This policy sets out how The College of Law complies with the requirements of the Privacy Act 1988 (Commonwealth of Australia) and the Privacy Act 1993 (New Zealand) and how that compliance is incorporated within policy and procedural documents for the use of staff.
1.0 Policy snapshot
The College of Law is committed to the principles and practice of privacy, as set out in the National Privacy Principles described in the Privacy Act 1988 (Cth) as amended and the Information Privacy Principles described in the Privacy Act 1993 (NZ) . This document sets out the detail that backs up that commitment.
Personal information which is collected, stored and used in College operations is any information that may be identified with an individual, that extends beyond what information exists about that individual in the public domain, e.g. what is in the phone book.
Sensitive information is personal information about a person’s ethnicity, colour, sex, sexual orientation, age, physical or mental disability, marital status, family responsibilities, pregnancy, religion, political opinion, trade union membership & activity, nationality, social origin, health record, credit record or criminal record.
The rules set out in this document apply to all personal and sensitive information held by the College. The College sets the highest standards for managing and using personal information.
Whenever a task set out in a documented procedure used by the College includes a requirement to handle personal or sensitive information, the steps required are always described within the document to make sure the requirements of the Privacy Act 1988 (Cth) and Privacy Act 1993 (NZ) are complied with.
2.0 The information that is held
Personal information that is held may include, but is not limited to:
- Account information, file notes and databases
- Applications, and associated documentation and background information about students
- Resumes, documentation associated with job applications, training notes and other personnel records
- Correspondence (to or from students, lawyers, etc)
- Mailing lists and databases containing information other than basic contact details
- Notes made by staff about contacts and dealings with students
- Details supplied when making a complaint
- Analyses of students
3.0 Collecting information
Whenever personal information is collected and intended to be recorded, the College will ensure that the information is collected from the person directly, and not from third parties, unless the individual consents for the information to be collected from others.
4.0 Storing information
All personal information will be handled securely. This means it will be:
- Handled only by those whose job role requires them to use it
- Where possible, used only in the work area of the personnel authorised to use it
- Stored in an environment where it is secure from casual or deliberate unauthorised access.
5.0 Using information (directions to staff)
- If personal information is used for research, marketing or media purposes, it will be de-identified unless written permission from the relevant individual for its use is gained.
- Personal information about students is not to be disclosed to any outside parties, unless their written consent to do so is obtained, or it is a reasonable disclosure under legislation or required for the College to conduct its legitimate activities.
- Files or data containing personal information is not to be removed from the premises unless there is a legitimate reason to do so, and security is assured.
- Personal information is to be used only for the purpose for which it was originally obtained, or for something that is reasonably related (such as administering accounts). If personal information is going to be used for something that the individual would not reasonably expect, their consent for the use must be obtained in writing.
- It is possible for the College to disclose sensitive health information about individuals even where consent has not been given, provided it is to ensure that they receive appropriate care or treatment or where it is necessary for compassionate reasons.
- Where feasible and indicated, before personal information that is recorded is used, check that it is accurate and current.
6.0 Opt out rules
An individual can opt to be removed from the College's information/education mailing list.
7.0 Correcting incorrect or incomplete personal information
It may be discovered that the personal information in College records about an individual is incorrect or incomplete when:
• A staff member becomes aware of the discrepancy after some dealing with the individual (for example, a telephone call or correspondence) or during routine work, or
• A staff member becomes aware of a discrepancy after dealing with a third party, for example a law firm, university or relative, or
• The individual informs us directly that their circumstances have changed.
8.0 What to do about discrepancies
When it is discovered that College records are incorrect or incomplete, or it is suspected that there may be some discrepancy, Student Services staff will:
- Verify the discrepancy. This may require that the individual is contacted directly to confirm the facts. Try to confirm the details in writing, if possible.
- Once the facts are confirmed, amend or update the relevant record or records. Make a note of the change and the reason for the change.
- If any other business unit has written or electronic records about the individual (eg. Accounts) inform them about the possibility that their records may also need to be changed.
9.0 Handling requests for access to records
In the Privacy Statement individuals are asked to contact the College with privacy related requests by phoning, faxing or emailing the Privacy Officer. However it may become necessary to take a request directly in the course of dealings with individuals, when answering the phone, face-to-face, or via an unrelated letter or email. Requests may also be received from staff members, job applicants or previous employees.
When staff members need to respond to a telephone or in-person personal information request, they will:
- Tell the person that the College has specific privacy related policies and procedures which are committed to protecting privacy and abiding by the privacy laws
- Ask them to put their request in writing and send it by mail or email to the Privacy Officer.
- When a letter or email is received which contains a privacy related request, forward the request to the Privacy Officer
- Reply to the correspondent, stating that their privacy is an important issue for the College and that every measure will be taken to respond as appropriately and as quickly as possible. Explain that the request has been forwarded to the Privacy Officer, who will contact them and that more information can be obtained by reading the Privacy Statement.
The Privacy Officer for Australia is the Director, Academic Audit and Policy - currently Adrian Deans at the St Leonards campus. Mr Deans can be contacted on 02 9965 7015 or email@example.com
The Privacy Officer for New Zealand is the Chief Executive of the College of Law New Zealand - currently Peter Tritt at the Auckland campus. Mr Tritt can be contacted on 09 300 1893 or firstname.lastname@example.org
10.0 Processing requests from other individuals
10.1 Privacy Officer
When a request for access to records is received from an individual who is not a staff member, job applicant or previous employee, the Privacy Officer will:
- Verify the identity of the person making the request.
- Determine what records the person wants to see.
- Determine whether there is any valid exclusion under the Privacy Act why the College may not be required to provide the records. For example, if the access compromises privacy of others, if the matter is subject to legal action, or if the access would reveal commercially sensitive decision-making processes, there is a case not to allow the access. Check National Privacy Principle 6 to clarify the position.
- If it is decided that the individual cannot see the records, advise them in writing about the decision. If required, speak to them personally to discuss it.
- If it is decided that the individual can see the records, review the material to note what is there. In some cases, it may be necessary to clarify items.
- Determine whether it is appropriate to provide paper copies of the material, or whether it would be better for them to view the records in person.
- Arrange for the copies or visit.
- Keep a note of the outcomes and any adverse reactions by the individual. Negotiate with the individual as required to resolve any problem. If required, advise them that they can take up any problems with the Office of the Federal Privacy Commissioner.
- If there is any complaint after access to records by a staff member, job applicant or previous employee, process the complaint according to the heading 'Handling complaints about privacy'.
11.0 Handling complaints about privacy
11.1 Privacy Officer
When a complaint about privacy is received, the Privacy Officer will:
- Review the complaint
- Determine who is the best staff member to investigate and handle the matter. In some cases, depending on the severity of the problem or the identity of the person, the matter may need to be handled personally by the Privacy Officer.
- Document the complaint.
11.2 Person handling the complaint
When a relevant person is identified to handle a complaint regarding privacy, that person will:
- Review the complaint
- If it can be resolved immediately:
- Take appropriate steps to address the problem
- Clarify the actions to be taken with the Privacy Officer before contacting the complainant
- Contact the complainant as soon as possible to advise the outcomes
- Confirm the outcomes in writing
- If the matter will take some time to resolve:
- Contact the complainant as soon as possible to advise how long it will take
- Keep the complainant advised about progress on a periodic basis
- Keep the Privacy Officer apprised of all developments
- Clarify the final actions to be taken with the Privacy Officer before contacting the complainant
- When the matter is resolved, confirm the outcomes in writing
- Note the actions taken.