Welcome to the University Policy Library.
If you are unable to find what you are looking for please use the 'search' function below.
Delegations of Authority Policy is the key document for who is responsible to exercise a delegation – Note: Policies and procedure documents may not reflect the current delegations. Please refer to the Delegations of Authority Policy to identify who the delegate is.
Privacy Policy
Purpose:
- We respect the privacy of the information of all individuals that provide their information to us or that we are otherwise required or permitted by law to collect. This Policy explains how we will manage that information and is to be read subject to any overriding provisions of law.
- The º¬Ðß²ÝÊÓƵ is a young University anchored in the national capital and works with government, business, and industry to serve our communities and nation. The º¬Ðß²ÝÊÓƵ challenges the status quo; always pursuing better ways to teach, learn, research, and add value – locally and internationally. Our purpose is to provide education which offers high quality transformative experiences; to engage in research which makes a difference to the world around us; and to contribute to the building of just, prosperous, healthy, and sustainable communities. The º¬Ðß²ÝÊÓƵ has recently established its long-term ambitions through its new decadal strategy: Connected. Through its three objectives (Connected to Canberra, Connected for life and Connected º¬Ðß²ÝÊÓƵ), the º¬Ðß²ÝÊÓƵ aims to build sustainable communities through deep collaborations that are locally focused and globally relevant, partner for life with our students to shape our economic, social and cultural futures.
Scope:
- This Policy applies to the personal information the University collects from and about individuals (your personal information), including staff and students of the University, affiliates, and any other person who interacts with the University in person or online (you).
- All members of University staff have a responsibility to carry out and abide by the principles and processes set out in this Policy.
- Except as set out in this Policy, other companies and organisations we associate with, including organisations whose services are in some way linked to us through online content or services (such as apps, social media platforms) do not have a responsibility to carry out and abide by the principles and processes set out in this Policy. You must refer to the relevant Privacy Policy of these other companies or organisations we associate with to understand how your personal information will be managed.
Principles:
What kind of personal information do we collect and hold?
Personal information – Students
Directly from you
Purposes for which we may collect, hold, use, and disclose your personal information
Generally
University website
Personal information – Students
- The types of personal information we may collect and hold include:
- your name, date of birth, address, phone numbers and email, and evidence of your identity
- other personal information provided when you seek student enrolment with us or after you commence studying with us including your photograph and visa status and information – we will comply with the Australian Privacy Principles in respect of this information.
- student records from our University, including information about your attendance at the Bruce Campus, your information that you provide to us when you use student services either online or in person, and when you complete assessment tasks and placements, and from other universities you have attended, if applicable
- banking and super details (if applicable), including credit or debit card, and tax details (including your TFN and ABN if applicable), noting there are additional legislative protections on collecting, using or disclosing TFN – for example we will comply with the Commonwealth Privacy Act 1998 requirements regarding a notifiable data breach in respect of a TFN.
- other personal information provided when you seek enrolment at childcare centre operated by us, including for example immunisation status and medical conditions
- internet protocol (IP) addresses, including via electronic signing platforms (for example, DocuSign)
- images of you taken on CCTV footage while on campus
- keystroke information
- your employment details (including your company name, job title and business sector) if applicable
- other personal information provided when you seek employment or placements with us or after you commence employment or placement with us (including your photograph) and payroll information
- personal information, including your name, image, likeness and audio testimonial obtained from background screening providers, electronic recruitment methods, and electronic assessment methods as part of your participation in courses of study and individual units, employment, due diligence or as relevant to a business relationship with us
- other personal information provided when you (or any entities that you represent or have a substantial beneficial ownership interest in) commence a business relationship with us if applicable
- contact and identification details of any third party that you have authorised to negotiate or provide your personal information on your behalf (including any attorneys appointed by you under a power of attorney)
- any correspondence between you and us, or
- any other personal information provided to us when you make an inquiry, request information, respond to marketing or lodge a complaint.
- The types of information we may collect and hold include:
- your name, date of birth, address, phone numbers and email, and evidence of your identity
- banking and super details, including credit or debit card, and tax details (including your TFN and ABN if applicable), noting there are additional legislative protections on collecting, using or disclosing TFN – for example we will comply with the Commonwealth Privacy Act 1998 requirements regarding a notifiable data breach in respect of a TFN.
