Information Privacy Policy

Intent

To specify the right of access to, and amendment of, personal information collected by the University.

Scope

This policy applies to all University staff, students, contractors and other third party who collects or manages personal information on behalf of the University.

Definintions

RTI Act - Right to Information Act (Qld) 2009

IP Act - Information Privacy Act (Qld) 2009

Document - the Queensland Right to Information Act 2009 (RTI Act) defines a document as "a document, other than a document to which the RTI Act does not apply, in the possession, or under the control, of the University whether brought into existence or received in the University, and includes -

(a) a document to which the University is entitled to access and

(b) a document in the possession, or under the control, of an officer of the University in the officer's official capacity."

Documents may be in hard copy or electronic format and include files, reports, emails, correspondence, computer printouts, maps, plans, photographs, and audio and video recordings.

Administrative release - refers to access to information, in full or in part, in certain types of administrative or operational records. Such records are generally released as a matter of course, in response to a request, without the need for a formal application under legislative authority such as the RTI and IP Acts.

Policy

Background

The Information Privacy Act 2009 (IP Act) provides individuals with a legally enforceable right to access to, and amendment of, their own personal information held by the University, unless this would, on balance, be contrary to the public interest. James Cook University is defined as  a public authority under the IP Act and is therefor subject to the requirements of the Act.

Requests for non-personal information of for the personal information of others are dealt with under the terms of the Queensland Right to Information Act 2009, as outlined in the University's Right to Information Policy.

Collection and Management of Personal Information

JCU collects personal information to enable it to function effectively. Any personal information collected by the University is managed in accordance with the eleven Information Privacy Principles (IPPs) as set out in the IP Act. JCU is committed to an open environment which enables the general public, students and staff to access University documents that contain their own personal information without the need to make a formal IP Act request. In certain circumstances the University will release information administratively.

JCU collects the following types of personal information:

  • student records, such as enrolment, academic performance, graduation, welfare and equity group information;
  • employment records, such as recruitment and appointment, leave, payroll and superannuation information, performance management and discipline;
  • financial and business records, such as personal accounting information;
  • information technology records, such as internal and external telephone, email and internet activity records;
  • research participant records;
  • alumni and donor records;
  • library records; and
  • other records such as committee membership contact and personal details.

Day to day access to the personal information of others is restricted to staff in the organisational unit that requires access e.g. Human Resources staff have access to employment records.

Personal data will also be used to assist in the provision of the following activities and services:

  • education;
  • employment (references, sickness records);
  • research;
  • support services;
  • statutory, statistical and questionnaire returns;
  • alumni relations;
  • financial records; and
  • security and crime prevention.

JCU may in certain circumstances transfer personal information interstate or overseas e.g. information may be transferred off-shore for storage by contracted IT service providers. Where JCU transfers personal information interstate or overseas it will:

  1. comply with those provisions of the Queensland Information Privacy Act 2009 that relate to transborder data flows: and
  2. take all reasonable steps to ensure that third party service providers do not use or disclose transferred personal information for a purpose other than that for which it was collected by JCU. JCU will do this primarily by entering into legally binding contracts with service providers which require compliance with the Information Privacy Principles contained in the Information Privacy Act.

Release of Personal Information

The University has in place mechanisms and normal administrative practices to handle routine requests for access to information such as academic transcripts, or for alterations to information such as changes of address. Individuals wishing to obtain access to, or amend, information about themselves, should contact the relevant officer in the area in which the information is held or the Privacy Decision-Maker, Governance & Corporate Services, James Cook University, Townsville Qld 4811.

The personal information of staff and students will not be released without their written consent except in the following instances:

  1. where it is a matter of public record, (e.g. awards conferred);
  2. where it relates to a person's University contact details as provided through the JCU website;
  3. where requisite information is made available to professional regulatory bodies as part of the registration requirements of those bodies (e.g. state medical boards, teaching regulatory bodies);
  4. where a request is made in accordance with a legislative or statutory provision (e.g. requests by Centrelink, made under an Act or Statue, for details regarding the enrolment status of students;
  5. where an official written request has been received from a law enforcement agency in relation to a legal process;
  6. where a legally enforceable request or direction has bee received (e.g. subpoenas or writs issued by a court); or
  7. where disclosure is necessary to prevent or lessen a serious threat to a person's life, health, safety or welfare, or to public health, safety or welfare.

A record of all personal information released will be kept. Under the Information Privacy Act, an individual has the right of access to documents held by the University which contain that individual's personal information, and has the right to amend that information, if it is inaccurate, misleading, incomplete or out of date.

The Act provides that access to certain documents or to certain information contained in documents may be refused in order to protect public interests or the private or business affairs of others. A request to obtain access to documents which contain information about the private affairs of others will usually be refused.

The University may also refuse access to documents on the grounds that there would be a substantial and unreasonable workload in identifying, locating and collating the volume of documents in question.

If a request for access or amendment is refused, the University will give specific written reasons for the decision and advise the applicant of their rights to appeal against the decision.

Decision Making

The Vice-Chancellor is defined as the "principal officer" under the IP Act. The Vice-Chancellor has delegated the responsibility for determining he outcome of IP Act applications to the Manager, Governance Support and Corporate Information.

The Manger, Governance Support and Corporate Information and the Senior Records Coordinator are responsible for making decisions regarding release of documents within the time periods as set out in the Information Privacy Act and liaise with both prospective applicants and University units regarding access to documents.

