The University’s privacy obligations primarily fall under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) and the Health Records and Information Privacy Act 2002 (NSW) (HRIPA). However the Privacy Act 1988 (Cth) also applies to the University in some respects.
Privacy Management Plan
Under the PPIPA, the University is required to have a Privacy Management Plan (opens in a new window) and embraces this obligation as an exercise of good governance and transparency in the way in which the University collects and deals with the personal information of its staff, students, and other members of the University community.
The PMP applies to all personal information and health information of any person that has been collected or received by the University. All academic and organisational units of the University must collect, store, use and disclose personal or health information in accordance with the procedures set out in the PMP, or in other University policies and procedures (such as the Records and Archives Management Policy (opens in a new window)). The obligations of the University extend to third parties who handle personal information on its behalf, including volunteers and other organisations engaged by the University.
The PMP also applies to the University’s controlled entities, which currently include Western Sydney University College, Western Unlimited Ltd, WSU Early Learning Ltd and the Whitlam Institute within Western Sydney University.
The PMP sets out in detail the way in which the University collects, uses, stores, secures, discloses and destroys personal information and health information. It also provides information about how a person can access their personal information and how to make complaints about privacy matters.
FAQS - common privacy issues
Here are some of the commonly asked privacy questions that occur at the University.
Why does the University collect personal information and what does it do with it?
The University is a public institution engaged in teaching, research, community service and engagement. In order to perform its functions, the University needs to collect, hold, use and manage the personal information of people who work or study there and/or access services. This includes students, staff, alumni and other members of the University community. Examples of why the University needs to collect personal information are set out in detail in the Privacy Management Plan.
Once personal information is collected from a person, the University is required to store, use, disclose and destroy that information in accordance with privacy laws. For more information, please refer to the Privacy Management Plan (opens in a new window).
How do the University’s privacy requirements interact with technology?
While technology continues to rapidly evolve the way businesses operate, the University still must ensure that its processes comply with privacy laws. The University has policies in place about data storage, information technology security and systems approval and implementation to ensure it complies with the regulatory framework regarding data security. This includes arrangements involving the transfer of data outside New South Wales for cloud storage or other purposes. For more information, please refer to the Privacy Management Plan (opens in a new window).
If a police officer or government agency calls and asks for personal information of a staff member or student, what should I do?
The University often receives telephone and written inquiries from law enforcement and government agencies seeking personal information of students and staff members. This includes for criminal investigation or inquiries by Centrelink or the Australian Taxation Office. The University does not provide personal information unless the University is required by law to disclose it, or there is an appropriate exemption under privacy laws. Any requests should be referred immediately to the Privacy Officer or the Office of General Counsel (opens in a new window).
I am a student and I want access to the personal information the University has about me that I cannot access through my email or vUWS. What do I do?
You can apply to inspect your student record (excluding records held by any of the student support services) in writing to the Senior Manager, Student Administration either:
1. by email from the student’s University student email account; or
2. in person or over the telephone at Student Central (opens in a new window), the University’s main face-to-face contact service with students.
If you want to access the information held by any of the student support services, you should put your request in writing to Student Services (opens in a new window).
Please note that you may be also asked to verify your identity before you are granted access.
How does the University know that the information it holds is up-to-date and still relevant?
The University relies on the people who provide their personal information to provide information that is accurate, relevant, up-to-date and free of errors. The University has processes in place to ensure personal information it holds is updated for accuracy from time to time, including by:
(a) reviewing and updating processes that always require collection of personal information, such as recruitment and enrolment;
(b) undertaking a fresh collection of personal information and health information for different processes within the University, for example during complaint-handling or a workers’ compensation matter;
(c) in the case of students in contact with Student Support Services, requesting updated health information on a bi-annual basis or when circumstances change.
What is the difference between use and disclosure?
“Use” of personal information means using it for a purpose related to the University’s functions, such as enrolment of students. “Disclosure” of personal information means providing it to another person or organisation. However, there is no absolute distinction between use and disclosure.
In most cases, it is not “disclosure” of personal information if one organisational unit within the University provides or grants access to to another organisational unit, as long as this is done for the purpose for which the information was collected in the first place, or to enable students or staff to access services offered by the University. Examples include the Graduations Unit accessing a student’s enrolment records to verify they are eligible to graduate and organising computer lab and library access.
