- 1 Purpose
- 2 Scope
- 3 Policy Statement
- 4 Procedures
- 5 References
- 6 Schedules
- 7 Policy Information
To provide guidance on handling personal student information
This policy and procedure applies to all University employees.
3 Policy Statement
3.1 Policy for Handling Personal Student Information
The University will only collect personal information that is necessary for one or more of its legitimate functions or activities.
The University will only collect personal information by lawful and fair means and not in an unreasonably intrusive way.
The University will identify itself and what it intends to do with information that it collects.
Where practicable, the University will collect personal information directly from the student concerned.
Where the University collects personal information about a student from a third party, it will take reasonable steps to ensure that the student has been made aware of the collection.
The University will only use or disclose information about students in ways that are considered to be consistent with students' expectations or are required in the public interest.
The University will only use or disclose personal information about a student for a purpose other than the primary purpose of collection (a 'secondary purpose') if:
- the secondary purpose is related to the primary purpose of collection and the student would reasonably expect the University to use or disclose the information for the secondary purpose, or
- The University reasonably believes that the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual's life, health or safety or a serious threat to public health or public safety, or
- The University has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities, or
- the use or disclosure is required or specifically authorised by law.
The University will take reasonable steps to make sure that the personal information it collects uses or discloses is accurate, complete and up to date.
The University will take reasonable steps to protect the personal information it holds from misuse, loss and from unauthorised access, modification or disclosure and will destroy or permanently de-identify personal information if it is no longer needed for any purpose.
The University will, on request, provide students with access to their own personal information held by the University, unless providing access would pose a serious and imminent threat to the life or health of any individual, or the information relates to existing legal dispute resolution proceedings between the University and the student, and the information would not be accessible by the process of discovery in those proceedings.
The University will provide a means for the correction of incorrect information.
The University will not collect personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, or details of health or sex life unless the collection is required or specifically authorised by law.
4.1 Procedures for Handling Personal Student Information
The University holds a large amount of personal information concerning staff, students and other persons, as a natural consequence of our teaching, research and administrative functions. Some personal information is collected from the persons concerned, while other information is generated by the University in the course of our activities (for example, examination results). The privacy of persons about whom the University holds personal information must be respected, and the University's policy addresses the circumstances in which privacy issues may arise.
Personal information is information not in the public domain which identifies an individual and which is capable of being associated with a specified individual.
In the University context, examples of personal student information include home address, home telephone number, date of birth, marital status, next of kin, enrolment details, academic performance, personal welfare (such as medical matters) and records of an individual student's library borrowings. It may include visual information, such as photographs of people. For the purposes of this policy, personal information is given a broader meaning than in the Right to Information Act 2009 (Qld) (the RTI Act refers to "personal affairs information", meaning matters of private concern to individuals).
4.3 Collection of personal information
Information should be collected only where it is necessary to carry out a particular function or administrative activity. For instance, it is rare that information concerning a student's marital status is required for normal administrative functions associated with enrolment or study. Where the information is not required for any specific purpose, it should not be collected.
Where information is collected for a particular purpose, it should not normally be used for any other purpose. For instance, it is not acceptable to supply the names and addresses of students to commercial providers of goods or services, even where particular benefits may be offered to those students, since such information has been collected by the University only for enrolment and study-related purposes. If personal information is likely to be used for some other purpose, this should be disclosed at least by the time that information is collected and preferably before it is requested. In certain circumstances, information collected for one University purpose may be used for another but such use should be approved by the Deputy Academic Registrar and Director (Student Administration).
4.4 Access to and use of personal information stored in records
There are several important principles that staff should consider when dealing with personal information held by the University.
Personal information should be accessed and used only for University purposes.
Access to either paper-based or computerised records should be sought and granted only where there is a demonstrated need for this because of a staff member's functions or responsibilities. Even where access is granted, it would be inappropriate, for instance, if an address, home telephone number or other information was accessed and used by a staff member for private reasons, e.g. to forward personal correspondence to a former flatmate, or to ascertain the results of friends and associates. This is so even if the person to whom the information relates gives permission, since this is not a 'University purpose'.
Personal information should be secured.
- Paper-based records should not be left where members of the public, or others to whom the information they contain is not generally made available, may access them. Records containing personal information should be filed securely.
- Appropriate arrangements should be put in place at the departmental level to ensure that access to computerised records is granted only to staff requiring such access in the course of their duties. Computer access passwords are intended as security devices and hence staff should not disclose their passwords to others.
- Sometimes personal information will be obtained orally, for instance, in an interview with a student concerning course progress. The information may or may not be recorded in documentary form. Nonetheless, privacy should be respected, and the information should not be discussed with others, except where this is necessary to undertake functions concerning the student or staff member who has provided the information.
Personal information should not be disclosed to third parties, except in the circumstances outlined below.
As a general rule, information not expected to be publicly known concerning staff and students should be treated as confidential, and should not be disclosed to anyone but University staff who have a demonstrated need for this information to carry out their duties. There are several exceptions to this general rule.
- Disclosure to the staff member or student to whom the personal information relates:
- Information privacy principles in general entitle those about whom information is held to access that information. This enables them to ensure that information about them is accurate, relevant, up-to-date, complete and not misleading. Thus, a staff member or a student would be entitled to request access to their personal file or to view information held in computerised formats about them. This general entitlement is given effect by the Queensland Right to Information Act 2009 (Qld), and is subject to its detailed provisions.
- In most cases where access is requested, it will be possible for access to be obtained without the need to make a formal application under the FOI Act. For further advice on dealing with requests, refer to the Right to Information Officer.
