The University's Privacy Management Plan

The requirements of section 33 of the Privacy and Personal Information Protection Act 1988 (NSW) to have a privacy management plan are set out in clause 8 of the University's Privacy Policy 2017.

This policy also:

  • states the University's commitment to protecting privacy, in compliance with its legal and regulatory obligations;
  • provides for the appropriate and compliance management of personal and health information; and
  • sets out the privacy responsibilities of the University, our staff, students and affiliates.

Supporting this policy is the Privacy Procedures 2018 which details how we manage the disclosure of the personal information that we hold.

NSW Privacy Laws

Two key laws in NSW govern the way the University handles personal information:

  • Privacy and Personal Information Protection Act 1988 (NSW) and
  • Health Records and Information Privacy Act 2002 (NSW)

The Privacy and Personal Information Protection Act 1988 (NSW) contains principles that govern the way we handle personal information, known as the Information Protection Principles. The Health Records and Information Privacy Act 2002 (NSW) contains principles that govern the way we handle health information, known as the Health Privacy Principles. The principles are collectively known as the Privacy Principles.

These principles set out legal obligations for the:

  • collection of personal and health information;
  • storage of personal and health information;
  • access and accuracy of personal and health information;
  • use of personal and health information; and
  • disclosure of personal and health information.

There are also additional Health Privacy Principles concerning:

  • the use of identifiers to protect identity;
  • the right to anonymity in receiving health services;
  • the flow of health information across the NSW border; and
  • the consent to link health records of an individual in a system.

Commonwealth Privacy law

We also have obligations under the Privacy Act 1988 (Cth) in relation to notifiable data breaches with respect to tax file numbers.