(1) This document sets out a framework for the protection of personal privacy and confidentiality consistent with the University’s obligations and commitment to protecting the privacy of all members of the University community.
(2) The University will act responsibly to collect, manage, use and disclose personal information in accordance with the Northern Territory Information Act 2002.
(3) This policy provides guidance and principles for the protection of personal privacy and information as required by the Information Act 2002 and other legislative instruments, including how to handle international responsibilities such as those under the European Union’s General Data Protection Regulation.
(4) All staff of the University and other members of the University community who are responsible for the collection, handling, storage, disposal and access to personal and confidential information must be aware of their responsibilities under the Information Act 2002. This policy also applies to those members of the University staff and community who incidentally collect such information as part of or outside their normal duties.
(5) The University will only collect personal information that is necessary for one or more of its functions or activities.
(6) The University will only collect personal information in a lawful, fair and not unreasonably intrusive way.
(7) When personal information is collected from an individual, the University will take reasonable steps to ensure that the individual is:
(8) If it is reasonable and practical to do so, the University will only collect personal information about an individual from that individual. If the University collects personal information about an individual from another person, it will take reasonable steps to ensure the individual is or has been made aware of the matters listed above unless making the individual aware of these matters would pose a serious threat to the life or health of a person.
(9) The University may use and disclose personal information only in the following instances, after a written note of the use or disclosure is made:
(10) The University will not transfer personal information about an individual to a person (other than the individual) outside the Northern Territory unless:
(11) The organisation has taken reasonable steps to ensure that the information will not be held, used or disclosed by the person to whom it is transferred, in a manner that is inconsistent with the Information Privacy Principles or Australian Privacy Principles.
(12) The University will ensure that any contracts with third parties where personal information may be transferred contain privacy clauses requiring compliance with the Information Act 2002 and the Information Privacy Principles and/or the Privacy Act 1988 and the Australian Privacy Principles.
(13) The University will take all reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, complete and up to date.
(14) The Notifiable Data Breach Scheme, as detailed in the Privacy Act 1988, requires regulated entities to notify affected individuals and the Australian Information Commissioner about the occurrence of eligible data breaches.
(15) As soon as possible after the breach has occurred, all suspected eligible data breaches must be referred to the University’s Privacy Officer for actioning and reporting as they deem appropriate.
(16) The University will protect all personal information it holds from misuse, loss, unauthorised access, modification or disclosure by:
(17) Security, integrity and accuracy of information is governed by the University’s Information and Communication Technologies Acceptable Use Policy, Information Security and Access Policy, and Records and Information Management Policy and Procedure.
(18) The University will take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose in accordance with the Retention and Disposal Schedules.
(19) Staff members, students, researchers, contractors and any other third party who collect, use or disclose personal information on behalf of the University have a responsibility to act consistently with the Information Privacy Principles and Australian Privacy Principles and to take appropriate measures to avoid a breach of confidence.
(20) Under the Higher Education Support Act 2003, it is an offence (punishable by fine or imprisonment) if a staff member of the University discloses, copies or records personal information otherwise than in the course of official employment, or causes unauthorised access to or modification of personal information held by the University.
(21) At any time during and after employment with the University, staff members must not use, divulge, copy or communicate any confidential information to any person without the University’s consent, regardless of whether the other person is an employee of the University or not, except as required in the ordinary performance of the staff member’s duties.
(22) Unauthorised access to personal information must be reported to the University’s Privacy Officer and, where relevant, to the responsible owner of the information system concerned. Failure to comply with this Policy may necessitate disciplinary action.
(23) University matters relating to individuals or non-public information must not be discussed, except where directly related to the staff member’s role, as this may constitute a breach of confidence and therefore misconduct.
(24) Users of the University’s Information and Communication Technologies (ICT) facilities are reminded that anything that is written or recorded is potentially subject to subpoena or Freedom of Information requests or other authorised access.
Inappropriate use of the University’s Information and Communication Technologies (ICT) facilities may be subject to disciplinary action.
(25) The General Data Protection Regulation (GDPR) is the privacy law of the European Union (EU) that took effect from 25 May 2018 and applies to all EU and European Economic Area (EEA) member states. It also applies to the United Kingdom post-Brexit, as the UK has retained the GDPR in UK law, where it will continue to be read alongside the Data Protection Act 2018 (UK).
(26) The GDPR covers the personal data of all natural persons within the EU/EEA and UK ("EU/EEA and UK data subjects"). The GDPR makes no distinctions based on an individual’s permanent place of residence or nationality. The GDPR applies to all such individuals' personal data.
(27) The GDPR also applies to the processing of personal data by data controllers or data processors who are not based in the EU/EEA and UK, where they process personal data of individuals in the EU/EEA and UK in connection with the offering of goods/services.
(28) EU/EEA and UK data subjects have additional rights under the GDPR, including that they are entitled (subject to the requirements and constraints of the GDPR) to:
(29) On the request of an individual, the University will take reasonable steps to inform the individual of the kind of personal information it holds, why it holds the information and how it collects, holds, uses and discloses the information.
(30) On the request of an individual, the University will provide access to their personal information, except to the extent that:
(31) However, where providing access would reveal evaluative information generated within the University in connection with a commercially sensitive decision-making process, the University may give the individual an explanation for the commercially sensitive decision rather than access to the decision.
(32) If the University holds personal information about an individual and the individual establishes that the information is not accurate, complete or up to date, the University will take reasonable steps to correct the information so that it is accurate, complete and up to date.
(33) If an individual and the University disagree about whether personal information about the individual held by the University is accurate, complete or up to date; and
(34) The University will provide reasons for refusing to provide access to or correct personal information.
(35) If an individual requests access to, or correction of, personal information held by the University, the University will, within a reasonable time:
(36) If the University charges a fee for providing access to personal information, the fee will not be excessive. Access and amendment requests should be directed to the University’s Privacy Officer.
(37) If the University corrects personal information that the University previously disclosed to another entity, and the individual requests the University to notify the other entity of the correction, the University will take such steps as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.
(38) The University will not collect sensitive information about an individual unless:
(39) However, the University may collect sensitive information about an individual if:
(40) Non-compliance with Governance Documents is considered a breach of the Code of Conduct – Staff or the Code of Conduct – Students, as applicable, and is treated seriously by the University. Reports of concerns about non-compliance will be managed in accordance with the applicable disciplinary procedures outlined in the Charles Darwin University and Union Enterprise Agreement 2022 and the Code of Conduct – Students.
(41) Complaints may be raised in accordance with the Code of Conduct – Staff and Code of Conduct – Students.
(42) All staff members have an individual responsibility to raise any suspicion, allegation or report of fraud or corruption in accordance with the Fraud and Corruption Control Policy and Whistleblower Reporting (Improper Conduct) Procedure.
Privacy and Confidentiality Policy
Section 1 - Preamble
Section 2 - Purpose
Section 3 - Scope
Section 4 - Policy
Collection of Personal Information
Trans-border Data Flows
Data Quality
Data Breaches
Information Security
Privacy and Confidentiality Obligations
Information and Communication Technologies Facilities
General Data Protection Regulation (GDPR)
Access and Correction
Notification of correction to third parties
Sensitive Information
Section 5 - Non-Compliance
This is the current version of this document.