The University of South Australia (University) ABN 37 191 313 308 is committed to:
regardless of whether the personal information relates to staff, students, contractors or visitors.
The University will comply with any applicable mandatory data breach notification requirements.
This policy applies to the entire University. This policy may be amended by the University. It is a general policy which contains the broad privacy framework in which the University operates.
This policy must be read in conjunction with any supplementary privacy policies which the University may introduce or vary from time to time.
This policy must also be read in conjunction with any procedures that the University may introduce from time to time relating to privacy. Privacy procedures contain the administrative steps necessary for the practical implementation of this policy. This will include matters such as the necessary form to be completed to access personal information and the fees which are payable in relation to certain requests.
What is "information" or a "record"?
"Information" and "records" are information in electronic or hard copy form. It includes pictures and databases. Importantly, this policy will not extend to information or records that are publicly available, or would constitute an "employee record" as defined by the Privacy Act.
What is "personal information"?
Personal information is information that identifies a particular individual. A person does not have to be mentioned by name for information to be "personal information". A record or information will contain personal information if an individual can be "reasonably identified" from the record or information. Personal information can include information and opinions, regardless of whether the information is true or not.
What is "sensitive information"?
Sensitive information is an important type of personal information. Sensitive information is personal information relating to an individual's:
Sensitive information also includes information relating to:
What are the Australian Privacy Principles (APPs)?
The University has modelled this policy and its related procedures on the APP. The APP, and how they are applied by the University, are set out below.
The University will only collect and hold personal information if:
It is necessary for the University to collect personal and sensitive information in both physical records and electronic files. The University collects personal information in a number of ways, including:
When it is not practicable or reasonable to obtain personal information from the individual to whom the information relates, personal information may be obtained from someone other than that individual to whom the information relates. If this occurs, the University will take reasonable steps to ensure that the individual is made aware that the personal information was obtained from a third-party, and why this was necessary and reasonable in the circumstances.
The University will deal with unsolicited personal or sensitive information in accordance with the APP. This will ordinarily include destroying the information or ensuring it is de-identified where it is reasonable to do so.
What types of personal information does the University collect?
An institution the size of the University collects a significant amount of personal information. Personal information collected by the University may include:
An individual has the right to refuse to provide personal information to the University. However, if an individual exercises this right of refusal, it may affect the University's ability to meet its obligations to that individual or to a third-party, such as a government agency.
The University will only solicit and collect sensitive information if:
The University will collect sensitive information where the information is necessary for a relevant function or activity. Examples of a relevant function or activity include (are but not limited to):
The University may also collect sensitive information about an individual in order to comply with the University's obligations under Australian law, including but not limited to:
At or before the time the University collects personal information, the University will take all reasonable steps to:
The matters which the University must notify to the individual are, for the most part, addressed elsewhere in this policy. For completeness, these matters include:
Use of Personal Information
Examples of the way in which personal information may be used to carry out the University's functions, activities and statutory obligations may include:
Disclosure of Personal Information
The primary purpose for using or disclosing an individual's personal information will include:
The University will take reasonable steps to ensure that personal information is not disclosed to a third-party, except in certain permitted situations. These include:
o disclosing personal information to a government department, such as the Australian Tax Office;
o disclosing personal information where required by the Higher Education Support Act 2003 (Cth); and
Where the University does provide personal information to a third-party within Australia, the University will take all reasonable steps to ensure that the third-party is fully compliant with the APP.
To avoid doubt, third-parties in Australia may include:
o contracted teaching staff;
o information technology service providers, including cloud service providers;
o counsellors and other health practitioners; and
o external business advisors, including auditors and lawyers.
There are also a limited number of exceptions in which the Privacy Act permits the use or disclosure of information without an individual's consent. An example of this is where the use or disclosure is necessary to prevent a serious and imminent threat to any person's life, health or safety or a serious threat to public health or safety, which need not be imminent.
The University will, on occasion and where reasonable and appropriate, use personal information in direct marketing. Direct marketing may occur by mail, email, SMS or telephone.
Where the direct marketing is transmitted electronically or by telephone, the University will at all times comply with any applicable laws including the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).
