Privacy Policy

  1. Purpose
  2. Application
  3. Definitions
  4. Policy
  5. Complaints
  6. More Information


The University of South Australia (University) ABN 37 191 313 308 is committed to:

  • protecting the individual's right to privacy in relation to the collection, management, storage, use and disclosure of personal information; and
  • ensuring the accuracy and security of any personal information it holds in relation to individuals;

regardless of whether the personal information relates to staff, students, contractors or visitors.

The University will comply with any applicable mandatory data breach notification requirements.

The University is not an organisation covered by the Privacy Act 1998 (Cth) (Privacy Act). However, the University is committed to ensuring best practice in all respects, including privacy. This privacy policy is therefore compliant with the Australian Privacy Principles in the Privacy Act (APP).


This policy applies to the entire University. This policy may be amended by the University. It is a general policy which contains the broad privacy framework in which the University operates.

This policy must be read in conjunction with any supplementary privacy policies which the University may introduce or vary from time to time.

This policy must also be read in conjunction with any procedures that the University may introduce from time to time relating to privacy. Privacy procedures contain the administrative steps necessary for the practical implementation of this policy. This will include matters such as the necessary form to be completed to access personal information and the fees which are payable in relation to certain requests.


What is "information" or a "record"?

"Information" and "records" are information in electronic or hard copy form. It includes pictures and databases. Importantly, this policy will not extend to information or records that are publicly available, or would constitute an "employee record" as defined by the Privacy Act.

What is "personal information"?

Personal information is information that identifies a particular individual. A person does not have to be mentioned by name for information to be "personal information". A record or information will contain personal information if an individual can be "reasonably identified" from the record or information. Personal information can include information and opinions, regardless of whether the information is true or not.

What is "sensitive information"?

Sensitive information is an important type of personal information. Sensitive information is personal information relating to an individual's:

  • racial or ethnic origin;
  • political opinions;
  • membership of a political association;
  • religious beliefs or affiliations;
  • philosophical beliefs;
  • membership of a professional or trade association;
  • membership of a trade union;
  • sexual orientation or practices; and
  • criminal record.

Sensitive information also includes information relating to:

  • health;
  • genetics; and
  • biometrics.

What are the Australian Privacy Principles (APPs)?

The University has modelled this policy and its related procedures on the APP. The APP, and how they are applied by the University, are set out below.


Collection of Personal and Sensitive Information


The University will only collect and hold personal information if:

  • it is reasonably necessary for the University to conduct its functions and activities;
  • it is able to do so in a lawful, transparent and non-intrusive way; or
  • it is required to do so by law.

It is necessary for the University to collect personal and sensitive information in both physical records and electronic files. The University collects personal information in a number of ways, including:

  • directly from the individual for example through email, telephone or by the individual completing forms;
  • from third parties such as other educational institutions or government departments;
  • from the University's own records; and
  • through business development and marketing events.

When it is not practicable or reasonable to obtain personal information from the individual to whom the information relates, personal information may be obtained from someone other than that individual to whom the information relates. If this occurs, the University will take reasonable steps to ensure that the individual is made aware that the personal information was obtained from a third-party, and why this was necessary and reasonable in the circumstances.

The University will deal with unsolicited personal or sensitive information in accordance with the APP. This will ordinarily include destroying the information or ensuring it is de-identified where it is reasonable to do so.

What types of personal information does the University collect?

An institution the size of the University collects a significant amount of personal information. Personal information collected by the University may include:

  • name, gender and date of birth;
  • email address;
  • social media account details;
  • residential and postal address and telephone numbers;
  • student application forms and supporting documentation;
  • bank account or financial details;
  • government related identifiers, such as Tax File Numbers and Commonwealth Higher Education Student Support Numbers;
  • information received as part of the recruitment process if the individual applies for a position in the University;
  • information regarding the use of University websites and webpages, products, services and social media platforms/pages;
  • academic records, transcripts, enrolment and assessment details; and
  • passport and visa details.

An individual has the right to refuse to provide personal information to the University. However, if an individual exercises this right of refusal, it may affect the University's ability to meet its obligations to that individual or to a third-party, such as a government agency.

 Sensitive Information

The University will only solicit and collect sensitive information if:

  • it is required to do so by law; or
  • it has the consent of the individual to whom the information relates, and it is reasonably necessary for the University to collect the sensitive information to enable it to carry out a relevant function or activity.

The University will collect sensitive information where the information is necessary for a relevant function or activity. Examples of a relevant function or activity include (are but not limited to):

  • to provide a health service to the individual, including psychological and counselling services; or
  • qualification for scholarships, financial or other assistance which may be allocated by reference to matters which constitute sensitive information, such as cultural background.

