
Privacy Policy

This is the current version of the approved document.

Section 1 - Purpose and Scope

(1) The University of Queensland (UQ) is committed to the fair collection, handling and management of all personal information in accordance with its privacy obligations.

(2) UQ’s privacy obligations primarily arise under the Information Privacy Act 2009 (Qld) (IP Act), including the Queensland Privacy Principles (QPPs). UQ may also have privacy obligations arising under:

  1. the Privacy Act 1988 (Cth); for example, UQ has obligations under this act in relation to dealings with tax file numbers
  2. contracts; for example, where UQ contracts with government agencies at a federal level and agrees to be bound by the requirements of the Privacy Act 1988 (Cth)
  3. international jurisdictions; for example, where UQ seeks to process personal data of individuals in other countries, UQ may need to comply with the requirements of their information protection regimes, e.g. the European Union’s General Data Protection Regulation.

(3) UQ recognises every individual’s right to privacy and is committed to the management of personal information in accordance with its privacy obligations.

(4) In recognition of those commitments, UQ will:

  1. implement policies (including this Policy) detailing how the University manages personal information
  2. publish these policies on the University’s website (refer to the Policy and Procedure Library)
  3. have appropriate practices, procedures and systems in place to manage enquiries, breaches and complaints regarding the University’s compliance with its privacy obligations.

(5) This Policy:

  1. applies to all UQ staff
  2. does not apply to the controlled entities of the University. Boards of those entities must implement their own privacy policy, consistent with their legal obligations.

Section 2 - Principles and Key Requirements

Collection of personal information

Solicited personal information

(6) UQ collects and holds a wide variety of personal information. The types of personal information that the University collects and holds are published in the Personal Information Register.

(7) UQ will only collect personal information (other than sensitive information) when the information is reasonably necessary for, or directly related to, one or more of its functions or activities, including functions set out under section 5 of the University of Queensland Act 1998 (Qld) and other legislation.

(8) UQ will only collect sensitive information (as defined in the IP Act and distinct from UQ’s Information Security Classification Procedure) about an individual if:

  1. they consent, and the information is reasonably necessary for, or directly related to, one or more of UQ’s functions or activities; or
  2. one of the below conditions applies:
    1. The collection is required or authorised by an Australian law, or a court or tribunal order.
    2. It is unreasonable or impracticable to obtain their consent and UQ reasonably believes that collecting the information is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety.
    3. UQ has reason to suspect that unlawful activity or misconduct of a serious nature relating to its functions or activities has been, is being or may be engaged in, and reasonably believes collecting this information is necessary in order to take appropriate action in relation to the matter.
    4. UQ reasonably believes that collection of the information is reasonably necessary to assist an entity to locate a person who has been reported as missing, and the collection complies with relevant guidelines published under Chapter 3 Part 2 of the IP Act.
    5. The collection is reasonably necessary for the establishment, exercise, or defence of a legal or equitable claim.
    6. The collection is reasonably necessary for the purposes of a confidential alternative dispute resolution process.

(9) UQ will collect personal information only by lawful and fair means. Generally, UQ will collect personal information directly from the individual it is about. However, UQ may collect an individual’s personal information from someone else if:

  1. the individual it is about consents to the collection; or
  2. it is unreasonable or impracticable to collect the information from the individual it is about; or
  3. the collection is required or authorised under an Australian law, or a court or tribunal order.

Unsolicited personal information

(10) If UQ receives personal information that it did not ask for, the University must, within a reasonable period, decide whether or not it could have collected the information as if UQ had asked for it. In making this decision, UQ may use or disclose the unsolicited personal information.

(11) If UQ decides that the personal information could have been collected in accordance with clauses 6 to 9 above (as applicable) if UQ had asked for it, the information will be managed in accordance with this Policy, as if UQ had solicited the information.

(12) If UQ decides that it could not have collected the personal information in accordance with clauses 6 to 9 above (as applicable) if UQ had asked for it, and the information is not contained in a public record, UQ will, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.