- other personal information provided when you seek enrolment at childcare centre operated by us, including for example immunisation status and medical conditions
- internet protocol (IP) addresses, including via electronic signing platforms (for example, DocuSign)
- images of you taken on CCTV footage while on campus
- keystroke information
- your employment details (including your company name, job title and business sector) if applicable
- other personal information provided when you seek employment with us or after you commence employment with us (including your photograph) and payroll information
- personal information, including your name, image, likeness and audio testimonial obtained from background screening providers, electronic recruitment methods as part of your employment, due diligence or as relevant to a business relationship with us
- other personal information provided when you (or any entities that you represent or have a substantial beneficial ownership interest in) commence a business relationship with us if applicable
- contact and identification details of any third party that you have authorised to negotiate or provide your personal information on your behalf (including any attorneys appointed by you under a power of attorney)
- any correspondence between you and us, or
- any other personal information provided to us when you make an inquiry, request information, respond to marketing or lodge a complaint.
- The types of information we may collect and hold include:
- your name, date of birth, address, phone numbers and email, and evidence of your identity
- banking and super details (if applicable), including credit or debit card, and tax details (including your TFN and ABN if applicable), noting there are additional legislative protections on collecting, using or disclosing TFN – for example we will comply with the Commonwealth Privacy Act 1998 requirements regarding a notifiable data breach in respect of a TFN.
- other personal information provided when you seek enrolment at childcare centre operated by us, including for example immunisation status and medical conditions
- internet protocol (IP) addresses, including via electronic signing platforms (for example, DocuSign)
- images of you taken on CCTV footage while on campus
- keystroke information
- your employment details (including your company name, job title and business sector) if applicable
- personal information, including your name, image, likeness and audio testimonial obtained from background screening providers and electronic recruitment or procurement methods as part of your engagement or association with us, due diligence or as relevant to a business relationship with us
- other personal information provided when you (or any entities that you represent or have a substantial beneficial ownership interest in) commence a business relationship with us
- contact and identification details of any third party that you have authorised to negotiate or provide your personal information on your behalf (including any attorneys appointed by you under a power of attorney)
- any correspondence between you and us
- any other personal information provided to us when you make an inquiry, request information, respond to marketing or lodge a complaint, or
- other personal information provided when you seek employment or a contract with us or after you commence employment or your contract with us (including your photograph) and payroll information.
- For staff, students, and individuals other than staff and students, we may also collect and hold a special subset of personal information, sensitive information, such as:
- your racial or ethnic origins, or
- criminal record information obtained through our background screening processes before you commence, or during, your business or employment relationship with us.
- We only collect personal information when it is reasonably necessary or directly related to one of our functions or activities. We recommend that you do not provide sensitive information to us unless specifically requested by us. We will only collect your sensitive information if:
- you have expressly consented to us doing so
- the information is reasonably necessary for, or directly related to our activities or functions as set out in the º¬Ðß²ÝÊÓƵ Act. For example, collection of personal information to facilitate student and staff recruitment, performance, management, professional development and the identification of products and services that may be of interest
- we are required or permitted to do so by law, or
- a permitted health or general situation exists, including where it is unreasonable to get your consent and we are collecting the information to lessen or prevent a serious threat to the life, health, or safety of any individual, or to public health or safety.
- When we intend to collect personal information from children (i.e. people who are under the age of 16), where possible, we take additional steps to protect their privacy, including by:
- notifying parents or guardians about our information practices about children, including the types of personal information we may collect from children, the uses to which we may put that information, and whether and with whom we may share that information
- obtaining consent from parents or guardians for the collection of personal information from their children, or for sending information about our products and services directly to their children, and
- limiting our collection of personal information from children to no more than is reasonably necessary to participate in our services.
- Parents and guardians can exercise privacy rights on their children’s behalf, but we may need to verify that you are authorised to act on their behalf and collect additional information from you to do so.
- Parents and guardians for children who are under the age of 16 are not third parties for the purposes of this Policy.
Directly from you
- When possible, we try to collect personal information directly from you, for example when you:
- submit an application for enrolment to study with us
- ask for information or contact us through our website or by telephone
- write to us (such as letters, emails or social media)
- submit an assessment or some other material related to your study or research
- engage with online systems that support study or research
- respond to a survey
- provide your business card, or pre-employment documentation or other documents to us (such as contracts, public records or identification information for the purposes of confirming your identity), or
- meet with us in person.
