Part C: How the privacy principles apply
How the privacy principles apply
The privacy principles are the standards which SCU is expected to follow when dealing with personal information (including health information).
The phrase 'privacy principles' refers to the combination of the 12 Information Protection Principles (IPPs) set out in sections 8 to 19 of the Privacy and Personal Information Protection Act 1998, and the 15 health privacy principles (HPPs) in Schedule 1 of the Health Records and Information Privacy Act 2002 (HRIP Act).
There are a number of ways that our conduct may be exempt from one or more of the IPPs or HPPs. Exemptions are found in the Acts themselves, in temporary Directions made by the Privacy Commissioner, and in Privacy Codes of Practice. In some cases, other legislation will override the privacy principles.
The following section uses plain language (not the wording of the law itself) to describe the privacy principles and how SCU staff must comply with them. It also mentions the exemptions that may be relevant for SCU, depending on the context. If you need guidance on interpreting the requirements of the privacy principles or exemptions, please contact SCU's Privacy Contact Officer.
Introduction
Our privacy obligations have been condensed into one set of 13 plain language principles to be followed by SCU:
- limiting our collection of personal information
- anonymity
- unique identifiers
- how we collect personal information – the source
- how we collect personal information – the method and content
- notification when collecting personal information
- security safeguards
- transparency
- access
- correction
- accuracy
- use
- disclosure
This Part of the PMP outlines:
- key definitions
- each of the SCU plain language privacy principles
- when there are different rules for 'health information' or 'sensitive personal information'
- some examples of how the privacy principles work in practice, and
- the common exemptions to each privacy principle.
Important note about using this Part
This Part of the PMP uses plain language, not the exact wording of the law. This is to make understanding our obligations a little easier. This document does not cover the full complexity of the privacy laws applying to SCU. It has been simplified, and doesn't cover all exemptions or situations.
If in doubt, you should always check the exact wording in the legislation, and seek guidance from the SCU Privacy Contact Officer, or the NSW Privacy Commissioner.
This document is an educational tool, not legal advice.
Definitions
Collection of personal information means the way SCU acquires the information. Collection can be by any means. Examples include: a written form, a verbal conversation, an online form, or taking a picture with a camera.
Disclosure means when we provide personal information to an individual or body outside SCU – or, in some cases, to other discrete units within SCU.
Health information means personal information that is also information or an opinion about:
- a person's physical or mental health or disability
- a health service provided, or to be provided, to a person
- a person's express wishes about the future provision of health services to him or her
- other personal information collected to provide a health service, or in providing a health service, or in connection with the donation of human tissue, or
- genetic information that is or could be predictive of the health of a person or their relatives or descendants.
Holding personal information: SCU will be considered to be 'holding' personal information if it is in SCU's possession or control, or if it is held by a contractor or service provider on our behalf. Most of the privacy principles apply to when SCU is 'holding' personal information, which means we remain responsible for what our contractors or service providers do on our behalf.
Personal information means "information or an opinion … about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion".
Personal information can include information that is recorded (e.g. on paper or in a database), but also information that is not recorded (e.g. verbal conversations). It can even include physical things like a person's fingerprints, tissue samples or DNA.
Some things are exempt from the definition of "personal information", including information about a person who has been dead for more than 30 years, and information about an individual that is contained in a document kept in a library, art gallery or museum for the purposes of reference, study or exhibition.
Also note that "health information" is sometimes treated a little differently to other types of "personal information", and has its own definition – see above. There are also some special rules for "sensitive personal information" – see below.
Privacy obligations means the privacy principles and any exemptions to those principles that apply to SCU.
Sensitive personal information means information about a person's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or union, or sexual preferences or practices.
Use means when SCU uses personal information for some purpose.
1. Limiting our collection of personal information
1.1 The principle in brief
We will only collect personal information if:
- it is for a lawful purpose that is directly related to one of our functions, and
- it is reasonably necessary for us to have the information.
1.2 Special rule for health information or sensitive information?
No.
1.3 Key messages, examples and definitions
We won't ask for personal information unless we really need it. In particular, we will avoid collecting "sensitive information" if we don't need it.
By limiting our collection of personal information to only what we really need, it is much easier to comply with our other obligations.
Example: when designing a form, ask yourself: "do we really need each bit of this information?"
Example: If we need to know a person's age to provide age-appropriate services, we will ask for their age or year of birth, not their date of birth.
1.4 Common exemptions
Before you rely on an exemption, check with the SCU Privacy Contact Officer.
- unsolicited information
- information collected before 1 July 2000
2. Anonymity
2.1 The principle in brief
We will allow people to receive services from us anonymously, where lawful and practicable.
2.2 Special rule for health information or sensitive information?
No.
2.3 Key messages, examples and definitions
Example: Potential 'customers' of SCU should be provided with information about SCU's programs and services, without having to identify themselves.