Anonymity and pseudonymity

(13) Where possible, UQ will enable individuals to engage with the University anonymously or by using a pseudonym (e.g. a nickname or screen-name). Circumstances where this is not possible include where:

  1. UQ is required or authorised under an Australian law, or a court or tribunal order, to deal with individuals who have identified themselves
  2. it is impracticable for UQ to deal with individuals who have not identified themselves or have used a pseudonym. For example, in relation to:
    1. applications for admission to, or employment at, UQ
    2. the provision of services to individuals by any of UQ’s clinics
    3. discussing, or giving access to, personal information with the individual the information is about
    4. certain types of complaints (e.g. privacy complaints).

Notification regarding collection of personal information

Collection from an individual

(14) When collecting personal information about an individual, UQ will take steps that are reasonable in the circumstances to either notify the individual of, or otherwise ensure that the individual is aware of:

  1. the identity and contact details of UQ as the collecting agency
  2. the purpose for the collection of the information
  3. the consequences, if any, if UQ is unable to collect the personal information
  4. if applicable, the fact that collection of the personal information is required or authorised under an Australian law, or a court or tribunal order (including the name of the relevant law or details relating to the order)
  5. the names of any third parties, or the kinds of third parties, to which UQ usually discloses that type of personal information
  6. UQ’s Privacy Policy (this Policy), which explains how an individual can access or amend that individual’s personal information and how to make a complaint if an individual believes that UQ has breached their privacy
  7. whether UQ is likely to disclose personal information to recipients outside of Australia and, if so, the countries in which the recipients are likely to be located (if practicable to state those countries), or otherwise make the individual the personal information is about aware of them.

Collection from a third party

(15) In addition to the matters outlined in clause 14, if UQ collects personal information from someone other than the individual it is about (or the individual may not be aware that UQ has collected the information), UQ will also take reasonable steps to either notify the individual of, or otherwise ensure that the individual is aware of, the fact that UQ collects (or has collected) the information, and the circumstances of that collection.

Use and disclosure of personal information

(16) Where UQ has collected an individual’s personal information for a particular purpose, it will only use or disclose that personal information for a different purpose if:

  1. the individual consents
  2. the individual would reasonably expect UQ to use or disclose the information for the other purpose and:
    1. if the information is sensitive information, the other purpose is directly related to the purpose for which the information was collected; or
    2. if the information is not sensitive information, the other purpose is related to the purpose for which the information was collected.
  3. the use or disclosure is required or authorised by an Australian law, or a court or tribunal order
  4. it is unreasonable or impracticable to obtain the individual’s consent and UQ reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety
  5. UQ has reason to suspect unlawful activity or misconduct of a serious nature relating to its functions or activities has been, is being or may be engaged in, and reasonably believes that the use or disclosure is necessary in order to take appropriate action in relation to the matter
  6. the use or disclosure is reasonably necessary for the establishment, exercise, or defence of a legal or equitable claim
  7. the use or disclosure is reasonably necessary for the purposes of a confidential alternative dispute resolution process
  8. UQ reasonably believes that the use or disclosure is reasonably necessary for one or more enforcement-related activities conducted by a law enforcement agency
  9. UQ reasonably believes that the use or disclosure is reasonably necessary to assist an entity to locate a person who has been reported as missing and the collection complies with relevant guidelines published under Chapter 3 Part 2 of the IP Act
  10. the use or disclosure is permitted under QPP 6.2(f) in relation to a request from ASIO
  11. the use or disclosure is permitted under QPP 6.2(g) for research or statistical purposes.

(17) See UQ’s Personal Information Register for more information about UQ’s use and disclosure of personal information.

Quality and security of collected information

(18) UQ will take reasonable steps to ensure that the personal information:

  1. it collects is accurate, up-to-date and complete; and
  2. it holds is protected from misuse, interference or loss, and from unauthorised access, modification or disclosure.

(19) UQ may engage service providers to provide services to the University in relation to its statutory functions. Where a service provider will, in any way, deal with personal information for or on behalf of UQ, UQ will take all reasonable steps to ensure the service provider is a bound contracted service provider for the purposes of the IP Act.

(20) If UQ holds personal information which is no longer needed for a purpose for which the information may be used or disclosed under the QPPs, UQ will take reasonable steps to destroy or de-identify the information, unless:

  1. the information is contained in a public record
  2. the information is required to be retained under an Australian law or a court or tribunal order.