- Sometimes, persons supply original documents to the University, such as birth certificates, or certified academic records of study undertaken elsewhere. Where it is practicable to do so, original documents supplied by a person may be returned to them, and must be returned upon request. If this occurs, University records relevant to the transaction must include an annotation indicating that original documents have been sighted and returned.
- Disclosure to third parties only with the consent of the student or staff member concerned:
- Personal information may be disclosed to third parties with the consent of the student or staff member concerned. Such consent cannot be assumed, and should be given expressly and in writing. It cannot be assumed, for instance, that the University has implied consent to routinely supply student details to professional associations, potential employers or parents.
- Except in the special cases mentioned below, the fact that the enquirer may hold an official position, for example, as an officer of a government department, or in some other way may claim a special or even official right to get information makes no difference to this position. Nor does it matter whether the enquiry is made informally or by means of a formal written document.
- Details of a student's academic record should not be given to third parties. If an enquiry concerning a student's record is made by a person or body clearly having a valid reason for seeking the information, e.g. another university or a prospective employer forwarding details of the record as furnished to the enquirer by the student, the enquiry should be referred to the Deputy Academic Registrar and Director (Student Administration), who will, if appropriate, verify the record so furnished.
- Disclosure of matters of public record:
- Additionally, there is a limited amount of apparently personal information held by the University which in fact amounts to a matter of public record. A notable example is the status of a person as a graduate of the University. Where members of the public enquire about the status of persons as graduates of the University, they may be encouraged to use the publicly available source in the University Library or alternatively may write to the Deputy Academic Registrar and Director (Student Administration). The University's official graduation records are held in Central Administration. (Note the University does not currently hold records of graduates in the Library.)
- The fact that a student is enrolled at the University is not treated as a matter of public record. Consequently, such information should be disclosed only in the circumstances outlined in this policy.
- It should not automatically be assumed that divulging apparently innocuous information, such as staff lists, is acceptable. This is because of the opportunities which exist for using sophisticated software technologies to consolidate that information with other publicly available information and produce a selected mailing list, for example, for the direct marketing industry. Such requests should be referred to the Deputy Academic Registrar and Director (Student Administration).
- Disclosure of personal information under statutory or other legal authority:
- In some cases, legislation has conferred upon certain public officers the right to demand and receive information, even though it would otherwise be regarded as confidential. A typical example is the Income Tax Assessment Act under which the Commissioner can authorise officers of that department to require any person to answer any question or to produce any document for inspection. The Commonwealth Departments of Education, Science and Training, Social Security, or Immigration may also have powers to obtain access to personal information in specific circumstances.
- In cases where enquiries are received from public officials, the relevant statutory authority to obtain access to such information should be requested. Statutory authority should be detailed in writing, as should written verification of appointment as a person entitled to require the information. When this authority is produced, the enquiry should be referred to the University Lawyer for confirmation, or where the University Lawyer is unavailable, to the Deputy Academic Registrar and Director (Student Administration).
- Until such confirmation is obtained, inspection of University documents is not permitted, no personal information should be released verbally and copies of documents should not be provided.
- Similarly, where disclosure is sought in the course of legal proceedings, e.g. by service of a subpoena or writ of third party discovery, this must at all times be referred promptly to the University Lawyer for action.
- Disclosure in instances of wrongdoing associated with University activities:
- Staff in Faculty offices and in various sections of Central Administration often obtain transcripts of the academic record of persons seeking admission to a particular course of study, or who apply for a position on the University staff or for various forms of financial assistance. Occasionally, such staff may become aware that such records appear to have been falsified in order to obtain admission or appointment. These are examples of a wider class of instances where wrongdoing in connection with University affairs is suspected.
- Where staff suspect that some form of record falsification or other wrongdoing has occurred, any reporting of the issue should be to their supervisor in the first instance and then to the Deputy Academic Registrar and Director (Student Administration). At no time should staff disclose such information directly to entities outside the University.
- Occasionally, police officers involved in investigations of offences associated with University activities or the misuse of University property, will make enquiries for personal information about staff or students to assist with their enquiries. In exceptional circumstances, the University may consider release of such information. All such enquiries must be referred to the University Legal Office.
- Requests associated with bona fide research activities
- The University is willing to assist bona fide researchers undertaking studies, for example, by the distribution of questionnaires within the University community. Any assistance must be approved by the Deputy Academic Registrar and Director (Student Administration).
- Material to which such requests relate and which will be forwarded to staff/students must contain a clear statement of purpose, and responses must be entirely voluntary and made directly to the researcher.
- Usually, the University will either distribute the material within the University internal mail system or provide name/address labels under stringent conditions associated with the preservation of individual privacy. Costs will normally be recovered from the researcher. The University will provide no other follow-up or forwarding services.
4.5 Grievance Procedure
Privacy issues can be discussed with one's supervisor or supervisor's supervisor if necessary, on a confidential basis. If Students believe their privacy has been breached, a grievance may be lodged via the online complaints form. In order to enable such a complaint to be properly investigated, it should identify the person whose privacy appears to have been breached. Anonymous complaints will not be dealt with.
An investigation will be conducted in consultation with the relevant Head of Department or section. The Deputy Academic Registrar and Director (Student Administration) will have final responsibility for resolving the complaint.
4.6 Further Information
General enquiries concerning the application of this policy may be directed to the Deputy Academic Registrar and Director (Student Administration) in the first instance.
This policy must be read in conjunction with its subordinate schedules as provided in the table below.
7 Policy Information
Related forms, publications and websites
Terms defined in the Definitions Dictionary
Definitions that relate to this policy only
Personal Information, Students