Workplace Confidentiality Guidelines

The University recognises its responsibility to collect, manage, use and disclose personal information and to comply with legislative requirements and the UniSA Code of Ethical Conduct. The University respects the individual's right to privacy and undertakes to keep personal and sensitive information (refer to definitions below) in confidence.

According to the University's Code of Ethical Conduct, university staff must protect the confidentiality of information acquired in the course of their work. A staff member should not use or disclose any personal or sensitive information to a third party without specific authority unless use or disclosure is in the normal course of business within the University or there is a legal or professional duty to disclose the information.

Guidelines for staff with HR responsibilities

These Confidentiality Guidelines apply to all staff members with human resource (HR) responsibilities. These include People, Talent and Culture (PTC) staff, all Casual Administration System (CAS) Administrators and staff with business access to the human resource information system.

The Privacy Act 1988 contains a set of principles called the National Privacy Principles (NPPs). These principles provide definitions of personal and sensitive information as follows:

  • Personal Information – Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
  • Sensitive Information  Personal information about an individual's racial or ethnic origin, political opinion, membership of a political association, religious beliefs or affiliations, health status (either physical or emotional), disability, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, or criminal record.

For the purposes of these Guidelines, sensitive information also includes information associated with the employment relationship, e.g. type of employment, remuneration, leave, etc. In addition, this may be information relating to people management strategies, remuneration benchmarking information for Senior Management Group (SMG), etc. and may be in either hard copy or electronic form.

Collection of personal and sensitive information

The PTC Unit collects personal and sensitive information only where it is necessary for the human resource function or any related activity. This information should normally be solicited directly from the individual concerned. On joining the University your data is collected and continues to be managed in accordance with the Privacy Policy of the University. You will be advised at the time of collection whether provision of the information is compulsory and what other parties will have access to the information. If you have any concerns please contact your local PTC staff member.

The PTC Unit endeavours to ensure that personal and sensitive information collected is accurate, relevant, up-to-date, complete and not misleading and will take all reasonable steps to protect these records from misuse, loss, unauthorised access, modification or disclosure. In accordance with mutual obligation, staff members have the right of access to their personal information and to correct the information where relevant.

Storage of personal information

Any information that identifies a staff member is available only to PTC staff with appropriate authorisation on a restricted access basis. Access to records of personal information will be authorised by the Executive Director: PTC. Only staff members who require the information in order to carry out their duties and responsibilities will have permission to access personnel files.

According to Records Management Guidelines, one single personnel file must be generated and maintained for the expected life of the person. Paper-based personnel files are entered on the University's Filemaster database and a barcode is allocated. The staff member's name, position and year of birth are recorded. The files should be maintained for 75 years after the date of birth or seven years after separation from the University, whichever is longer. Following a staff member's separation from the University, personnel files should be forwarded to the Records Management Officer for archiving. The University may also retain an electronic personnel file which will also be held in accordance with the requirements of the State Records Act.

Personnel files for members of senior management are kept in the PTC Unit with restricted access.

Guidelines for good practice in protecting the privacy of University staff

The following are practical, everyday work practices that human resource practitioners should apply in ensuring confidentiality in the workplace.

  • Familiarise yourself with the National Privacy Principles (NPPs) of the Privacy Act 1988
  • Workstation screensavers should be set for activation after five minutes
  • Computers should be shut down when leaving your desk for the day
  • Hard copies of confidential information should be maintained in secure folders and not left at unattended workstations
  • Filing cabinets or drawers containing confidential information located at individual work stations are to be locked when not in use and when the staff member is away from their workstation
  • Confidential storerooms are to be locked at all times when not in use
  • Maintain awareness when having confidential telephone conversations, or impromptu meetings at workdesks (where possible meeting rooms are to be utilised)
  • Do not discuss any matter relating to personal staff information in social environments
  • Printed information should be collected as quickly as possible or locked print should be selected for highly sensitive document production
  • Confidential information that must be retained should be archived as described previously. Information that is no longer required and can be destroyed, should either be shredded or placed in the Confidential Bin for confidential recycling