Under the Act (s. 6), ‘Personal Information’ is defined as:
'information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.'
Under the Act (s. 6), ‘Sensitive Information’ is defined as:
(a) information or an opinion about an individual's:
- (i) racial or ethnic origin; or
- (ii) political opinions; or
- (iii) membership of a political association; or
- (iv) religious beliefs or affiliations; or
- (v) philosophical beliefs; or
- (vi) membership of a professional or trade association; or
- (vii) membership of a trade union; or
- (viii) sexual preferences or practices; or
- (ix) criminal record;
- that is also personal information; or
(b) health information about an individual
The Privacy Act 1988 contains ten ‘National Privacy Principles’ (NPP), which are binding on organisations, such as DUSA, covered by the legislation. In particular, NPP 1.3 requires DUSA to make certain information available to individuals about whom it collects personal information:
At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:
- (a) the identity of the organisation and how to contact it; and
- (b) the fact that he or she is able to gain access to the information; and
- (c) the purposes for which the information is collected; and
- (d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and
- (e) any law that requires the particular information to be collected; and
- (f) the main consequences (if any) for the individual if all or part of the information is not provided.
The DUSA Constitution (Clause 1) defines that the purpose of DUSA is to advance the education of the students of Deakin University by:
- (a) promoting the interests and welfare of students;
- (b) promoting equality of opportunity for students and prospective students;
- (c) representing students within and outside the University;
- (d) co-ordinating the activities of students:
- (e) on campuses: across campuses, and off campus; and
- (f) providing amenities and services, principally for students and other members of the University community, and incidentally to the public.
DUSA initiatives will comply with the national privacy regime. Full compliance with the new national privacy regime will require a comprehensive review of DUSA’s procedures and work instructions. This policy outlines principles that will underpin this review.
Collection of information
Any personal information collected or generated by DUSA will be directly related to the functions and activities of DUSA. DUSA will only collect personal information necessary to fulfil its purposes as stated in the Constitution of DUSA. Personal information will be collected in a fair and lawful manner, and used only for relevant purposes.
DUSA may collect personal information about an individual when DUSA communicates with individuals, processes a membership application, processes a DUSA activity application and processes a job application. DUSA may also collect personal information from its website when an individual elects to provide personal information through the website.
DUSA will endeavour to ensure that all personal and/or sensitive information it holds is accurate, up to date, and of good quality.
DUSA will prominently display at all locations where personal information is requested from individuals, a statement advising of the identity of DUSA, of DUSA’s compliance with the Privacy Act and advising how a person may initiate queries of DUSA in relation to personal information they believe is held by DUSA. This statement will advise of the availability of a more comprehensive statement addressing the requirements of NPP 1.3. Copies of this statement will be available at all DUSA locations and on the DUSA website.
Where practicable, DUSA will only obtain information about an individual from that individual. Where DUSA obtains information about an individual from a third party (such as Deakin University), DUSA will advise the individual that it possesses this information.
Where DUSA sources personal information about an individual from a third party, it will advise the individual of the matters referred to in National Privacy Principle 1.3 by the delivery to the individual of a statement similar to that attached.
DUSA may need to collect sensitive information or health information about an individual. DUSA will only collect that information if DUSA has obtained the individual’s consent or if DUSA is required by law to collect that information.
Use of information
Any personal information collected or generated by DUSA will be directly related to the functions and activities of the organisation and used only for relevant purposes as stated in the Constitution of DUSA.
DUSA will not release the personal or sensitive information it holds unless required or provided for by law, or with the consent of the individual to whom the information relates.
Any display by DUSA of a visual image of an individual (whether as a physical object or in a publication or on the DUSA website), together with the publication of other information that identifies that individual, or allows the identity of that individual to be reasonably ascertained, will require the consent of the individual.
Affiliated clubs are part of DUSA. Office-bearers of such Clubs are required to use personal information only as it is necessary for the functions and activities of DUSA.
DUSA, under provisions outlined in the Privacy Amendment (Public Sector) Act 2000, will allow an individual, upon request, to access the personal and sensitive information (if any) held about that individual. An individual’s rights to access, and DUSA’s rights to refuse access, are set out under National Privacy Principle 6, in the Privacy Act 1988.
DUSA requires that an individual seeking such information identify the required information as clearly as possible.
DUSA will deal with all requests for information in a reasonable and timely fashion. DUSA will provide reasons to an individual if an application for access or for correction of any personal information held is denied. DUSA may charge an administrative fee to cover its costs of providing access.
DUSA will endeavour to protect any personal or sensitive information from loss or misuse. This includes protecting it from unauthorised access, modification and disclosure.
Information may be stored as hardcopy documents or in electronic form. Only authorised users can access personal or sensitive information. Access will only be granted for approved purposes.
DUSA will maintain physical security over our paper and electronic stores and premises and appropriate security over electronic records.
Filing cabinets, safes and other repositories containing records of personal information will be locked. Staff will ensure that any paper records containing personal information are lodged in a locked repository before ceasing work for the day.
Irrelevant personal information or information about third persons will not be included in files.
To ensure that the personal information DUSA holds is accurate, complete and up to date, DUSA will periodically review its paper files and electronic databases to remove personal information that it no longer needs. Further, DUSA will correct any errors that an individual brings to its attention.
If DUSA does not correct any errors that an individual brings to its attention, DUSA will give the individual reasons for its refusal to do so. Upon an individual’s request, DUSA will attach a statement to the information acknowledging the individual’s claim that the information is inaccurate, incomplete and out-of-date. As with applications for access, DUSA may charge an administrative fee to correct personal information held by it.
DUSA will not give personal information to any other organisation to use for their marketing purposes.
DUSA will not disclose personal information to any other organisation except Deakin University. DUSA will only disclose personal information about an individual for the fulfilment of those purposes stated in the Constitution of DUSA unless DUSA has obtained the consent of the person to whom the information relates.
The Privacy Act 1988 also allows DUSA to disclose personal information for purposes related to public safety and law enforcement.
DUSA already holds personal information on individuals collected before the new privacy regime came into force.
DUSA will review personal information already held and destroy this information unless it is considered that this information is necessary for one or more of DUSA’s functions and activities.
Transborder data flows
DUSA will not transfer personal information about an individual to any other organisation or individual outside Australia unless the foreign country has similar laws with respect to individual privacy and such disclosure is necessary to fulfil its purposes as stated in the Constitution of DUSA.
Privacy enquiries and DUSA
DUSA will treat all privacy enquiries seriously and respond to them within two weeks.
If an individual believes that the privacy of their information has been compromised in any way they may lodge a complaint. Complaints can be lodged in person, or in writing to the: 'DUSA Privacy Officer'
The managers of each area will be responsible for the initial response to any privacy enquiries. If the Privacy Officer receives a complaint, s/he will pass the query on to the relevant manager.
A Privacy Officer will be appointed by DUSA to objectively and impartially investigate complaints if a complainant is unsatisfied with the initial internal complaints investigation, or with the time that has elapsed since his or her initial query.
Review of procedures and work instructions
DUSA managers will be responsible for reviewing all aspects of the operations of their area by 31 August each year to ensure compliance with this policy. Where necessary they shall make amendments to procedures and work instructions.