Privacy complaints
Making a privacy complaint
If you believe your privacy has been breached, or have concerns regarding the management of your personal information, you can:
- attempt to resolve the matter with the relevant UTS area
- for student-related matters, make a complaint to the Student Complaints Resolution Office by completing the student complaints form on the student portal
- ask for an internal review.
In most cases, privacy complaints can be handled locally by the relevant UTS area, with the assistance of the Student Complaints Resolution Office, without the need to lodge an internal review. Students may also contact the Student Complaints Resolution Office for assistance.
If you've complained, and you're not satisfied with the outcome, you may request an internal review in relation to the conduct in question.
UTS takes any alleged breaches of privacy seriously and, where possible, will take appropriate action to rectify the situation quickly.
Requesting an internal review
An internal review is a formal process undertaken in accordance with section 53 of the Privacy and Personal Information Protection Act 1998 (NSW) to investigate a privacy-related complaint relating to conduct that involves personal information or health information.
Deadline to lodge an internal review request
You must lodge an internal review request within six months of the conduct in question.
UTS is not required to accept internal review requests outside this time, but may choose to consider late applications if there is an acceptable reason.
Lodging an internal review request
You should fill out the request for internal review form (PDF 846kB). This form is not mandatory but the same information will need to be provided in writing. By using this form you will be able to provide the necessary details to enable UTS to investigate the privacy complaint. Supporting documentation can be attached to provide further details, where required, including proof of identity.
Requests for an internal review must be lodged with the UTS Privacy Officer.
Further information
Contact the UTS Privacy Officer if you wish to lodge an internal review and would like advice about:
- whether the conduct you want reviewed relates to privacy
- the internal review process
- the information required to be provided in your application.
Internal review process
UTS undertakes internal reviews relating to privacy in line with the legislative requirements specified by the Information and Privacy Commission NSW in their Privacy internal review for agencies checklist.
The Information and Privacy Commission NSW page Complaints about the actions of agencies has further information about the university's internal review obligations.
Internal review officer
An internal review will usually be undertaken by the UTS Privacy Officer. However, if there is a potential conflict of interest, or the UTS Privacy Officer is unavailable, the Director, Governance Support Unit will appoint a different staff member to undertake the review.
Role of the NSW Privacy Commissioner
UTS must inform the NSW Privacy Commissioner about any internal review applications it receives and provide relevant documents, including the internal review application and the university’s draft and final internal review reports. The commissioner will be given the opportunity (before the internal review process is complete) to make a submission to UTS in relation to the conduct in question and UTS's findings in its draft final report.
Deadline for UTS to complete an internal review
UTS has 60 days from receipt of the internal review application to complete the internal review. UTS will inform the applicant of the outcomes of the internal review within 14 days of its completion. These deadlines may be extended by mutual agreement with the applicant.
If UTS has not completed its internal review by the required deadline, the applicant may lodge an appeal. See appealing an internal review decision.
How UTS conducts an internal review
A UTS internal review investigation relating to privacy will usually involve:
- an assessment of the information in question against the definitions of personal information or health information, as appropriate
- identifying the relevant Information Protection Principles (under Part 2 of the NSW Privacy and Personal Information Protection Act 1998) or the Health Privacy Principles (under Schedule 1 of the NSW Health Records and Information Privacy Act 2004), and assessing the conduct against the relevant principles. For more information go to the Information and Privacy Commission NSW Information Protection Principles for agencies and Health Privacy Principles for agencies
- a review of relevant information held in the university's recordkeeping systems, as well as business systems, network and email folders
- a review of relevant business processes, and
- interviews with relevant staff who may have been involved in the conduct in question or who provide or manage the related business process.
If the information being investigated is not considered personal or health information, the conduct in question will not be investigated further as part of a privacy internal review.
Appealing an internal review decision
If you are not satisfied with the outcome of your internal review request, you can appeal the conduct in question with the Administrative and Equal Opportunity Division of the NSW Civil and Administrative Tribunal (NCAT). You must apply to NCAT for a review within 28 calendar days of receiving notice about the decision.
Where an internal review is not completed within 60 days, the 28-day time limit to request an NCAT review starts from the later of the following two dates:
- the date the applicant was notified of the outcome of the internal review, or
- the day on which the 60-day internal review time limit expires.
For more information about applying for an NCAT review, go to NCAT: Application process.
The UTS Privacy Officer can also provide further information.
Note: In this section on privacy at UTS, the term ‘personal information’ refers to both personal and health information, unless specified otherwise. Both terms are explained in Privacy definitions.