2.4 Common exemptions
None.
3. Unique identifiers
3.1 The principle in brief
We will only identify people by using unique identifiers if it is reasonably necessary for our functions.
3.2 Special rule for health information or sensitive information?
No.
3.3 Key messages, examples and definitions
Identifiers can assist with efficient record management, but they also pose privacy risks if they are used to match or compile large quantities of data about a person from different sources. For that reason, sharing unique personal identifiers between different organisations is generally prohibited.
A unique personal identifier is not just a person's name or file number. It can be a key (such as a number) which aims to uniquely identify a person – for example so that you can separate all the different people with the name 'John Smith'.
A student number, tax file number, a unique patient number or a driver's licence number is a unique personal identifier.
3.4 Common exemptions
None.
4. How we collect personal information – the source
4.1 The principle in brief
We will only collect personal information directly from the person unless they have authorised otherwise.
4.2 Special rule for health information or sensitive information?
Yes. The rule for health information is a little easier. We must collect health information directly from the person, unless it is unreasonable or impractical to do so.
4.3 Key messages, examples and definitions
If we need information about Sue, we should ask Sue herself, rather than Jim.
By collecting information direct from the source, it will be easier for us to comply with other obligations too, like ensuring the accuracy of the information, and getting permission for any disclosures of the information.
Example: An SCU student has fainted and a representative from Student Services has called the first aid officer. It is OK to ask the student's friend for some health information about the student ("is the student diabetic?") because it is unreasonable and impractical to ask the student directly.
Example: Potential students have already authorised UAC to provide their information to SCU on their behalf, when applying for a course at SCU.
4.4 Common exemptions
Before you rely on an exemption, check with the SCU Privacy Contact Officer.
- unsolicited information
- where the person is under 16, we can instead collect the information from their parent or guardian (but we don't have to)
- if another law authorises or requires us to collect the information indirectly (i.e. from a different source)
- for some law enforcement and investigation purposes
- when we are taking a family, social or medical history from a client of our health or counselling services
- information collected before 1 July 2000
- if compliance would, in the circumstances, prejudice the interests of the individual to whom the information relates.
4.5 Other relevant points
Where a person lacks some capacity (e.g. because of a brain injury), we can ask their authorised representative for the information instead. But we must also still try to communicate with them directly. Privacy NSW's Best Practice Guide Privacy and people with decision-making disabilities explains how to collect personal information from or about a person who has limited or no capacity.
Privacy NSW's Handbook to Health Privacy provides some other examples of when it might be "unreasonable or impractical" to collect health information directly from the person.
5. How we collect personal information – the method and content
5.1 The principle in brief
We will not collect personal information by unlawful means.
We will not collect personal information that is intrusive or excessive.
We will ensure that the personal information we collect is relevant, accurate, up-to-date, complete, and not misleading.
5.2 Special rule for health information or sensitive information?
No.
5.3 Key messages, examples and definitions
We won't ask for information that is not relevant, very personal, or might become out of date. But we only need to take 'reasonable steps' to ensure we meet this standard.
To determine what might be 'reasonable steps', we will consider:
- the sensitivity of the information
- the possible uses of the information, and
- the practicality and cost of aiming for 'best practice'.
Example: PQR wants to do a student satisfaction survey or conduct teacher or unit feedback studies. It is not relevant for SCU to know each student's or teacher's home address, date of birth or marital status.
5.4 Common exemptions
Before you rely on an exemption, check with the SCU Privacy Contact Officer.
- unsolicited information
- information collected before 1 July 2000
6. Notification when collecting personal information
6.1 The principle in brief
When collecting personal information, we will take reasonable steps to tell the person:
- who will hold and/or have access to their personal information
- what it will be used for
- what other organisations (if any) routinely receive this type of personal information from us
- whether the collection is required by law
- what the consequences will be for the person if they do not provide the information to us, and
- how the person can access their personal information held by us.
6.2 Special rule for health information or sensitive information?
As a general rule, we have to try harder to notify people when we're collecting health information or any information that might be considered sensitive.
6.3 Key messages, examples and definitions
Individuals providing their personal information to SCU have a right to know the full extent of how the information they provide will be used and disclosed, and to choose whether or not they wish to go ahead with providing information on that basis.
Notification therefore allows a person to make an informed decision about whether or not to give us their personal information. Notification is done through a 'privacy notice'.
Privacy notices can be given in writing or verbally, but writing is better. But we only need to take reasonable steps to ensure each person receives the notice.
Where the person lacks some capacity (e.g. because of a brain injury), we must notify their authorised representative, but also still try to communicate with the person direct.
To determine what might be "reasonable steps", we will consider:
- the sensitivity of the information
- the possible uses of the information, and
- the practicality and cost of aiming for 'best practice'.
