB) scheme under the Privacy Act (Cth) to ensure that individuals are notified about serious breaches of their personal or health information. This scheme came into effect on 22 February 2018.

(88) The Notifiable Data Breaches scheme applies directly to the University in limited circumstances, and the University is only required to notify the Office of the Australian Information Commissioner (OAIC) where there is a data breach that involves tax file numbers.

(89) The Notifiable Data Breaches scheme applies to contractors and other organisations that the University does business with because they are subject to the Privacy Act (Cth). Some of these contractors and other organisations may have access to or store personal or health information on behalf of the University.

(90) The University is required to comply with the mandatory Notifiable Data Breaches scheme, which includes notifying the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm to an individual to whom the personal or health information relates.

(91) The University is required to maintain an internal data breach incident register to comply with the mandatory Notifiable Data Breaches scheme.

Mandatory Notification of Data Breach scheme (NSW)

(92) The NSW Government established a Mandatory Notification of Data Breach (MNDB) scheme under the Privacy and Personal Information Protection Act (NSW) that requires the University to provide notifications to affected individuals in the event of an eligible data breach of their personal or health information held by the University. This scheme came into effect on 28 November 2023.

(93) The University is required to comply with the MNDB scheme, which includes notifying the NSW Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm to an individual to whom the personal or health information relates.

(94) The Privacy Officer must establish and maintain:

(95) The Information Technology Procedure – Personal Data Breach outlines the procedures and practices used by the University to ensure compliance with the obligations and responsibilities set out in part 6A of the PPIP Act for the MNDB scheme.

University processes

(96) The University will establish processes for responding to data breaches and reporting notifiable data breaches in line with the requirements of the Privacy Act 1988 (Cth), the PPIP Act and the HRIP Act and, where applicable, foreign privacy laws such as the GDPR.

(97) The University will incorporate standard provisions for all contracts with contractors and other organisations who handle personal or health information on behalf of the University. These provisions will include, as a minimum, requirements to:

Offences

(98) Individuals who intentionally breach, disclose or use any personal or health information about another person otherwise than in connection with the lawful exercise of their official functions commit an offence under part 8 of the PPIP Act and/or the HRIP Act. This may include:

Penalties include fines, imprisonment or both.

(99) The supervisory authority for the GDPR imposes fines and penalties that are effective, proportionate, and dissuasive. This may include but is not limited to:

Part E - Training and awareness

(100) The obligations of the University and its staff as identified under the PPIP Act and HRIP Act will be the subject of information and training sessions conducted by the University's Privacy Officer and online training modules completed by staff. These information and training sessions and training modules will be designed to enhance staff awareness of privacy and cyber principles and current threat trends, in addition to training and awareness around identifying, responding to, and managing data breaches.

(101) General alerts will also be made on the University's communication systems to remind staff and students of their privacy protection obligations.

(102) The University's privacy web page provides detailed information on how the University meets its obligations under the privacy legislation: the Privacy and Personal Information Protection Act 1998 (NSW), the Privacy Act 1988 (Cth) and the Health Records and Information Privacy Act 2002 (NSW).

(103) Where privacy-related matters are addressed in policies and procedures, the University's Privacy Officer is a core stakeholder in accordance with the Policy Development and Review Procedure and will be consulted when minor or major changes are proposed, to ensure compliance with the PPIP Act and HRIP Act and any other relevant legislation.

Contact information

(104) People seeking further information or advice regarding the matters contained in this plan can review the University's Privacy web page or contact the University's Privacy Officer.

Section 3 - Procedures

(105) Nil.

Section 4 - Guidelines

(106) Nil.

Section 5 - Glossary

(107) For the purpose of this plan, the following additional terms have the definitions stated: