Privacy Policy

1. Purpose

1.1 The Privacy Policy (the policy) provides a framework to protect the privacy of all individuals at UTS in compliance with relevant privacy laws.

2. Scope

2.1 This policy applies to all staff, students and affiliates.

2.2 This policy does not cover bodies that operate independently of the university’s governance framework, including controlled or associated entities of UTS.

3. Principles

3.1 UTS will:

1. create, promote and maintain a culture of respect for the privacy of all individuals
2. establish systems for, and provide guidance to, the UTS community for the appropriate management of personal information held by the university
3. take a holistic view of privacy by incorporating the health requirements of NSW privacy laws as well as other privacy laws and regulations that may apply from other jurisdictions where appropriate and reasonable, and
4. incorporate privacy requirements and protections into processes, procedures and information systems.

4. Policy statements

Privacy requirements

4.1 UTS staff, students and affiliates must comply with the:

1. Information Protection Principles (IPPs) under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA), and 
2. Health Privacy Principles (HPPs) under the Health Records and Information Privacy Act 2002 (NSW) (HRIPA).

4.2 In collecting, storing, using, disclosing, retaining and destroying personal information, UTS activities and processes must:

1. meet legal obligations under the PPIPA and HRIPA 
2. meet obligations of privacy laws in other jurisdictions where relevant, and 
3. consider community, staff and student expectations and concerns.

4.3 Unless otherwise specified, the term personal information refers to both personal and health information. Privacy guidance and processes will be consistent with the requirements of the IPPs and the HPPs and any lawful exemptions where relevant and appropriate.

4.4 Privacy must be considered at the outset when designing a new activity (including new technologies) or when changing an existing activity or technology that involves personal information (for example, new forms, surveys, projects, apps, information systems, training modules or cloud storage).

4.5 A privacy impact assessment (PIA) must be completed where an activity poses a high risk to the privacy of individuals (refer Privacy impact assessments and When to conduct a PIA (SharePoint)).

Privacy Management Plan

4.6 UTS’s Privacy Management Plan (PMP) details UTS’s approach to the protection and management of personal information under the privacy laws (refer Definitions). The PMP is reviewed on an annual basis to ensure currency and is publicly available on the UTS website (refer Privacy regulations).

Collecting personal information

4.7 Personal information must only be collected: 

1. for a lawful purpose that aligns with UTS’s object and functions under the University of Technology Sydney Act 1989 (NSW), and
2.  where it is approved by the relevant data steward.

4.8 Requests for information must not be excessive or unreasonably intrusive. Only information that is relevant and necessary for the required purposes can be collected.

4.9 Collection activities must be transparent and must be accompanied by a relevant and up-to-date privacy notice.

4.10 Personal information must be collected directly from the individual:

1. unless the individual has consented to the collection from another party, or
2. where consent is unreasonable or impractical to obtain in the circumstances.

4.11 A data steward must approve the collecting of information where consent is unreasonable or impractical to obtain (refer Collecting information (SharePoint)).

Storage, security and access

4.12 Personal information is held by the university if: 

1. UTS is in possession or control of the information, and/or 
2. the information is in the possession or control of UTS staff or affiliates in the course of their duties, regardless of their physical location.

4.13 Personal information held by UTS must be stored securely and shared only where appropriate and permitted via secure methods and in line with the Records Management Policy, the Data Governance Policy and the Information Security Policy using UTS approved information systems.

4.14 Access to personal information may only be provided to specific staff, students or affiliates where such access is required for a legitimate purpose and to support the business of the university. It is a breach of this policy (and privacy laws) to access the personal information of others for any other reason or for unauthorised or illegitimate purposes.

4.15 Access to sensitive personal information (including health information) must be limited to staff with a genuine requirement to have access to the information (for example, for a business or administrative process).

Use and disclosure

4.16 Reasonable processes must be in place to ensure the accuracy of personal information before it is used or disclosed.