6.4 Common exemptions
Before you rely on an exemption, check with the SCU Privacy Contact Officer.
- unsolicited information
- information collected before 1 July 2000
- if another law authorises or requires us to not notify people
- some law enforcement and investigation purposes
- the person has already been notified by the organisation that gave us the information
6.5 Other relevant points
When drafting a privacy notice, use the SCU Template privacy notice attached in Appendix A to this document. Any new projects which might collect personal information should be reviewed by the SCU Privacy Contact Officer to ensure an adequate privacy notice is included.
For non-English speaking background clients, the Community Language Privacy Notice should be used.
Privacy NSW's Best Practice Guide Privacy and people with decision-making disabilities explains how to notify a person who has limited capacity to understand.
7. Security safeguards
7.1 The principle in brief
We will take reasonable security measures to protect personal information from loss, unauthorised access, use, modification or disclosure.
We will ensure personal information is stored securely, not kept longer than necessary, and disposed of appropriately.
7.2 Special rule for health information or sensitive information?
As a general rule, we will have to work harder to protect health information or any information that might be considered sensitive.
7.3 Key messages, examples and definitions
Security measures could include technical, physical or administrative actions.
Example: We must only provide personal information to a contractor or service provider if they really need it to do their job. We must also take reasonable steps to prevent any unauthorised use or disclosure of the information by a contractor or service provider, and remember to bind our contractors to the same privacy obligations as us.
Example: We must follow good practice records management.
To determine what might be "reasonable steps", we will consider:
- the sensitivity of the information
- the context in which the information was obtained
- the purpose for which we collected the information
- the possible uses of the information, and
- the practicality and cost of aiming for 'best practice'.
7.4 Common exemptions
None.
8. Transparency
8.1 The principle in brief
We will enable anyone to know:
- whether we are likely to hold their personal information
- the purposes for which we use personal information, and
- how they can access their own personal information.
8.2 Special rule for health information or sensitive information?
No.
8.3 Key messages, examples and definitions
We have a broad obligation to the community, to be open about how we handle personal information. This is different to collection notification, which is much more specific, and given at the time of collecting new personal information.
Example: This PMP will be available on our website. This PMP briefly explains our privacy obligations, and sets out the major categories of personal and health information that we hold.
8.4 Common exemptions
None.
9. Access
9.1 The principle in brief
We will allow people to access their personal information without unreasonable delay or unreasonable expense.
We will only refuse access where authorised by law, and we will provide written reasons.
9.2 Special rule for health information or sensitive information?
No.
9.3 Key messages, examples and definitions
People should be able to see what information we hold about them, with a minimum of fuss.
Our policy is that as much as possible, we will let both students and staff see their own personal information at no cost, and through an informal request process.
We can't charge people to lodge their request for access. But we can charge reasonable fees for copying or inspection, if we tell people what the fees are up-front. Fees should be no more than we would charge for the same thing under the Government Information (Public Access) Act 2009 (NSW).
9.4 Common exemptions
Before you rely on an exemption, check with the SCU Privacy Contact Officer.
- if another law (such as the Government Information (Public Access) Act 2009 (NSW)) authorises or requires us not to give the person access
9.5 Other relevant points
Any unusual request to access personal information should be put in writing, and then referred to the SCU Privacy Contact Officer to review.
Privacy NSW's Best Practice Guide Privacy and people with decision-making disabilities explains how to provide access to personal information held about a person who has limited or no capacity.
10. Correction
10.1 The principle in brief
We will allow people to update or amend their personal information, to ensure it is accurate, relevant, up-to-date, complete or not misleading.
We will suppress a person's address on request.
Where possible, we will notify any other recipients of any changes.
10.2 Special rule for health information or sensitive information?
No.
10.3 Key messages, examples and definitions
If we disagree with the person about whether the information needs changing, we must instead allow the person to add a statement to our records.
We can't charge people to lodge their request for amendment. But we can charge reasonable fees for making an amendment, if we tell people what the fees are up-front. Fees should be no more than we would charge for the same thing under the Government Information (Public Access) Act 2009 (NSW).
Our policy is, as much as possible, to let people update their own personal information at no cost. But this does not mean they can just ask us to alter their student grades without going through the proper processes.
Example: When a student calls or visits Student Services to obtain information about their course of study, or to change their personal details, or accesses Student One to update their contact details, the amendment should be processed quickly and at no cost.
10.4 Common exemptions
Before you rely on an exemption, check with the SCU Privacy Contact Officer.
- if another law authorises or requires us not to amend the information
10.5 Other relevant points
Any unusual request to amend personal information should be put in writing, and then referred to the SCU Privacy Contact Officer to review.
11. Accuracy
11.1 The principle in brief
Before using or disclosing personal information, we will take appropriate steps to ensure that the information is relevant, accurate, up-to-date, complete, and not misleading.
