Privacy at Western Sydney University

Western Sydney University has legal obligations to individuals whose personal information it collects, stores, uses, discloses and destroys and the way in which it does this is detailed in the University’s Privacy Policy (opens in a new window) and the Privacy Management Plan (opens in a new window) (PMP).

The University’s privacy obligations primarily fall under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) and the Health Records and Information Privacy Act 2002 (NSW) (HRIPA). However the Privacy Act 1988 (Cth) also applies to the University in some respects, as do some foreign privacy regulations, such as the European Union General Data Protection Regulation 2016/679 (GDPR).

Privacy Management Plan

Under the PPIPA, the University is required to have a Privacy Management Plan (opens in a new window) and embraces this obligation as an exercise of good governance and transparency in the way in which the University collects and deals with the personal information of its staff, students, and other members of the University community.

The PMP applies to all personal information and health information, of any person, that has been collected or received by the University. All academic and organisational units of the University must collect, store, use and disclose personal or health information in accordance with the procedures set out in the PMP, or in other University policies and procedures (such as the Records and Archives Management Policy (opens in a new window)). The obligations of the University extend to third parties who handle personal information on its behalf, including volunteers, contractors and other organisations engaged by the University.

The PMP also applies to the University’s controlled entities, which currently include Western Sydney University Enterprises Pty Ltd, Western Sydney University Early Learning Ltd, Whitlam Institute within Western Sydney University Ltd, Western Growth Development (Parramatta Innovation Hub) Pty Ltd and Western Growth Development (Westmead) Pty Ltd.

The PMP sets out in detail the way in which the University collects, uses, stores, secures, discloses and destroys personal information and health information. It also provides information about how a person can access their personal information and how to make complaints about privacy matters.

The Privacy Policy and Privacy Management Plan can be found in Policy DDS (opens in a new window).

Privacy Impact Assessments (PIAs)

The PMP also sets out the University’s obligations to assess the potential privacy impacts of any new or revised projects, be they technology or digital systems, products, services, programs and/or initiatives. A Privacy Impact Assessment (PIA) is a risk assessment tool that identifies the impact that the technology or project may have on the privacy of individuals and for identifying and evaluating solutions to mitigate privacy risks.

PIAs must be undertaken for any new or revised project or process which has the potential to impact on the collection, storage, access to, use or destruction of personal information, or when making changes to existing ways of handling personal information. If you manage or are responsible for a new or revised project, it is your responsibility to comply with the Privacy Impact Assessment Procedures (opens in a new window). Steps that support completing a PIA are covered in these documents:

1. Privacy Impact Threshold Assessment (opens in a new window)
2. How to Complete a Privacy Impact Assessment (opens in a new window)
3. Privacy Impact Assessment Report Template (opens in a new window)

FAQS - common privacy issues

Here are some of the commonly asked privacy questions that occur at the University.

Expand all

Privacy Officer

The University's privacy contact point is the Privacy Officer. The Privacy Officer helps to create a privacy compliant culture at the University, and:

• assists with inquiries about how personal information can and cannot be used by the University;
• gives advice when requested about whether personal information can be disclosed, including in emergency situations;
• receives requests about disclosure of information to law enforcement, government or other organisations when the University is compelled to do so;
• manages complaints about the conduct of the University in relation to privacy matters;
• manages privacy breaches made by or on behalf of the University;
• reviews the University’s Privacy Policy and Privacy Management Plan as required.

The University’s Privacy Officer can be contacted as follows:

By phone:      (02) 4570-1428
By email:       privacy@westernsydney.edu.au

Reporting potential privacy breaches

If any person is concerned about a potential or verified breach of the University's Privacy Policy (opens in a new window) or privacy laws, they should contact the University’s Privacy Officer without delay.

Privacy complaints

The Privacy Officer will investigate complaints from individuals about the way in which the University handles their personal or health information. Complaints can be made by making a request for an Internal Review. All complaints are investigated in accordance with the procedures outlined in the Privacy Management Plan (opens in a new window).

A person may also contact the NSW Information and Privacy Commissioner (IPC) to make a complaint at www.ipc.nsw.gov.au (opens in a new window). Please be aware that the IPC will usually refer matters back to be handled internally by the University.

For further information, download an Internal Review application form (PDF, 43.49 KB) (opens in a new window) or you may review the Privacy NSW Internal Review Checklist (opens in a new window).

Contact the University’s Privacy Officer for more information.

Privacy training

The University’s privacy training program is mandatory for staff, researchers, contractors and staff of the University's controlled entities.  University staff must complete the training module via MyCareer Online. Others, such as researchers, contractors and entity staff who do not have access to Staff Online, must complete the training via vUWS.

The Privacy Officer can also provide tailored training to ensure a privacy compliant culture. Any staff requiring additional training should contact the Privacy Officer.

Other privacy related policies and documents

Other University policies and documents relevant to privacy include:

• Acceptable Use of Digital Services Policy (opens in a new window);
• Consent to Release Personal or Health Information to Third Parties (Students) (opens in a new window);
• Consent to Release Personal or Health Information (Staff) (opens in a new window);
• Cyber Security Policy (opens in a new window):
• Death Response Policy (opens in a new window);
• Digital Information Security Policy (opens in a new window);
• Digital Services Implementation Policy (opens in a new window);
• Information about Health Privacy for Students Undertaking Clinical Experience (or Other Placement) in the Health Sector (opens in a new window);
• Records and Archives Management Policy (opens in a new window);
• Research Code of Practice (opens in a new window);
• Research Data Management Policy (opens in a new window);
• Student Declaration (opens in a new window);
• Workplace Surveillance Policy (opens in a new window).