4.17 Personal information may only be used or disclosed for the purpose for which it was collected or for a directly related purpose (that could reasonably be expected by the individual) or where: 

1. consent has been received from the individual for the additional use or disclosure 
2. it is necessary in an emergency situation (refer Privacy in emergency situations (SharePoint)) 
3. it is required or permitted by law, or 
4. otherwise permitted under IPPs or HPPs, or a valid exemption applies in line with this policy.

4.18 Disclosure under statement 4.17 excludes sensitive personal information. Sensitive personal information may only be disclosed with consent or in an emergency situation.

4.19 Jurisdictions outside New South Wales are subject to different privacy laws. Where personal information may be disclosed or transferred outside NSW, or to a Commonwealth agency as part of a UTS activity, the data steward must complete a PIA in advance of any planned disclosure or transfer to ensure that all privacy impacts are assessed and addressed (refer Privacy impact assessments (SharePoint)).

4.20 To comply with the HPPs, UTS may apply unique identifiers (such as ID numbers or codes) to an individual’s health information to control records and enhance privacy protections.

Data retention

4.21 Personal information may only be retained for as long as it may legally be used. This retention period is determined by: 

1. the purpose(s) for which the information was collected 
2. any relevant consent provided, and 
3. the legal retention requirements under the State Records Act 1998 (NSW) or other legislation relevant to the purpose or activity (refer Records Management Policy).

4.22 All information systems holding personal information must have a data retention plan developed and implemented in line with the Records Management Policy.

Service providers and other external parties

4.23 Where UTS engages with a vendor, service provider or other external party (hereafter external party), and where that engagement involves the collection, storage, use and/or disclosure of personal information by the external party, it is the responsibility of the relevant data steward to ensure that:

1. a privacy impact assessment is conducted in advance of the engagement
2. relevant privacy and information management obligations are imposed on the external party through an enforceable contract equivalent to the requirements outlined in this policy, and
3. the external party’s compliance with privacy and information management obligations in the contract is monitored to ensure the external party is meeting its contractual obligations.

Individual rights

4.24 An individual has a right to:

1. know what personal information is held about them and why the information is held
2. request access to their personal information (refer Accessing your information)
3. request that inaccurate or out-of-date personal information be amended, updated or corrected or that their information be deleted (refer Amending inaccurate information), and
4. where consent has been given, withdraw their consent as easily as it was granted (this includes any request to restrict or stop information from being processed further).

4.25 Data stewards must ensure requests for information are actioned appropriately and in line with this policy (refer Requests from individuals (SharePoint)).

Data breaches

4.26 A suspected or actual data breach involving personal information must be reported, responded to immediately and managed in line with the Data Breach Policy and, where it is part of a public interest disclosure, the Whistleblowing and Public Interest Disclosures Policy.

Complaints and privacy internal reviews

4.27 An individual can make a privacy-related complaint or raise a privacy issue or concern with the relevant area responsible for the activity or with the UTS Privacy Officer (refer Privacy contacts).

4.28 Staff who receive a privacy-related complaint must ensure that the complaint is managed as soon as practicable in line with the Staff Complaints Policy and the Student Complaints Policy as appropriate. Further guidance is available at Handling privacy complaints (SharePoint).

4.29 A privacy complaint may need to be managed as a privacy internal review under PPIPA. Where the complaint contains the following it must be referred immediately to the UTS Privacy Officer: 

1. is made in writing and addressed to UTS 
2. includes an Australian address for correspondence with the complainant, and 
3. is lodged within 6 months of the alleged conduct with enough information about the conduct for it to be investigated.

Exemptions

4.30 Exemptions to the privacy requirements outlined in this policy and its associated guidance may only be requested and approved where appropriate and in line with the exemption provisions in the privacy laws.

Policy breaches

4.31 Breaches of this policy by staff or affiliates will be managed under the Code of Conduct, relevant contract of employment and/or the relevant Enterprise agreements.

4.32 Breaches of this policy in relation to research data (that constitute a research integrity breach) will be managed in line with the Research Policy.