The University may also collect sensitive information about an individual in order to comply with the University's obligations under Australian law, including but not limited to:

  • language or cultural background;
  • citizenship status;
  • status as an Indigenous Australian;
  • disability status; and
  • health information.

Notification of the Collection of Personal Information

At or before the time the University collects personal information, the University will take all reasonable steps to:

  • notify the individual of the matters referred to below; or
  • otherwise ensure that the individual is aware of the matters below.

The matters which the University must notify to the individual are, for the most part, addressed elsewhere in this policy. For completeness, these matters include:

  • the identity and contact details of the University;
  • if the University will collect personal information from someone other than the individual;
  • the fact that the University collects, or has collected, the information and the circumstances of that collection;
  • if the collection of personal information is required or authorised by law;
  • the purpose or reason why the University needs to collect the personal information;
  • the main consequences, if any, for the individual if all or some of the personal information is not collected by the University; and
  • any other third-party to which the University usually discloses personal information of the kind collected by the University.

Use and Disclosure of Personal Information

Use of Personal Information

Examples of the way in which personal information may be used to carry out the University's functions, activities and statutory obligations may include:

  • contact details for all staff, students, visitors and alumni;
  • to provide information in relation to the University's courses and facilities to students or prospective students;
  • collating the information necessary for the University to review its existing programs, courses, facilities and resources that it provides to staff and students;
  • to administer and manage processes which are key to the operations of an educational institution including admission, teaching, enrolment, scholarships and examinations;
  • to operate and maintain information technology;
  • general program and course administration;
  • to conduct market research in relation to the University;
  • financial management including the collection of fees and charges; and
  • mandatory reporting to external government agencies such as Centrelink or the Australian Tax Office.

Disclosure of Personal Information

The primary purpose for using or disclosing an individual's personal information will include:

  • to identify an individual and verify their identity;
  • to provide University services to an individual;
  • to do any of the things listed in the section of this Privacy Statement entitled "Use of Personal Information"; and
  • to communicate with an individual.

The University will take reasonable steps to ensure that personal information is not disclosed to a third-party, except in certain permitted situations. These include:

  • where the University obtains the individual's consent;
  • where it is necessary to provide that information to a third-party who provides services to the University. This is addressed in further detail below;
  • where the disclosure is required or authorised by law or regulatory obligations. Examples of this include:

    o disclosing personal information to a government department, such as the Australian Tax Office;
    o disclosing personal information where required by the Higher Education Support Act 2003 (Cth); and

  • any other circumstance permitted by the APP.

Where the University does provide personal information to a third-party within Australia, the University will take all reasonable steps to ensure that the third-party is fully compliant with the APP.

To avoid doubt, third-parties in Australia may include:

  • government departments and agencies; and
  • contracted service providers including

o contracted teaching staff;
o information technology service providers, including cloud service providers;
o counsellors and other health practitioners; and
o external business advisors, including auditors and lawyers.

There are also a limited number of exceptions in which the Privacy Act permits the use or disclosure of information without an individual's consent. An example of this is where the use or disclosure is necessary to prevent a serious and imminent threat to any person's life, health or safety or a serious threat to public health or safety, which need not be imminent.

Direct Marketing

The University will, on occasion and where reasonable and appropriate, use personal information in direct marketing. Direct marketing may occur by mail, email, SMS or telephone.

Where the direct marketing is transmitted electronically or by telephone, the University will at all times comply with any applicable laws including the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).

Direct marketing will ordinarily be directed to:

  • current or prospective students;
  • educational institutions who may, or are likely to have, an interest in the services the University has to offer; and
  • graduates and alumni;

but may be directed to any other person where the marketing is conducted in accordance with this Policy.

Direct marketing will only occur if:

  • the University has the consent of the individual or where otherwise permitted by law (including where the use or disclosure is necessary to meet a contractual obligation to the Commonwealth);
  • the individual would reasonably expect the University to use or disclose the personal information for that purpose, being direct marketing in relation to the services offered by a tertiary educational institution such as the University;
  • the University provides a simple and readily identifiable means by which the individual may refuse to receive direct marketing from the University (a refusal request);
  • the University provides a simple and readily identifiable means by which the individual may opt out from receiving direct marketing from the University which they had previously consented to receiving (an opt out request); and
  • the individual has not made an opt out or refusal request to the University.

Direct marketing, as it relates to sensitive information, will be identical to that set out above for broader personal information, save and except for the University obtaining the express consent of the individual concerned to use or disclosure the sensitive information for a particular purpose.

The University may use information gathered about your access to our website, in order to customize, tailor and send personalized advertising to you. This information may be shared with third party marketing providers, such as Google Inc or AdRoll, who deliver advertising content to you on other websites.

