1.1 This Policy has been developed to ensure compliance by Campion College, its employees and others with legislation including the Privacy Act 1988 (Cth), and that appropriate systems are put in place and maintained to ensure ongoing compliance with privacy laws.
1.2 This document outlines Campion College’s principles for protecting the privacy of personal information that it holds about its staff and students, and those who interact with the College.
disclosure refers to release of personal information out of the effective control of the College (that is, to a body, agency or person separate from the College).
health information means information or an opinion about:
(a) the health or a disability (at any time) of an individual; or
(b) an individual’s expressed wishes about the future provision of health services to him or her; or
(c) health service provided, or to be provided, to an individual;
that is also personal information.
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
staff includes the College’s officers, employees, contractors and volunteers.
3.1 This policy applies to all staff, students, and other stakeholders of Campion College.
4.1 Campion College recognises that staff and students, both past and present, and other clients and individuals having links to the College, have a legitimate expectation that the College will protect and appropriately manage the personal information it collects and holds about them.
4.2 Campion recognises that, in collecting, storing, and using information about staff, students, and clients, it has obligations for the protection of personal privacy. The College is committed to:
- Complying with privacy legislation requirements; and
- Ensuring that the College’s officers, employees, contractors and volunteers understand Campion’s, and their own, rights and responsibilities in relation to privacy matters.
4.3 Note that College officers, employees, contractors and volunteers are responsible for ensuring their own work practices comply with this Policy and any related Procedures. A breach of this Policy may constitute misconduct and be subject to disciplinary action, or a breach of contract.
5.1. Collection of personal information
5.1.1 The College will not collect personal information by unlawful, unfair or intrusive means. Personal information will only be collected by the College for inclusion in its records or publications where:
- It is collected for a lawful purpose relating to a function or activity of the College;
- The information is relevant to the purpose of collection; and
- The information is as up-to-date and complete as can reasonably be expected.
5.1.2 The College will collect and hold personal and health information such as name, date of birth, contact details, next of kin and emergency contact details, tax file number, visa and/or passport details, health information (if required), information about educational history or work experience and academic records.
5.1.3 The College may also collect personal information and other data from you through the use of a cookie or other automated means including server logs. A cookie is a packet of data that a website puts on your computer’s hard disk to identify you as a visitor to that website. The information collected by the College through cookies and other means may include your server address, your domain name, your IP address, the date and time of your visit, the pages accessed and documents downloaded, the previous site visited and the type of browser you used. You may choose to disallow cookies through your web browser settings.
5.2. Access to personal information records
5.2.1 A significant means of protecting personal privacy within the College is by ensuring that individual staff access personal information records (whether in physical files or computerised formats) only where there is a legitimate need to do so, and only to the extent required to perform the staff member’s duties.
5.2.2 Management of access to personal information records is a responsibility of the College Executive. Access to personal information in information systems should be granted on the “least privilege principle”, so that rights to modify personal information are granted with particular care. Systems and processes should be in place to revoke access that is no longer required, for example, in the case of a change in position or formal responsibilities or termination of employment.
5.3. Security of personal information
5.3.1 The College has a responsibility to implement procedures to protect the security of personal information, to prevent loss and unauthorised access, use, modification, disclosure or any other misuse of such information. Care must be taken to ensure secure and confidential destruction of records containing personal information.
5.3.2 All staff must take responsibility for IT security, as this is an integral means of protecting personal privacy. Individual user responsibilities relating to security are outlined in the Policy on Acceptable Use of Information Technology Facilities.
5.3.3 Personal information records held in physical files must be secured. Care should be taken by all staff handling physical files to ensure that storage facilities are locked when not in use and that work areas are also adequately secured.
5.4. Use of personal information records
5.4.1 Personal information should only be used in circumstances where it is relevant, and provided that it is used only for the purpose for which it has been collected or a directly related purpose. Staff must not disclose personal information outside the College except as specified in this policy, including to cross-border parties. The main purposes for which the College will collect, hold, use and disclose personal information are:
- To identify and verify identities;
- To communicate about services, activities, events or matters relevant to the College’s mission as a Catholic higher education institution;
- To provide services, including:
  - processing applications and/or enrolments;
  - processes relating to College residential accommodation; and
  - processing of payments;
- To help improve services;
- To manage health and safety situations (if required); and
- For any other purpose that has been consented to.
5.4.2 Where the College has express or implied consent, or where otherwise permitted by law, it may use personal information to send information about its services, as well as other information by mail, email, SMS, telephone, or other online communication platforms. Individuals receiving information may opt out at any time by contacting the College (see section 5.8 below).
5.5. Exceptions relating to the disclosure of personal information
5.5.1 Personal information may be disclosed where the individual concerned has expressly consented to that disclosure or where individuals have been informed of the usual practices for disclosure. Disclosure of personal information may also be permitted where:
- disclosure is necessary to prevent or lessen an imminent and serious threat to a person’s life or health;
- disclosure is required by law (e.g. requirements to provide information to the ATO, TEQSA or the Department of Education and Training);
- disclosure is necessary for enforcement of criminal or other laws imposing penalties such as fines.
5.6. Register of graduates
5.6.1 Privacy principles do not apply to material which is maintained on a public register, which includes the register of graduates. A graduate’s name, the degree conferred and the date of conferral are available to any member of the public upon request.
5.7. Access to and amendment of an individual’s own record
5.7.1 An individual is generally entitled to have access to the personal information which the College holds about them, and to amend it where it is inaccurate, incomplete, out-of-date or misleading. An employee should also be advised of any adverse reports or documents relating to performance placed on his/her individual record. Requests to access records will be responded to as soon as is reasonably possible, and the response may be to advise that access is not possible (such as when the information is no longer held or used).
6. Roles and Responsibilities
6.1 It is the responsibility of all staff to respect personal privacy in so far as they collect, access or use personal information in the course of their duties, and to comply with the specific requirements of this policy. The Director of Operations has general responsibility for privacy management.
7.1 Australian Information Commissioner Act 2010 (Cth) (‘AIC Act’)
7.2 Freedom of Information Act 1982 (Cth) (‘FOI Act’)
7.3 Privacy Act 1988 (Cth)
7.4 Health Records and Information Protection Act 2002 (NSW) (‘HRAIPA’)