The University of South Australia (University) ABN 37 191 313 308 is committed to:
regardless of whether the personal information relates to staff, students, contractors or visitors.
We are also required to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) to the extent that we collect the personal information of residents of the European Union. The University is a data controller for the purposes of the GDPR.
The University has modelled this policy and its related procedures on the APPs, as well as the requirements of the GDPR. The APPs, and how they are applied by the University, are set out below.
This policy must be read in conjunction with any supplementary privacy policies which the University may introduce or vary from time to time. This policy must also be read in conjunction with any procedures that the University may introduce from time to time relating to privacy. Privacy procedures contain the administrative steps necessary for the practical implementation of this policy. This will include matters such as the necessary form to be completed to access personal information and the fees which are payable in relation to certain requests.
"Information" and "records" are information in electronic or hard copy form. It includes pictures and databases. Importantly, this policy will not extend to information or records that are publicly available, or would constitute an "employee record" as defined by the Privacy Act.
Personal information is information that identifies a particular individual. A person does not have to be mentioned by name for information to be "personal information". A record or information will contain personal information if an individual can be "reasonably identified" from the record or information. Personal information can include information and opinions, regardless of whether the information is true or not. Personal information may also be referred to in this policy as personal data.
Sensitive information is an important type of personal information. Sensitive information is personal information relating to an individual's:
Sensitive information also includes information relating to:
Sensitive information may also be referred to in this policy as "special category data" for the purposes of the GDPR.
A data controller for the purposes of the GDPR means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal information.
A data processor means a natural or legal person, public authority, agency or other body which "processes" personal data on behalf of a data controller, and in accordance with the data controller's instructions.
For the purposes of the GDPR, a data subject is an individual who is physically located in the European Union at the time that their personal information is collected by the University. A person does not need to be a citizen of a European country in order to be considered a data subject. Throughout this policy we use the term "European Resident" to refer to a data subject.
For the purposes of the GDPR, a Member State refers to any one of the member states of the European Union.
The University will only collect and hold personal information if:
It is necessary for the University to collect personal and sensitive information in both physical records and electronic files. The University collects personal information in a number of ways, including:
When it is not practicable or reasonable to obtain personal information from the individual to whom the information relates, personal information may be obtained from someone other than that individual to whom the information relates. If this occurs, the University will, subject to any relevant laws, take reasonable steps to ensure that the individual is made aware that the personal information was obtained from a third-party, and why this was necessary and reasonable in the circumstances.
The University will deal with unsolicited personal or sensitive information in accordance with the APP. This will ordinarily include destroying the information or ensuring it is de-identified where it is reasonable to do so.
An institution the size of the University collects a significant amount of personal information. Personal information collected by the University may include:
An individual has the right to refuse to provide personal information to the University. However, if an individual exercises this right of refusal, it may affect the University's ability to meet its obligations to that individual or to a third-party, such as a government agency.
The University will only solicit and collect sensitive information if:
The University will collect sensitive information where the information is necessary for a relevant function or activity. Examples of a relevant function or activity include (but are not limited to):
The University may also collect sensitive information about an individual in order to comply with the University's obligations under Australian law, including but not limited to:
At or before the time the University collects personal information, the University will take all reasonable steps to:
The matters which the University must notify to the individual are, for the most part, addressed elsewhere in this policy. For completeness, these matters include, subject to any relevant laws:
The University collects the personal information on the lawful basis that it:
The primary purpose for using or disclosing an individual's personal information will include:
The University will take reasonable steps to ensure that personal information is not disclosed to a third-party, except in certain permitted situations. These include:
Where the University does provide personal information to a third-party within Australia in accordance with this policy, the University will take all reasonable steps to ensure that the third-party is fully compliant with the APP2.
To avoid doubt, third-parties in Australia may include:
Third parties outside of Australia to whom the University may disclose your personal information include:
There are also a limited number of exceptions in which the Privacy Act permits the use or disclosure of information without an individual's consent. An example of this is where the use or disclosure is necessary to prevent a serious and imminent threat to any person's life, health or safety or a serious threat to public health or safety, which need not be imminent.
The University will only process the special category data of data subjects to the extent that:
The University will, on occasion and where reasonable and appropriate, use personal information in direct marketing. Direct marketing may occur by mail, email, SMS or telephone.
Where the direct marketing is transmitted electronically or by telephone, the University will at all times comply with any applicable laws including the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).
Direct marketing will ordinarily be directed to:
but may be directed to any other person where the marketing is conducted in accordance with this Policy.
Direct marketing will only occur if:
Direct marketing, as it relates to sensitive information, will be identical to that set out above for broader personal information, save and except for the University obtaining the express consent of the individual concerned to use or disclose the sensitive information for a particular purpose.
Due to the national and international scope of its operations, it is not reasonably practicable to list all of the countries to which the University may transmit personal information overseas. The countries in which such recipients are likely to be located include, but are not limited to, the United States, the Netherlands, Singapore and Hong Kong. If you are an international student, then disclosure may also be made to your home country and, if an agent was involved in your application to the University who is located in another country, disclosure may also be made to that country.
However, if it is necessary to disclose personal information overseas, such as in the case of an international exchange program, the actual consent of the individual will, wherever practicable, be sought before the information is disclosed.
If it is not reasonably practicable to obtain the consent of the individual concerned, the person transmitting the information must satisfy themselves, before sending the personal information, that:
For the avoidance of doubt, where a cross-border disclosure occurs, the disclosure will be limited to the purpose for which it was originally intended, for example, for transmitting the contact details of a transferring student to an overseas educational institution.
