The University of South Australia (University) collects personal information about individuals for a range of purposes to enable it to carry out its functions.
Australian Privacy Principle 5 (APP5) requires the University to take reasonable steps to ensure that it notifies an individual of certain matters at the time it collects their personal information.
The University is required to provide similar notification to European Residents whose personal data it collects in accordance with Articles 12 to 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR).
The purpose of this privacy notice is to let visitors to the University's webpages know what information is collected about them when they visit the University's web pages.
Separate privacy notices may be provided to you in those circumstances where your personal information is being collected via a different method or in different circumstances.
Who collects your personal information, and who is the data controller for the purpose of the GDPR?
1. Your personal information is being collected by the University of South Australia (University). The University is also the data controller for the purposes of the GDPR, and can be contacted as follows:
(a) In writing: University of South Australia
Privacy Officer/Data Protection Officer
GPO Box 2471
Adelaide SA, 5001
(b) By telephone: 08 8302 0147
(c) By email: firstname.lastname@example.org
What personal information is collected?
2. The University does not collect or solicit any personal information via its web pages which might be unlawful, unnecessary, excessive or unrelated to its functions or activities.
3. Personal information collected by the University may include:
(a) name, gender and date of birth;
(b) photographs (ie physical likeness);
(c) emergency contact details;
(d) email address;
(e) social media account details;
(f) residential and postal address and telephone numbers;
(g) occupation and contact details;
(h) student application forms and supporting documentation, including information in respect of your parents' education and study;
(i) bank account or financial details (noting that the University will not keep credit card information on file and any printed information will be redacted);
(j) government related identifiers, such as Tax File Numbers and Commonwealth Higher Education Student Support Numbers;
(k) information received as part of the recruitment process if the individual applies for a position in the University;
(l) information regarding the use of University webpages, products, services and social media platforms/pages;
(m) academic records, transcripts, enrolment and assessment details;
(n) donor contact details and the details of any gifts made to the University; and
(o) passport and visa details.
4. Your personal information that the University may collect includes a sub-category of information known as "sensitive information" (also known as special category data for the purposes of the GDPR). Sensitive information/special category information may include information in respect of:
(a) health, genetics and biometrics;
(b) racial or ethnic origin;
(c) political opinions;
(d) membership of a political association;
(e) religious beliefs or affiliations;
(f) philosophical beliefs;
(g) membership of a professional or trade association;
(h) membership of a trade union;
(i) sexual orientation or practices;
(j) criminal record; and
(k) child related employment screening reports.
5. For the purposes of the APPs, the University may collect sensitive information/special category data where that sensitive information/special category data:
(a) is necessary for the University to perform a relevant function or activity; or
(b) must be collected in order to comply with the University's obligations under law.
6. For the purposes of the GDPR, sensitive information/special category information will only be collected, used and stored where:
(a) you have given explicit consent for the University to do so;
(b) it is necessary for the University to carry out its obligations in the fields of employment, social security or social protection law;
(c) the special category data has already been made public by you;
(d) it is necessary for the establishment, exercise or defence of legal claims;
(e) it is necessary to protect your vital interests where you are physically or legally incapable of giving consent;
(f) it is necessary for reasons of substantial public interest;
(g) it is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
(h) it is necessary for reasons of public interest in the area of public health; or
(i) it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
How is personal information collected?
7. The University will only collect your personal information by lawful and fair means.
8. The University will generally collect your personal information from you directly, unless:
(a) you consent to the collection of the information from someone else; or
(b) the University is required or authorised by law to collect the personal information from a third party; or
(c) it is unreasonable or impracticable to obtain the personal information from you directly.
9. There are a number of ways the University may collect your personal information, including:
(b) when you submit information to the University via online application, authorisation, registration or consent forms on its webpages; and
(c) when you request information from the University via online application, authorisation, registration or consent forms on its webpages.
Why does the University collect your personal information?
The University collects your personal information on the lawful basis that it:
(a) is necessary to perform its obligations under a contract with you;
(b) is performing a public task carried out in the public interest. This includes:
(i) to administer and manage processes which are key to the operations of the University, including admission, teaching, enrolment, scholarships and examinations;
(ii) to provide information in relation to the University's courses and facilities to students or prospective students;
(iii) to facilitate public health, scientific and historical research.