11.2 Special rule for health information or sensitive information?
No.
11.3 Key messages, examples and definitions
We must ensure that personal information is still relevant and accurate before we use or disclose it.
We only need to take reasonable steps to check the information – but more steps will be needed if we're likely to use the information in a way that will disadvantage the person.
What might be considered "reasonable steps" will depend upon the circumstances, but some points to consider are:
- the context in which the information was obtained
- the purpose for which we collected the information
- the purpose for which we now want to use the information
- the sensitivity of the information
- the number of people who will have access to the information
- the potential effects for the person if the information is inaccurate or irrelevant
- any opportunities we've already given the person to correct inaccuracies, and
- the effort and cost involved in checking the information.
Example: When Enrolment services are determining a potential student's eligibility to study with us, we will give the person an opportunity to correct the information we are relying on before we make our final decision. The same process applies to any information about students or staff published by SCU's Communications Media and Marketing department.
11.4 Common exemptions
None.
12. Use
12.1 The principle in brief
We may use personal information:
- for the primary purpose for which it was collected
- for a directly related secondary purpose within the reasonable expectations of the person, or
- for another purpose if the person has consented.
12.2 Special rule for health information or sensitive information?
No.
12.3 Key messages, examples and definitions
We should only use personal information for the purpose for which it was collected. We shouldn't go finding new and interesting uses for people's personal information.
Example: If the primary purpose of collecting student information was to process an enrolment and course selection, directly related secondary purposes within the reasonable expectations of the person for which their personal information could be used by SCU would include billing for the course, auditing or course evaluation.
12.4 Common exemptions
Before you rely on an exemption, check with the SCU Privacy Contact Officer.
- to deal with a serious and imminent threat to any person
- if another law authorises or requires us to use the information
- some law enforcement and investigative purposes
- some research purposes, subject to approval by the SCU Human Research Ethics Committee.
12.5 Other relevant points
The primary purpose for which we have collected the information should have been set out in a privacy notice. To use personal information for a purpose set out in the privacy notice is usually OK, but for any other purpose, check with the SCU Privacy Contact Officer first.
Privacy NSW's Best Practice Guide Privacy and people with decision-making disabilities explains how to seek consent for a secondary use of personal information from a person who has limited or no capacity.
Privacy NSW's Statutory Guidelines on Research explain how health information can be used for research purposes. They also provide a good rule of thumb for the use of other types of personal information for research purposes.
13. Disclosure
13.1 The principle in brief
We will only disclose personal information if:
- at the time we collected their information, the person was given a privacy notice to inform them their personal information would or might be disclosed to the proposed recipient, or
- the disclosure is directly related to the purpose for which the information was collected, and SCU has no reason to believe that the individual concerned would object to the disclosure, or
- the person concerned has consented to the proposed disclosure.
13.2 Special rule for health information or sensitive information?
Yes. If the personal information is 'sensitive personal information', we may only disclose it if the person has consented.
Tougher rules also apply when transferring health information outside of NSW (including to the Commonwealth Government). We can only transfer health information outside NSW if one of the following applies:
- the person concerned has consented
- if it is necessary for a contract with (or in the interests of) the person concerned
- if it will benefit the person concerned, we cannot obtain their consent, but we believe the person would be likely to give their consent
- we reasonably believe that the recipient of the information is subject to a law or binding scheme equivalent to the HPPs, or
- we have bound the recipient by contract to privacy obligations equivalent to the HPPs.
13.3 Key messages, examples and definitions
So long as the personal information in question is not 'sensitive personal information', we can disclose information in ways we clearly notified the person about at the time we collected their personal information.
However, if we didn't tell the person about the proposed disclosure in a privacy notice, or if the personal information in question is 'sensitive personal information', or if it is health information and we want to send it outside NSW, we will usually have to get the person's consent for the disclosure.
13.4 Common exemptions
Before you rely on an exemption, check with the SCU Privacy Contact Officer.
- to deal with a serious and imminent threat to any person
- to deal with a serious threat to public health or safety (health information only)
- if another law authorises or requires us to disclose the information
- some law enforcement and investigative purposes
- some research purposes, subject to approval by the SCU Human Research Ethics Committee.
13.5 Other relevant points
The primary purpose for which we have collected the information should have been set out in a privacy notice. To disclose personal information that is not 'sensitive' for a purpose set out in the privacy notice is usually OK, but for any other purpose, check with the SCU Privacy Contact Officer first.
Privacy NSW's Best Practice Guide Privacy and people with decision-making disabilities explains how to seek consent for a disclosure of personal information from a person who has limited or no capacity.
Privacy NSW's Statutory Guidelines on Research explain how health information can be disclosed for research purposes. They also provide a good rule of thumb for the disclosure of other types of personal information for research purposes.
Updated: 07 May 2013