Disclosure outside Australia

(21) Occasionally, UQ may disclose an individual’s personal information outside of Australia. However, UQ will only do this if any of the below apply:

  1. the individual agrees
  2. the disclosure is authorised or required under a law
  3. UQ is satisfied on reasonable grounds that the disclosure is necessary to lessen or prevent a serious threat to the life, health, safety or welfare of an individual or to public health, safety or welfare
  4. the disclosure is otherwise permitted under Chapter 2 Part 2 of the IP Act.

Access to and correction of personal information

(22) There are a number of ways that an individual can access or amend the personal information that UQ holds about them.

(23) In the first instance, an individual can:

  1. Contact the relevant organisational unit at UQ, who will advise them as to whether they can comply with the request, and any special requirements.
  2. Make a request under one of UQ’s administrative access schemes (see Access to and Amendment of UQ Documents Procedure).

(24) Under the Right to Information Act 2009 (Qld), an individual can also make a formal application to:

  1. access documents that contain their personal information
  2. amend documents that contain their personal information if they consider the information to be inaccurate, incomplete, out-of-date or misleading.

(25) Further information about accessing or amending the personal information UQ holds about an individual is available on UQ’s website.

Privacy breaches

(26) A privacy breach occurs when UQ fails to manage an individual’s personal information consistent with its privacy obligations. All privacy breaches must be reported to UQ’s Privacy Officer.

(27) A privacy breach may also constitute a data breach. Data breaches are managed in accordance with UQ’s Data Breach Policy.

Privacy complaints

(28) If an individual believes that UQ has not managed their personal information in accordance with its privacy obligations, they may make a complaint.

(29) To make a privacy complaint, an individual must submit a complaint in writing. This can be done:

  1. through UQ’s privacy website
  2. by email to privacy@uq.edu.au
  3. through UQ’s Complaints Management System
  4. in hardcopy for the attention of a Privacy Officer.

(30) UQ will treat all complaints confidentially and protect personal information of the complainant subject to any use or disclosure for the purposes of dealing with a complaint or as required, authorised or permitted by law.

(31) If an individual is dissatisfied with the outcome of their complaint, or does not receive notification of the outcome of their complaint within 45 business days, they may refer the complaint to the Office of the Information Commissioner.

Privacy Impact Assessments

(32) UQ Staff may undertake a privacy impact assessment to identify and mitigate potential privacy risks associated with the collection, use, sharing and maintenance of personal data.

(33) When proposing new or changed services or processes that will handle personal information, UQ may undertake a privacy impact assessment in accordance with the:

  1. Data Handling Procedure
  2. Information Governance and Management Framework.

Section 3 - Roles, Responsibilities and Accountabilities

Vice-Chancellor

(34) The Vice-Chancellor is ultimately accountable for ensuring the University meets its privacy obligations and does this through oversight of the application of policies and procedures designed to satisfy those obligations through regular reporting mechanisms.

UQ Staff

(35) UQ staff are responsible for ensuring that personal information is managed in accordance with UQ’s privacy obligations, including:

  1. exercising due care and concern when handling or using personal information obtained in the exercise of their duties, including complying with the requirements of this Policy and the Data Breach Policy; and
  2. promptly notifying a UQ Privacy Officer of actual or suspected breaches of UQ’s privacy obligations
  3. where applicable, processing of and response to applications to access or amend personal information as provided by UQ’s Access to and Amendment of UQ Documents Procedure.

Chief Operating Officer

(36) The Chief Operating Officer is accountable for:

  1. overseeing and ensuring UQ’s privacy compliance, including guiding the response to high-risk breaches and eligible data breaches
  2. developing, implementing, and maintaining privacy policies and procedures to ensure that UQ can demonstrate compliance with applicable laws and regulatory requirements
  3. ensuring that UQ has appropriate controls in place to demonstrate compliance with its privacy obligations
  4. reporting to the Senate Risk and Audit Committee and University Senior Executive Team with respect to the University’s compliance with this Policy
  5. ensuring UQ staff have access to appropriate training materials and resources in relation to privacy compliance.