(c) is complying with the University's legal obligations. This includes:
(i) its mandatory reporting obligations to external government agencies such as Centrelink or the Australian Tax Office;
(ii) its obligations under the Higher Education Support Act 2003 (Cth);
(iii) its obligations under the Education Services for Overseas Students Act 2000 (Cth); and
(iv) to confirm your entitlement to Commonwealth assistance.
(d) is pursuing the University's legitimate interests. This includes:
(i) communicating with you in respect of your enrolment, as well as other courses, events, and services offered by the University that may be of interest to you;
(ii) to assist in the collection of fees, charges and general financial management of the University;
(iii) to conduct market research in relation to the University;
(iv) to collate the information necessary for the University to review its existing programs, courses, facilities and resources that it provides to staff and students;
(v) to collate contact details for all University employees, adjuncts, students, visitors, alumni, graduates, donors and corporate stakeholders;
(vi) to facilitate alumni relations;
(vii) to facilitate the solicitation of donations;
(viii) to facilitate fundraising efforts;
(ix) to conduct market research in relation to the University;
(x) to operate and maintain its information technology systems; and
(xi) to facilitate public health, scientific and historical research.
What will happen if the University does not collect your personal information?
10. You may elect not to provide the University with your personal information. However, if you choose to do so, the University may be restricted (if not rendered completely incapable) in its capacity:
(a) to facilitate your enrolment;
(b) to provide you with educational services, support and Commonwealth assistance; or
(c) in the case of donors, to provide you with a consolidated receipt for any donations made to the University.
To whom will the University disclose your personal information?
11. If the University collected your personal information for a particular purpose (the primary purpose), the University will not use or disclose this information for another purpose (the secondary purpose), unless:
(a) you consented to the use or disclosure of the information; or
(b) you would reasonably expect the University to use or disclose the information for the secondary purpose.
12. The University will take reasonable steps to ensure that personal information is not disclosed to a third-party, except in certain permitted situations. These include:
(a) where the University obtains the individual's consent;
(b) where it is necessary to provide that information to a third-party who provides services to the University;
(c) where the disclosure is required or authorised by law or regulatory obligations, such as its disclosure obligations to the ATO, as well as those under the Higher Education Support Act 2003 (Cth); or
(d) any other circumstance permitted by the APP.
13. Third parties in Australia to whom the University may disclose your personal information may include:
(a) government departments and agencies, including any relevant professional registration bodies/boards;
(b) in relation to employment applications, external selection panel members; and
(c) contracted service providers including:
(i) contracted teaching staff;
(ii) information technology service providers, including cloud service providers;
(iii) counsellors and other health practitioners; and
(iv) external business advisors, including auditors and lawyers.
14. Third parties outside of Australia to whom the University may disclose your personal information include:
(a) information technology service providers, including cloud service providers; and
(b) third party marketing providers, including Google, Facebook and AdRoll.
Overseas disclosure of your personal information
15. If it becomes necessary for the University to disclose personal information to an overseas recipient outside of Australia, the actual consent of the individual will, wherever practicable, be sought before the information is disclosed.
16. If it is not reasonably practicable to obtain the consent of the individual concerned, the person transmitting the information must satisfy themselves, before sending the personal information, that:
(a) the recipient of the personal information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APP would protect the information if it were to apply; and
(b) there are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme.
17. For the avoidance of doubt, where a cross-border disclosure occurs, the disclosure will be limited to the purpose for which it was originally intended.
18. If it becomes necessary for the University to disclose the personal information of European residents to a recipient outside of the European Union, it will only do so where:
(a) the foreign jurisdiction governing a third party has been assessed as "adequate" in terms of data protection in accordance with the GDPR;
(b) sufficient safeguards (such as a binding contract or corporate rules or any other safeguards prescribed by the GDPR) have been put in place; or
(c) an exception listed in the GDPR applies.