4.33 Breaches of this policy by students will be managed in line with the Student Rules and the Student Rights and Responsibilities Policy as appropriate.

5. Roles and responsibilities

5.1 Policy owner: The Director, Governance Support Unit (GSU) is responsible for policy enforcement and compliance, general oversight of records, information and privacy management at UTS, including the management of data breaches under the Data Breach Policy. The Director, GSU is also responsible for:

1. privacy-related statutory reporting requirements
2. delegating and resourcing the role of UTS Privacy Officer
3. overseeing and deciding the outcome of privacy internal reviews conducted under PPIPA, and
4. approving and publishing the Privacy Management Plan (available at Privacy regulations).

5.2 Policy contact: The UTS Privacy Officer is responsible for:

1. approving and disseminating procedures and guidelines to implement and support compliance with this policy (at a university-wide level or activity basis as appropriate)
2. establishing the privacy processes and activities in line with this policy
3. providing privacy training (available via Neo HR system) and other relevant awareness and education activities
4. providing advice on privacy requirements, risks and issues
5. assisting with and providing advice as part of a privacy impact assessment
6. investigating privacy internal reviews and related complaints and referring outcomes to the Director, GSU
7. appointing a privacy contact officer to assist in these duties as required.

5.3 Implementation and governance roles:

Data stewards are responsible for: 

1. approving the disclosure of information other than disclosure in emergency situations (a data steward may authorise (under procedures or in a position description) this function to a specific staff position or role) 
2. ensuring privacy impact assessments on new and/or high-risk activities under their stewardship are undertaken (this includes managing any associated risk and controls applied to address those risks that arise from a PIA) 
3. providing appropriate training and education programs for all staff regarding the privacy requirements of their specific faculty or unit activities, and 
4. approving information collection activities and processes, including acceptable use of the information collected.

Data stewards, deans, directors and heads of areas are responsible for:

1. advocating good privacy practices and ensuring staff are aware of their privacy obligations
2. ensuring staff have completed any required privacy training
3. ensuring privacy is addressed in business process procedures where relevant, and
4. dealing appropriately with informal privacy complaints in consultation with the UTS Privacy Officer.

Staff and affiliates who supervise student research activities (including graduate research) are responsible for ensuring that students are informed of their obligations under this policy and privacy laws.

All staff, students and affiliates are responsible for: 

1. being aware of their privacy obligations and responsibilities 
2. completing any required privacy training, and 
3. handling personal information in line with this policy whether working or studying on or off-campus or when using personal devices or UTS IT resources.

6. Definitions

These definitions apply for this policy, the Privacy Management Plan and all associated procedures. Definitions in the singular include the plural meaning of the word.

Affiliate is defined in the Code of Conduct.

Consent means, for the purposes of this policy, the informed, specific and current permission received from an individual (who has the capacity to understand and provide it), allowing the university to undertake certain actions in relation to their personal information. Consent must be voluntary, informed, specific to the activity, current and provided freely with choice by an individual with capacity.

Data breach is defined in the Data Breach Policy.

Data steward is defined in the Data Governance Policy.

Disclosure means providing personal information to a third-party external to the university in circumstances where the information would not normally be accessible, and where UTS loses effective control of the information. Sharing personal information between business units of UTS is not considered a disclosure where it is required to conduct the legitimate business activities of the university for which the information has been collected.

Emergency situation means, in the context of this policy, either a serious and imminent threat to the life, health or safety of an individual, a serious threat to public health or public safety, or an emergency as defined under the State Emergency and Rescue Management Act 1989 (NSW).

Health information is defined under section 6, HRIPA and is a subset of personal information that relates specifically to an individual’s health. Health information not only relates to data about the health of research participants or information held in medical records, it may also include information that relates to permanent or temporary physical or mental disabilities, workers compensation processes or accident reports, sick leave management, special considerations and other arrangements that relate to health issues.

Health Privacy Principles (HPPs) mean the principles under Schedule 1 of the HRIPA that define the legal obligations for collecting, storing, retaining, using and disclosing health information, use of identifiers, consent for linking health records in systems, and rights of access and accuracy. 