Privacy Officer

(37) A Privacy Officer is responsible for:

  1. providing advice and support, to UQ Staff and the broader community, in relation to UQ’s management of its privacy obligations
  2. participating in UQ’s processing of and response to privacy complaints
  3. participating in UQ’s response to actual or suspected breaches of the QPPs and data breaches, consistent with their role identified in the Data Breach Policy
  4. supporting Information Stewards and organisational units in the completion of privacy impact assessments.

Governance and Policy

(38) The Governance and Policy unit is responsible for:

  1. providing advice and support, to UQ staff and the broader community, in relation to access to and amendment of personal information held by the University
  2. processing of and response to applications to access or amend personal information as provided by the Access to and Amendment of UQ Documents Procedure.

Section 4 - Monitoring, Review and Assurance

(39) Monitoring of the effectiveness of this Policy will be undertaken by way of:

  1. collation and analysis of relevant data.
    For example, this might include statistics relating to how many times the Policy has been accessed, training provided in relation to the Policy, notifications made by staff having regard to the requirements of the Policy, complaints and the occurrence of breaches of UQ’s privacy obligations.
  2. feedback from users of the Policy (either internal or external).

(40) UQ has established a range of measures to enable it to manage its privacy obligations including:

  1. mandatory staff training on UQ’s privacy obligations
  2. internal resources to help staff to identify and manage privacy obligations.

(41) UQ has a privacy obligation to report eligible data breaches to the Office of the Information Commissioner. This reporting will occur consistent with UQ’s Data Breach Policy.

(42) The Chief Operating Officer is responsible for ensuring that this Policy is regularly reviewed, particularly having regard to issues being identified through regular monitoring and reporting.

(43) Assurance activities will be undertaken:

  1. through quarterly reporting by the Chief Operating Officer to the University Senior Executive Team and the Senate Risk and Audit Committee as outlined in this Policy
  2. through monitoring compliance with the Policy by the policy owner
  3. as required by UQ’s Internal Audit function to consider the effectiveness of this Policy and controls established to support it.

Section 5 - Appendix

Definitions

Defined Term: Meaning

Data breach: As defined in the IP Act is where, in relation to information held by UQ, there has been either:

- unauthorised access to, or unauthorised disclosure of, the information; or
- the loss of the information in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur.

Disclosure: As defined in the IP Act is where UQ:

- gives personal information to an entity who does not know the personal information and is not in a position to be able to find it out; and
- ceases to have control over who will know the personal information in the future.

Eligible data breach: As defined in the IP Act is a data breach where personal information held by UQ is:

- accessed or disclosed without authorisation and this is likely to result in serious harm to the individual that it relates to; or
- lost, and unauthorised access or disclosure is likely, and this is likely to result in serious harm to the individual that it relates to.

IP Act: The Information Privacy Act 2009 (Qld).

Personal information: As defined in the IP Act to be information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion:

- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.

Privacy obligations: The range of privacy laws that apply to the University including:

- the IP Act
- the Privacy Act 1988 (Cth)
- the European Union’s General Data Protection Regulation (GDPR).

Privacy Officer: The UQ staff who have day-to-day responsibility for the management of privacy matters, including privacy complaints.

QPPs: Queensland Privacy Principles as set out in Schedule 3 of the IP Act.

RTI Act: The Right to Information Act 2009 (Qld).

Sensitive information: As defined in the IP Act to mean, for an individual:

- information or an opinion, that is also personal information, about the individual’s:
    • racial or ethnic origin; or
    • political opinions; or
    • membership of a political association; or
    • religious beliefs or affiliations; or
    • philosophical beliefs; or
    • membership of a professional or trade association; or
    • membership of a trade union; or
    • sexual orientation or practices; or
    • criminal record;
- health information about the individual;
- genetic information about the individual that is not otherwise health information;
- biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
- biometric templates.

UQ / the University: The University of Queensland.

UQ Staff: Includes:

- members of the UQ Senate
- all UQ employees, including continuing, fixed-term, research (contingent funded) and casual employees
- persons acting in an honorary or voluntary capacity for or at UQ, including work experience students
- affiliates.

Use: As defined in the IP Act to include where the University:

- manipulates, searches or otherwise deals with personal information; or
- takes the personal information into account in the making of a decision; or
- transfers the personal information between UQ business units which have different functions,

but does not include the action of disclosing the personal information to another entity.