Storage and Security of Information
19. The University has in place:
(a) computer software and hardware that provides electronic protection of and/or prevents access to personal information from unauthorised persons, particularly from those individuals who are external to the University. Electronic protection measures include mandatory password protection on computers, as well as firewall and antivirus software; and
(b) documented record management procedures in relation to the collection, physical security and storage of hard copy records.
20. Generally, subject to your right to erasure, personal information retained by the University will be stored for as long as the University requires it to carry out the purpose for which the data was collected, following which time it will be either destroyed or anonymised.
21. The University reserves the right to retain the personal information of European Residents which it holds for the following purposes indefinitely:
(a) archiving purposes in the public interest;
(b) scientific or historical research purposes; or
(c) statistical purposes.
22. In the event that the University engages a data processor to process the personal information of European residents on the University's behalf, it will only do so if that data processor has provided the University with sufficient guarantees that it will implement appropriate technical, contractual and organisational measures that ensure compliance with the GDPR, and the protection of the personal information of European residents.
Access and correction of your personal information
23. An individual may request access to their personal information, or request that it be corrected.
24. All requests must be made in writing, and in the appropriate form specified by the University from time to time.
25. In the event that the University is satisfied that the personal information it holds is inaccurate, out-of-date, incomplete, irrelevant or misleading, it will take all reasonable steps to correct that information to ensure that it is accurate, up-to-date, complete, relevant and not misleading.
26. On receipt of an application for access, and within a reasonable timeframe, the University will take reasonable steps to inform the individual who made the request:
(a) what personal information the University holds in relation to that individual;
(b) why the personal information is held;
(c) how the University collects (or collected), holds (or held), uses (or used) and discloses (or disclosed) the personal information.
27. The University will generally grant an individual access to their personal information unless an exception applies. Exceptions include where:
(a) giving access would have an unreasonable impact on the privacy of other individuals;
(b) the request for access is frivolous or vexatious;
(c) the request is manifestly unfounded or excessive (taking into account whether the request is repetitive in nature); or
(d) the access would be unlawful.
28. The University will not impose a fee for making an access or correction request in the first instance.
29. The University may charge a reasonable fee for the administrative costs it incurs as a result of providing access to the personal information (particularly where a request is manifestly unfounded or excessive). These administrative costs include:
(a) staff costs in searching for, locating and retrieving the requested personal information, and deciding which personal information to provide to the individual;
(b) staff costs in reproducing and sending the personal information;
(c) costs of postage or materials involved in giving access;
(d) costs associated with using an intermediary.
30. If a request for access or correction is denied by the University it will, within a reasonable time period, provide the individual who made the request with a general, written explanation as to why the request was refused.
Additional rights of European Residents under the GDPR in respect of their personal information
31. In addition to the protections afforded under the Privacy Act and the APPs, if you are a European resident, you have a number of additional rights under the GDPR, including:
(a) the right to receive personal data you have provided to us in a structured, commonly used and machine readable format, including the right to request that we transmit this data directly to another data controller;
(b) the right to restrict the processing of your personal data in certain circumstances. This means that you can limit the way that we use your data (this right is an alternative to requesting the erasure of your data); and
(c) the right to require us to erase your data in certain circumstances.
32. If you wish to exercise these rights, please contact the Data Protection Officer.
Status of your consent
34. Alternatively, you will have the opportunity to withdraw your consent each time you are sent a new communication piece, including emails, letters and phone calls.
35. The withdrawal of your consent does not affect the lawfulness of the manner in which your personal information was handled/processed before your consent was withdrawn.
Privacy complaints and concerns
36. If you wish to make a complaint about the way the University has handled your personal information under the Privacy Act or APPs, please contact the University's Privacy Officer by email to email@example.com, or by mail directed to:
(a) Privacy Officer
GPO Box 2471
Adelaide SA, 5001
37. You may also lodge a complaint with the Office of the Australian Information Commissioner.
38. If you are a European resident, please contact the University's Privacy Officer (who is also the University's Data Protection Officer for the purposes of the GDPR) by email at firstname.lastname@example.org, or by mail directed to:
(a) Privacy Officer
GPO Box 2471
Adelaide SA, 5001
39. You can also lodge a complaint with the relevant supervisory authority in your jurisdiction.