- While we will generally collect personal information from you directly, sometimes we might get it from other parties (for example when we check references or pre-employment checks). The other parties we may need to obtain information from include:
- other government bodies, including law enforcement agencies
- organisations and companies, including from their websites or
- our contracted service providers and suppliers as part of our procurement processes.
- When we collect personal information from third parties you refer to us, we will assume that you have consented to that third party disclosing that information to us. We will only use and disclose such information provided to it for the purpose for which it was given and other purposes only in accordance with this policy.
- If you are a contracted service provider or a partner who gives us personal information about individuals such as your employees, directors or owners, we may also ask you to advise them of the purposes of our collection, use and disclosure of their information in line with this Policy or with a specific collection notice we give to you.
- If we receive unsolicited information about you, we will retain it (and use disclose or destroy it) in line with our obligations under the law, including the privacy laws and Territory Records Act 2002 (ACT).
Purposes for which we may collect, hold, use, and disclose your personal information
- We collect, use and disclose your personal information to enable us to provide the education, services, products and information you request, and when it is reasonably necessary to enable us to perform our functions and activities. We may also use or disclose your personal information for a secondary purpose which is directly related (where there is sensitive information) or related (for non-sensitive information) to the reason you provided the information in the first place, but only where you would reasonably expect us to use your information for that purpose. In particular, we may collect, use and disclose your personal information for the purposes of:
- your student or other (e.g. employment, business or alumni) relationship with us
- enabling you to register to gain access to the web tools and publications of the University or to attend an event with us
- student account management and administering records
- responding to your requests or enquiries and providing you with any publications, information or other services requested by you
- communicating with you during your tenure as a student or other relationship with us, including payment of invoices
- taking action in relation to suspected misconduct by you, or action in relation to a complaint made by you
- safety and security purposes, for example when you enter a University room with your swipe card
- assessing your application for employment
- complying with our obligations under law
- any other purpose which relates to or arises out of requests or complaints made by you
- doing anything which you authorise or consent to us doing, or
- when establishing or defending a legal or equitable claim, or participating in confidential dispute resolution processes or taking any other action, we are required or authorised by law to take.
- We can also use it for a secondary purpose where permitted by law, including the privacy laws.
- We will not sell, trade or rent your personal information.
- We may disclose your personal information to:
- other Territory, or Commonwealth or State Government bodies, or Registration Bodies, including to the Australian Taxation Office
- the º¬Ðß²ÝÊÓƵ College
- accommodation service providers for example a lodge, college or hall of residence
- publishers about the award of certain prizes and scholarships
- publishers and conference conveners and other similar entities about your research activities including your involvement in academic papers, presentations or academic conferences at or involving the University
- our partners and contracted service providers, including entities who supply to us data processing and other administrative and support functions and services, our website, electronic signing platforms, IT, marketing, administration and other services, and our professional advisers (for example, our insurers, auditors, lawyers and consultants)
- in respect of internet protocol (IP) addresses collected via electronic signing platforms (for example, DocuSign), the counterparties to a document being executed electronically by you
- any entity to whom we are required or authorised by law to disclose your information (for example, law enforcement agencies and government and regulatory authorities)
- with your consent (express or implied), other entities – for example other universities where necessary (such as cross-institutional exchange or recognition programs)
- anyone who represents you (for example your power of attorney, or in the case of a child at a childcare centre their guardian), or
- third parties we engage to carry out activities you have requested, or
- for direct marketing purposes (unless you have opted-out of direct marketing communications). You can opt out of receiving marketing material from the University by contacting the University via the contact details in paragraph 30.
- The above entities may in turn disclose your information to other entities as described in their respective privacy policies or notices.
- We will only use or disclose your personal information for another purpose if:
- you have consented to the use or disclosure of the relevant information, or
- requested, for example, when you graduate from the University (the record of your graduation from the University is a public document), or
- another exception applies (including where the use or disclosure is required or authorised under an Australian law or where a permitted general situation applies, such as where it is unreasonable or impracticable to obtain consent, and it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety).
- From time to time, we may engage contracted service providers or partners located overseas (including, but not limited to providers or partners located in Indonesia) to perform certain functions and activities. Generally, this information is provided for the purposes of global student recruitment or under collaboration agreements for student exchanges. While they are providing services to or partnering with us, we may need to disclose your personal information to these recipients. If your personal information is sent overseas, we will take reasonable steps to ensure that our contracted service providers and partners have policies, procedures and systems in place to ensure your personal information is handled in accordance with the Privacy Act and other applicable legislation.