Direct marketing will ordinarily be directed to:
but may be directed to any other person where the marketing is conducted in accordance with this Policy.
Direct marketing will only occur if:
Direct marketing, as it relates to sensitive information, will be identical to that set out above for broader personal information, save and except for the University obtaining the express consent of the individual concerned to use or disclosure the sensitive information for a particular purpose.
The University may use information gathered about your access to our website, in order to customize, tailor and send personalized advertising to you. This information may be shared with third party marketing providers, such as Google Inc or AdRoll, who deliver advertising content to you on other websites.
An example of this is Google AdWords Remarketing, which the University uses to advertise across the internet. Google Adwords will display relevant advertisements which are tailored to you, based on those parts of our website that you have viewed (by placing a cookie on your machine).
Due to the national and international scope of its operations, it is not reasonably practicable to list all of the countries to which the University may transmit personal information overseas. The countries in which such recipients are likely to be located include, but are not limited to, the United States, the Netherlands, Singapore and Hong Kong. If you are an international student, then disclosure may also be made to your home country and, if an agent was involved in your application to the University who is located in another country, disclosure may also be made to that country.
However, if it is necessary to disclose personal information overseas, such as in the case of an international exchange program, the actual consent of the individual will, wherever practicable, be sought before the information is disclosed.
If it is not reasonably practicable to obtain the consent of the individual concerned, the person transmitting the information must satisfy themselves, before sending the personal information, that:
For the avoidance of doubt, where a cross-border disclosure occurs, the disclosure will be limited to the purpose for which it was originally intended, for example, for transmitting the contact details of a transferring student to an overseas educational institution.
The University may, from time to time, utilise marketing and survey services provided by third parties located offshore, such as:
Where this occurs, the disclosure will be for the purpose of marketing the University's products and services to students or prospective students/applicants, and individuals will be provided with a simple means of opting out of the University's marketing communications (which means will be drawn to the individual's attention).
The University will take all reasonable steps to ensure the personal information it collects, uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the collection, use or disclosure.
The individual providing the personal information, to the University, must also ensure that the personal information is both relevant and accurate.
The University will take reasonable steps to protect personal information it holds from:
The University has in place computer software and hardware that provides electronic protection of and/or prevents access to personal information from unauthorised persons, particularly from those individuals who are external to the University. Electronic protection will include:
The University also has in place documented record management procedures in relation to the collection, physical security and storage of hard copy records.
The University has in place systems to manage all personal information so that it is able to destroy or permanently de-identify personal information, wherever reasonable and practicable, that is no longer needed for any reason.
The University will deal with requests for access or correction, by an individual, of their personal information held by University, in accordance with this policy.
All requests must be made in writing, and in the appropriate form specified by the University from time to time.
On receipt of an application, and within a reasonable timeframe, the University will take reasonable steps to inform the individual who made the request:
The University will confirm with the individual whether they wish to have access to the personal information in question.
The University will ordinarily give an individual access to their personal information unless an exception applies. Exceptions include where:
The University reserves the right to charge a reasonable fee for providing access to the personal information, but not for making the application or correcting personal information held by the University. The University may withhold access to the personal information until the fee is paid.
If a request for access or correction is denied by the University it will, within a reasonable time period, provide the individual who made the request with a general, written explanation as to why the request was refused. The University must also take such steps, if any, as are reasonable in the circumstances to give access in a way that meets the needs of the University and the individual.
The University will be obliged, without an individual's request for correction, to correct inaccurate, out-of-date, incomplete, irrelevant or misleading personal information if the University is satisfied that, having regard to the purpose for which the personal information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If this occurs, the University must take all reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.
If an individual is of the view that their personal information requires correction, they should contact the Privacy Officer - Director Chancellery and Council Services listed below.
If an individual believes the University has breached this policy, please contact our Privacy Officer - Director Chancellery and Council Services by email at firstname.lastname@example.org or by mail to:
Privacy Officer - Director Chancellery and Council Services
GPO Box 2471
Adelaide SA, 5001
If you have any questions or require further information please contact our Privacy Officer - Director Chancellery and Council Services by e-mail at email@example.com.