Information Protection Principles (IPPs) mean the principles under Part 2, Division 1 of the PPIPA that define the legal obligations for collecting, storing, retaining, using and disclosing personal information, restrictions on disclosing sensitive personal information, and rights of access and accuracy. 

Information system is defined in the Data Governance Policy.

Personal information is information as defined under section 4, PPIPA. Personal information refers to information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion, irrespective of whether the information is recorded in a material form or not, and including information or an opinion forming part of a database.

For the purposes of this policy ‘personal information’ includes ‘sensitive personal information’ and ‘health information’ unless otherwise specified.

Privacy impact assessment (PIA) means the formal assessment of an activity to identify the impact it may have on the privacy of individuals and how to mitigate any risks to privacy associated with the activity and ensure compliance with relevant legislation. 

Privacy internal review means a review of conduct against relevant IPPs or HPPs under PPIPA or HRIPA that is triggered in response to a formal privacy complaint that satisfies the requirement to conduct a privacy internal review under Part 5 of PPIPA. 

Privacy laws means, for the purposes of this policy, the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) and the Health Records and Information Privacy Act 2002 (NSW) (HRIPA). Other privacy legislation may be applicable and included in the term where relevant, including, but not limited to the Privacy Act 1988 (Cwlth) or relevant international privacy laws (including the European Union’s General Data Protection Regulation (GDPR) and the People's Republic of China’s Personal Information Protection Laws (PIPL)).

Sensitive personal information means a subset of personal information about a person’s ethnic or racial origin, sexual activities, religious or philosophical beliefs, political opinions or trade union membership (refer section 19, PPIPA) and biometric information that may be used for verification or identification purposes and biometric templates.

Approval information

Policy contact	UTS Privacy Officer
Approval authority	Vice-Chancellor
Review date	2028
File number	UR17/4140
Superseded documents	Privacy Vice-Chancellor’s Directive (UR14/558)

Version history

Version	Approved by	Approval date	Effective date	Sections modified
1.0	Vice-Chancellor	20/12/2017	03/04/2018	New policy.
2.0	Vice-Chancellor	17/05/2021	28/05/2021	Amendments as a result of a scheduled three-year review and to reflect updates resulting from the Policy Impact Project (2020) and references to European Union’s General Data Protection Regulations and clarification of the role of data stewards.
2.1	Vice-Chancellor	27/10/2021	01/11/2021	Changes to reflect portfolio realignment under Fit for 2027 project and updated data breach response plan.
2.2	Vice-Chancellor	07/03/2022	09/03/2022	Changes to the definition of emergency situation to meet requirements of the State Emergency and Rescue Management Act 1989 (NSW).
2.3	Director, Governance Support Unit (Delegation 3.14.1)	16/03/2023	09/06/2023	Minor update to reflect the new Artificial Intelligence Operations Policy.
2.4	Director, Governance Support Unit (Delegation 3.14.1)	08/09/2023	30/09/2023	Changes resulting from the development of the Whistleblowing and Public Interest Disclosures Policy.
3.0	Vice-Chancellor	09/11/2023	23/11/2023	Full review.

References

Code of Conduct

Data Breach Policy

Data Governance Policy

Enterprise agreements

European Union’s (EU) General Data Protection Regulation (GDPR)

Health Records and Information Privacy Act 2002 (NSW) (HRIPA)

Information Security Policy

Privacy Act 1988 (Cwlth)

Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA)

Privacy at UTS (and Privacy contacts)

Privacy hub (SharePoint)

Privacy impact assessments (SharePoint)

Privacy Management Plan (available at Privacy regulations)

Records Management Policy

Requests for access to information (SharePoint)

Requests to correct or delete information (SharePoint)

State Emergency and Rescue Management Act 1989 (NSW)

University of Technology Sydney Act 1989 (NSW)

Whistleblowing and Public Interest Disclosures Policy