- We are committed to protecting information we hold about you. We will (and we will require our contracted service providers to) take reasonable steps to protect your information (whether in physical or electronic form) from loss, misuse, unauthorised access, modification and/or disclosure.
- We may store your information in different forms, including in physical and electronic form, including using cloud-based storage services. We take steps to ensure the security of your personal information despite its form, including through our websites and service applications, but there is always some risk when transmitting information across the internet, including a risk that information sent to or from a website or other Internet of Things application may be intercepted, corrupted or modified by third parties.
- When your information is no longer required by law to be retained by us, we will take reasonable steps to destroy, delete or de-identify your information in a secure manner. The privacy laws and the Territory Records Act 2002 (ACT) are some examples of laws that may require us to retain certain information.
Generally
- It is important that the personal information we hold about you is complete, accurate, current and relevant. At any time while we hold your information, we may ask you to tell us of changes to your information. Alternatively, if you believe that any of the personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading and needs to be corrected or updated, please contact us (see the ‘Contact Us’ section below).
- We will respond to a request to access or correct your personal information within:
- any period prescribed by law, and
- otherwise within 30 days. If we cannot respond to you within 30 days, we will contact you and provide a reason for the delay and an expected timeframe for finalising your request.
- You may request to access or correct your personal information at any time by contacting us. We will give you access to the personal information unless an exception in the law, including the privacy laws, applies (or it is otherwise unlawful). Sometimes we may not be required to correct your personal information (for example, where it would be unlawful). Also, sometimes we may not be able to require our contracted service providers, partners or other third parties to give you access to the personal information they hold about you.
- If we do not give you access to your personal information and/or allow you to correct it, you can ask us to include with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
- If we do not correct your personal information, we will give you our reasons for our decision.
- While the first step to ask us to give you access to or correct information we hold about you is described in paragraphs 24 – 28 above, an alternative way is to lodge a formal application under the Freedom of Information Act 2016. For more information on how to lodge a FOI application please visit our FOI webpage /about-uc/contacts/freedom-of-information. There may be fees associated with FOI requests.
- If you have a complaint or otherwise wish to contact us about our handling of your information or any of the matter covered by this Policy, please contact:
- by post at: Privacy Officer, º¬Ðß²ÝÊÓƵ, 11 Kirinari Street, BRº¬Ðß²ÝÊÓƵE ACT 2601, Australian Capital Territory
- by email: privacy@canberra.edu.au
- by phone: +61 2 6201 5569
- by TTY: +61 2 6251 4601 (for hearing impaired callers)
- We welcome your questions and any suggestions you may have about our Policy. If you would like to lodge a formal complaint, we:
- ask that you lodge it in writing
- will acknowledge receipt of your complaint as soon as possible, and
- will then investigate the circumstances of the complaint and respond to you in a reasonable timeframe.
- If you are not satisfied with how we have handled your complaint, then you may escalate the complaint to the Office of the Australian Information Commissioner (OAIC) at:
- telephone: 1300 363 992 (if calling from outside Australia including Norfolk Island please call: +61 2 9284 9749)
- National Relay Service: through the Contact Us page on the OAIC
- website:
- post: Office of the Australian Information Commissioner, GPO Box 5218, SYDNEY NSW 2001
- fax: +61 2 9284 9666
- email: enquiries@oaic.gov.au
- website:
University website
- This Policy applies to your use of the University website – www.canberra.edu.au – and any personal information that you may provide to us via our website including our staff and student portals and any other subsites as part of the º¬Ðß²ÝÊÓƵ domain.
- We believe it is important for you to know how we treat this personal information and how we carry out data processing practices with the Internet and any other electronic communications networks.
- When you visit our website, we and/or our contracted service providers and partners may collect certain information about your visit. Examples of such information may include:
- cookies: cookies are small amounts of information which we may store on your computer (after you register on our website) to enable our server to collect certain information from your web browser. Cookies in themselves do not identify the individual user, just the computer used. Cookies and other similar technology make it easier for you to log on to and use the website during future visits. It also allows us to monitor website traffic, to identify you when you visit our website and to personalise the content of the website for you and to enable you to both carry out activities and have access to information about you. The data collected through cookies is used as a basis for targeting online advertising and allows us to personalise your advertising experience. We use third party advertiser cookies for remarketing to advertise online. Cookies themselves only record which areas of the site have been visited by the computer in question, and for how long. Allowing us to create a cookie does not give us access to the rest of your computer and we will not use cookies to track your online activity once you leave our site. Cookies are read only by the server that placed them, and are unable to execute any code or virus
- site visit information: we collect general information about your visit to our website; it may include your server address, the type of internet browser, the date and time of visit, and the pages accessed. We collect it not to use it to personally identify you. Instead, we aggregate it and use for system administration, to prepare statistics on the use of our website and to improve our website’s content and our services, and we may use it for marketing purposes, and
- visitation restricted for some sites: some of our web services are restricted by user log-in protocols. We ask you to use your University ID to access these sites (and collect this information from you) to help us keep the information on these sites secure from unauthorised alteration, use or disclosure, to resolve problems with our IT systems, and to keep an auditable record of who has accessed this information.