The University may, from time to time, utilise marketing and survey services provided by third parties located offshore, such as:
Where this occurs, the disclosure will be for the purpose of marketing the University's products and services to students or prospective students/applicants, and individuals will be provided with a simple means of opting out of the University's marketing communications (which means will be drawn to the individual's attention).
The University may, from time to time, disclose the personal information of European Residents to third parties outside of the European Union. However, the University will only do so where:
a derogation or exception as listed in the GDPR applies.
The University will take all reasonable steps to ensure the personal information it collects, uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the collection, use or disclosure.
The individual providing the personal information to the University must also ensure that the personal information is both relevant and accurate.
The University will take reasonable steps to protect personal information it holds from:
The University has in place computer software and hardware that provides electronic protection of and/or prevents access to personal information from unauthorised persons, particularly from those individuals who are external to the University. Electronic protection will include:
The University also has in place documented record management procedures in relation to the collection, physical security and storage of hard copy records.
The University has in place systems to manage all personal information so that it is able to destroy or permanently de-identify personal information, wherever reasonable and practicable, that is no longer needed for any reason.
Generally, subject to your right to erasure, personal information retained by the University will be stored for as long as the University requires it to carry out the purpose for which the data was collected, following which time it will be either destroyed or anonymised.
The University reserves the right to retain the personal information of European Residents which it holds for the following purposes indefinitely:
The University will deal with requests for access or correction, by an individual, of their personal information held by University, in accordance with this policy.
All requests must be made in writing, and in the appropriate form specified by the University from time to time.
On receipt of an application, and within a reasonable timeframe, the University will take reasonable steps to inform the individual who made the request:
The University will confirm with the individual whether they wish to have access to the personal information in question.
The University will ordinarily give an individual access to their personal information unless an exception applies. Exceptions include where:
The University will not impose a fee for making an access or correction request in the first instance.
The University reserves the right to charge a reasonable fee for the administrative costs it incurs as a result of providing access to the personal information. Administrative costs that may be charged by the University include:
The University may withhold access to the personal information until the fee is paid.
If a request for access or correction is denied by the University it will, within a reasonable time period, provide the individual who made the request with a general, written explanation as to why the request was refused. The University must also take such steps, if any, as are reasonable in the circumstances to give access in a way that meets the needs of the University and the individual.
The University will be obliged, without an individual's request for correction, to correct inaccurate, out-of-date, incomplete, irrelevant or misleading personal information if the University is satisfied that, having regard to the purpose for which the personal information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If this occurs, the University must take all reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.
If an individual is of the view that their personal information requires correction, they should contact the Privacy Officer listed below.
In accordance with the NDB Scheme, in the event of a suspected data breach the University will:
If the University has reasonable grounds to believe that an "eligible data breach" has occurred, it will:
If the University is unable to locate the individual to whom the eligible data breach relates for the purpose of providing them with a copy of the OAIC Statement, a copy of the OAIC Statement will be posted on our website.
In accordance with the GDPR, the University will ensure that:
The University will keep a record of all personal data breaches, regardless of whether or not they need to be reported to the Supervisory Authority.
The University will not report a personal data breach in the event that, after conducting an assessment, we consider that the risk of harm to an individual's rights and freedoms is unlikely.
A "personal data breach" for the purposes of the GDPR includes, but is not limited to, whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable, for example, when it has been encrypted by ransomware, or accidentally lost or destroyed.
In addition to the protections afforded under the Privacy Act and the APPs, if you are a European Resident, you have a number of additional rights under the GDPR, including:
In the event that the University engages a data processor to process the personal data of European Residents on the University's behalf, it will only do so if that data processor has provided the University with sufficient guarantees that it will implement appropriate technical, contractual and organisational measures that ensure compliance with the GDPR, and the protection of the personal information of European Residents.
To the extent that the University engages a third party data processor, it will ensure that it enters into a written agreement with that data processor, which sets out, as a minimum, terms which require the processor to:
submit to audits and inspections, provide the University with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the University immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
The University uses a variety of different categories of cookies on its website. Each cookie has a specific purpose. Generally, the cookies used by the University can be split into two categories:
Essential cookies are those which are strictly necessary in order for the University's websites to operate/function effectively. Essential cookies do not generally collect your personal information.
All other cookies are non-essential, and may, in some cases, collect your personal information.
The cookies used by the University may be set by the University itself, or by third parties. The University uses the following non-essential cookies (some of which are set by third parties), for the following identified purposes:
You have the right to decide whether to accept or block cookies that we use on our website. However, please be aware that if all cookies are blocked (particularly any essential cookies), the functionality of our website may be impaired.
You can exercise your cookie preferences by adjusting your browser settings. The links below set out information about how to change your browser settings for some of the most commonly used web browsers:
You should be aware that most browsers automatically accept cookies. Therefore, if you do not wish cookies to be used, you may need to actively delete or block the cookies. If you reject the use of all cookies, you will still be able to visit our website but some of the functions may not work correctly.
To the extent that any cookies placed on the University's website by the University or a third party can uniquely identify a European Resident, the requirements of the GDPR will be adhered to. In particular, the University will ensure that:
You can opt out of the collection and use of your information for ad targeting. Mechanisms for exercising that choice are available at http://www.aboutads.info/choices and http://www.youronlinechoices.eu/.
If an individual has any questions or concerns, or believes the University has breached its obligations under the APPs or this policy generally, please contact our Privacy Officer, Director: Chancellery and Council Services by email at firstname.lastname@example.org or by mail to:
GPO Box 2471
Adelaide SA, 5001
If you are a European Resident and have any questions about the University's compliance with the GDPR, please contact the Privacy Officer, Director: Chancellery and Council Services (who is also the University's Data Protection Officer for the purposes of the GDPR) in the first instance.
Last updated 12 July 2018