There are also exemptions in privacy laws relating to disclosure of personal information, including if there is a serious and imminent threat to a person’s life or health, or where police need to investigate a crime.
For more information about how the University handles disclosure, please refer to the Privacy Management Plan (opens in a new window) or contact the Privacy Officer for more information.
Is live streaming of graduation ceremonies a disclosure of personal information?
No. Graduation ceremonies are attended by members of the general public invited by graduands and are considered public events. These are live streamed through the University’s website and can be viewed by people worldwide, which enables families of international students to enjoy the ceremony from overseas.
How is health information different to personal information?
Health information is a form of personal information that is dealt with under separate privacy legislation to other personal information.
Health information can include information about a person’s physical or mental health, disability, the health services provided to them, or the person’s wishes about health services they want to receive in the future. It also includes personal information collected as part of a health service, including organ donation, genetic information, and numbers assigned to an individual in relation to health information.
There are some differences to ways that health information is treated and this is explained in more detail in the Privacy Management Plan (opens in a new window).
Why does my personal information appear in the Award Verification Service?
The University’s Award Verification Service is a public facing database that has basic information about graduates of Western Sydney University. It is a public register for the purpose of the privacy laws and its purpose is to protect the value and integrity of qualifications conferred by the University.
Are there any exceptions for personal information collected for research purposes?
Yes. Under the NSW privacy laws, there are specific exemptions that apply to collection, use and disclosure for research purposes. There are, however, strict requirements for management of personal information used for research under privacy laws and under other University policies, such as the Research Code of Practice (opens in a new window), Research Data Management Policy (opens in a new window) and Research Conducted by External Parties Approval Policy (opens in a new window).
The University's privacy contact point is the Privacy Officer. The Privacy Officer helps to create a privacy compliant culture at the University, and:
- assists with inquiries about how personal information can and cannot be used by the University;
- gives advice when requested about whether personal information can be disclosed, including in emergency situations;
- receives records about disclosure of information to law enforcement, government or other organisations when the University is compelled to do so;
- manages requests for internal reviews complaining about the conduct of the University in relation to privacy matters;
- manages privacy breaches made by or on behalf of the University;
The University’s Privacy Officer can be contacted as follows:
By phone: (02) 4570-1428
By email: firstname.lastname@example.org
Other privacy related policies and documents
Other University policies and related documents relevant to privacy are as follows:
- Acceptable Use of Digital Services Policy (opens in a new window);
- Consent to Release Personal or Health Information to Third Parties - Students (opens in a new window);
- Consent to Release Personal or Health Information to Third Parties - Staff (opens in a new window);
- Death Response Policy (opens in a new window);
- Digital Information Security Policy (opens in a new window);
- Digital Services Implementation Policy (opens in a new window);
- Information about Health Privacy for Students Undertaking Clinical Experience (or Other Placement) in the Health Sector (opens in a new window);
- Records and Archives Management Policy (opens in a new window);
- Research Code of Practice (opens in a new window);
- Research Data Management Policy (opens in a new window);
- Student Declaration (opens in a new window);
- Website Privacy Statement (opens in a new window);
- Workplace Surveillance Policy (opens in a new window).
The University’s privacy training program is mandatory for staff, researchers, contractors and staff of the University's controlled entities. University staff must complete the training module via MyCareer Online. Others, such as researchers, contractors and entity staff who do not have access to Staff Online, must complete the training via vUWS.
The University also runs training workshops for managers and supervisors of staff to ensure a privacy compliant culture. Any staff requiring additional training should contact the Privacy Officer.
The Privacy Officer will investigate complaints from individuals about the way in which the University handles their personal or health information. Complaints can be made by making a request for an Internal Review. All complaints are investigated in accordance with the procedures outlined in the Privacy Management Plan (opens in a new window).
A person may also contact the NSW Information and Privacy Commissioner (IPC) to make a complaint at www.ipc.nsw.gov.au (opens in a new window). Please be aware that the IPC will usually refer matters back to be handled internally by the University.
Contact the University’s Privacy Officer for more information.
Reporting potential privacy breaches