 An example of this is Google AdWords Remarketing, which the University uses to advertise across the internet. Google Adwords will display relevant advertisements which are tailored to you, based on those parts of our website that you have viewed (by placing a cookie on your machine).

 If you do not wish to receive personalized advertising content, please visit  (to opt out of Google's use of cookies) or either of  or  (to opt out of a third party's use of cookies).

Cross-border Disclosure of Personal Information

Due to the national and international scope of its operations, it is not reasonably practicable to list all of the countries to which the University may transmit personal information overseas. The countries in which such recipients are likely to be located include, but are not limited to, the United States, the Netherlands, Singapore and Hong Kong. If you are an international student, then disclosure may also be made to your home country and, if an agent was involved in your application to the University who is located in another country, disclosure may also be made to that country.

However, if it is necessary to disclose personal information overseas, such as in the case of an international exchange program, the actual consent of the individual will, wherever practicable, be sought before the information is disclosed.

 If it is not reasonably practicable to obtain the consent of the individual concerned, the person transmitting the information must satisfy themselves, before sending the personal information, that:

  • the recipient of the personal information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APP would protect the information if it were to apply; and
  • there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme.

For the avoidance of doubt, where a cross-border disclosure occurs, the disclosure will be limited to the purpose for which it was originally intended, for example, for transmitting the contact details of a transferring student to an overseas educational institution.

 The University may, from time to time, utilise marketing and survey services provided by third parties located offshore, such as:

  • Google Inc; and
  • Facebook Inc.

Where this occurs, the disclosure will be for the purpose of marketing the University's products and services to students or prospective students/applicants, and individuals will be provided with a simple means of opting out of the University's marketing communications (which means will be drawn to the individual's attention).

Quality and Security of Personal Information

The University will take all reasonable steps to ensure the personal information it collects, uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the collection, use or disclosure.

The individual providing the personal information, to the University, must also ensure that the personal information is both relevant and accurate.

The University will take reasonable steps to protect personal information it holds from:

  • misuse, interference and loss; and
  • from unauthorised access, modification or disclosure.

The University has in place computer software and hardware that provides electronic protection of and/or prevents access to personal information from unauthorised persons, particularly from those individuals who are external to the University. Electronic protection will include:

  • mandatory password protection on computers; and
  • firewall and antivirus software.

The University also has in place documented record management procedures in relation to the collection, physical security and storage of hard copy records.

The University has in place systems to manage all personal information so that it is able to destroy or permanently de-identify personal information, wherever reasonable and practicable, that is no longer needed for any reason.

Access to Personal Information

The University will deal with requests for access or correction, by an individual, of their personal information held by University, in accordance with this policy.

All requests must be made in writing, and in the appropriate form specified by the University from time to time.

On receipt of an application, and within a reasonable timeframe, the University will take reasonable steps to inform the individual who made the request:

  • what personal information the University holds in relation to that individual;
  • why the personal information is held;
  • how the University collects (or collected), holds (or held), uses (or used) and discloses (or disclosed) the personal information.

The University will confirm with the individual whether they wish to have access to the personal information in question.

The University will ordinarily give an individual access to their personal information unless an exception applies. Exceptions include where:

  • giving access would have an unreasonable impact on the privacy of other individuals;
  • the request for access is frivolous or vexatious; or
  • the access would be unlawful.

The University reserves the right to charge a reasonable fee for providing access to the personal information, but not for making the application or correcting personal information held by the University. The University may withhold access to the personal information until the fee is paid.

If a request for access or correction is denied by the University it will, within a reasonable time period, provide the individual who made the request with a general, written explanation as to why the request was refused. The University must also take such steps, if any, as are reasonable in the circumstances to give access in a way that meets the needs of the University and the individual.

Accuracy and Correction of Personal Information

The University will be obliged, without an individual's request for correction, to correct inaccurate, out-of-date, incomplete, irrelevant or misleading personal information if the University is satisfied that, having regard to the purpose for which the personal information is held, the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

If this occurs, the University must take all reasonable steps to correct that information to ensure that, having regard to the purpose for which it is held, the information is accurate, up-to-date, complete, relevant and not misleading.

If an individual is of the view that their personal information requires correction, they should contact the Privacy Officer - Director Chancellery and Council Services listed below.


If an individual believes the University has breached this policy, please contact our Privacy Officer - Director Chancellery and Council Services by email at or by mail to:

Privacy Officer - Director Chancellery and Council Services
GPO Box 2471
Adelaide SA, 5001


If you have any questions or require further information please contact our Privacy Officer - Director Chancellery and Council Services by e-mail at