Officers in charge of individual University units, or their Records Management Coordinators, are responsible for locating information held in their areas. If information cannot be located, a written explanation of what action was taken to locate the information will be provided to the Senior Records Coordinator.

The Director, Governance Services and University Secretary, as Internal Review Office, is responsible for the internal review of decisions made by the Manger, Governance Support and Corporate Information and the Senior Records Coordinator, if requested by the applicant.

Making Requests for Access to Personal Information

An IP Act request by a person, for access to their own personal information, must be made using hte appropriate form. An applicant should obtain an application from the Corporate Information webpage and post or deliver the application to:

     The Senior Records Coordinator,

     Governance and Corporate Services Office,

     James Cook University,

     Townsville Qld 4811

 Response to Requests for Access

The University is required to acknowledge receipt of the request within 10 business days, to consult with the applicant regarding any difficulties in dealing with the request, and either grant access to the documents of provide specific written reasons for refusing access within 25 business days. This may be extended by a further 10 business days if consultation with a third party is required.

If inspection only of documents has been requested the applicant will be provided with reading facilities. At the applicant's request, the University will provide a copy of the documents, where possible, in the format requested.

Charges

There is no charge for access to, or amendment of, personal infomation. There may be charges for copies of documents or other services. Where hardship can be demonstrated these fees may be waived.

Appeal

The IP Act gives members of the public a legally enforceable right to appeal against a refusal by the University to grant access to, or to amend, personal information.

Internal Review

If the decision on an IP Act request was made by a University officer other than the Vice-Chancellor, an applicant may request the University to reconsider its decision. An applicant may however apply directly for external review without first seeking internal review.

An application for internal review must by lodged in writting within twenty business days of notification of the decision stating reasons for seeking amendment of the decision or identifying particular aspects of the decision which are of concern, and must be lodged with:

The IP Internal Reviewer,

Governance & Corporate Services Office

James Cook University

Townsville Qld 4811

A fresh decision will be made as soon as practicable, but no longer than twenty busines days after the application is received, by the RTI Internal Reviewer. Reasons will be given if the appeal against the original decision is not upheld. Applicants will also be advised of their rights to seek external review. Where the Internal Review Officer fails to make a decision within the prescribed timeline, it will be deemed that they have made a decision re-affirming the original decision.

External Review

The Information Commissioner is an independent person responsible for reviewing the IP Act decisions of all agencies.

An application to the Commissioner for external review may be made if:

  • the request was decided originally by the Vice-Chancellor;
  • an applicant is dissatisfied with the outcome of an internal review; or
  • the Internal Review Officer fails to make a decision within the prescribed timeline.

An application for external review must be made in writing within twenty business days of the notification of the decision or outcome of internal review.

Further information and contacts are available on the Corporate Information webpage.

Third-Party Requests for Personal Information in Relation to Legal Processes

From time to time, third parties, such as the Queensland Police, legal representatives and others sumbit requests for personal informatoin in relatoin to legal processes.

Information will only be provided to legal representatives where a subpoena or writ of non-party discolurse is provided, or where the individual to whom the request relates has provided written consent.

Where law enforcement agencies (e.g. the Police) or third parties wish to request personal information regarding a student, then this request must be submitted in writing by an authorised officer, quoting the Act or Statute under which the request is made, and addressed to the Director, Student & Academic Services or nominee.

Where law enforcement agencies (e.g. the Police) or third parties wish to request personal information regarding a member of staff, then this request must be submitted in writing by an authorised officer, quoting the Act or Statute under which the request is made, and addressed to the Director, Human Resources Management or nominee.

Procedure: Privacy Complaints Procedure

Procedure Responsibility Timeline

If individuals believe that they their personal information has not been dealt with in accordance with the Information Privacy Act 2009, they may make a complaint to the Privacy Decision-Maker at the University. The complaints should be forwarded to the Privacy Decision-Maker, Governance & Corporate Services, James Cook University, Townsville Qld 4811 (See note 1 below)

Complainant Up to twelve months from the date when the breach was suspecte to have occured.
Complaints will be acknowledged in writing Privacy Decision-Maker Within 10 business days from the date on which the complaint was received.
The complaint will be processed and the complainant will be advised in writing of the decision Privacy Decision-Maker Within 45 business days from the date on which the complaint was received.
If applicants are not satisfied with the decision they may apply in writing to the Privacy Decision-Maker for internal review of the initial decision. Complainant Within 20 business days of the complainant receiving the initial complain decision.
The internal review will be carried out and the complainant will be advised in writing of the review decision Internal Review Officer Within 20 business days of the date of receipt of application for internal review.

Note 1: The Information Commissioner's Office requires that any complaint first be lodged with the University, and that the Information Commissioner will not hear complaints after twelve months has lapsed from the date of alleged breach of privacy.

Related documents, legislation or JCU Statutes

Information Privacy Act 2009 

Right to Information Act 2009 

Statement on the Use of Communication Facilities 

Records Management Policy

Records Management Guidelines Procedures for Dealing with an Information Request

Approval Details

 

Policy sponsor:          Director, Governance Services & University Secretary

Approval authority:    Vice-Chancellor

Version no:               11-1

Date for next review:  16/02/2016

Modification History

Version no.  Approval date    Implementation date        Details

11-1          16/02/2011         17/02/2011

 

 

Quick Navigation
Connect with us Facebook LinkedIn Flickr