- Our website may contain links to other websites which are outside our control and are not covered by this Policy. Though we scrutinise the links that are included on the º¬Ðß²ÝÊÓƵ website, we do not endorse, approve or recommend the information, services or products provided on other websites. If you access other websites using the links provided, the operators of these websites may collect information from you which will be used by them in accordance with their policy framework which may differ from ours.
- By using our website, or giving us information, you consent to us managing your information in the way described in this Policy.
- We compile and categorise a list of our followers on social media platforms. We may also receive information from you on Social Media where you give it to us. Additionally we may also receive aggregate, non-personalised statistics on the University’s coverage in social media.Changes to this policy
- We may revise or supplement this Policy from time to time. Any updated version of this Policy will be posted on the University’s Policy Library accessible here and will be effective from the date of posting. You should bookmark and periodically review this page to ensure that you are familiar with the most current version of this Policy and so you are aware of the way we handle your information.
Responsibilities:
Who | Responsibilities |
Vice-Chancellor | Approval source of this Policy |
General Counsel | Policy Sponsor of this Policy |
Deputy General Counsel | Policy Custodian of this Policy |
Privacy Officer |
|
Staff and Affiliates | Collect, handle, store and destroy personal and sensitive information in accordance with this Policy. |
Individuals who provide personal information to us | Provide the University with correct personal and sensitive information. |
Legislation:
- The law deals with personal information, including sensitive information, differently from personal health information (see definitions below). Generally, the way we manage your personal including sensitive information is governed by:
- the Information Privacy Act 2014 (ACT) (Privacy Act), and
- the Territory Privacy Principles (TPPs) established under the Privacy Act.
- We also manage your personal information including sensitive information in compliance with other relevant legislation, including:
- the federal Privacy Act 1988, and
- Australian Privacy Principles (APPs) as required (e.g. under the Higher Education Support Act 2003 (Cth)).
- The way we manage your personal health information is governed by, and we will act in accordance with:
- the Health Records (Privacy and Access) Act 1997 (ACT) (HPRA Act), and
- the Health Privacy Principles (HPPs) established under that Act.
Definitions:
TERM | DEFINITION |
contracted service provider | means an entity or person engaged by us to provide services to the Australian Capital Territory or us, and includes their subcontractors. |
our partners | means our wholly or partly owned companies, including for example º¬Ðß²ÝÊÓƵX Ltd, other universities and other organisations that we partner with, including software and hosting service providers. |
personal health information | means information or an opinion about a consumer (or from which their identity is apparent) whether true or not, and whether recorded or otherwise, which relates to their health or an illness or disability of theirs. You are a consumer when you use, or have used, a ‘health service’ or a ‘health record’ about you has been created (as those terms are defined in the HPRA Act). |
privacy laws | mean the Privacy Act and the TPPs contained in the Privacy Act, the HPRA Act and the HPPs contained in the HPRA Act, and the Commonwealth Privacy Act 1998 in respect of Tax File Numbers (TFN) and as applicable under the Higher Education Support Act 2003 (Cth). |
reasonably necessary | means that the personal information is collected because it is required to perform a function or activity and the University could not properly undertake the function or activity without collecting the personal information. |
we, our or us | means the º¬Ðß²ÝÊÓƵ, including the Medical and Counselling Centre, Wiradjuri Preschool and Child Care Centre and Health Clinics, our controlled entities, Council members, employees (and those of controlled entities), volunteers, students on a placement facilitated by the º¬Ðß²ÝÊÓƵ, officers and agents and contracted service providers |
your personal information | means your personal information, including sensitive information, but excluding any personal health information. When we use ‘personal information’ and ‘sensitive information’, we use them in the same sense as the Privacy Act – in short:
|