Privacy FAQs

Commonly asked privacy questions that occur at the University

Why does the University collect personal information and what does it do with it?

The University is a public institution engaged in teaching, research, community service and engagement. In order to perform its functions, the University needs to collect, hold, use and manage the personal information of people who work or study here and/or access services. This includes students, staff, alumni and other members of the University community such as visitors. Examples of why the University needs to collect personal information are set out in detail in the Privacy Management Plan.

Once personal information is collected from a person, the University must store, use, disclose and destroy that information in accordance with privacy laws. For more information, please refer to the Privacy Management Plan (opens in a new window).

How do the University’s privacy requirements interact with technology?

While technology continues to rapidly evolve the way businesses operate, the University still must ensure that its processes comply with privacy laws. The University has policies in place about data storage, information technology security and systems approval and implementation to ensure it complies with the regulatory framework regarding data security. This includes arrangements involving the transfer of data outside New South Wales for cloud storage or other purposes. For more information, please refer to the Privacy Management Plan (opens in a new window).

If a police officer or government agency calls and asks for personal information that the University might hold, what should I do?

The University often receives telephone and written inquiries from law enforcement and government agencies seeking personal information, about students and staff members for example. This includes for criminal investigation or inquiries by Centrelink or the Australian Taxation Office. The University does not provide personal information unless the University is required by law to disclose it, or there is an appropriate exemption under privacy laws. Any requests should be referred immediately to the Privacy Officer (opens in a new window) or the Office of General Counsel (opens in a new window).

I am a student and I want to access and/or amend the personal information the University has about me, but I can't access it through my email or MySR. What do I do?

You can apply to inspect and/or amend your student record (excluding records held by Equity, Safety and Wellbeing) either:

1.  by writing, from your student email account (opens in a new window), to the Senior Manager Completion, Enrolment and Load Data or

2. with proof of identity, in person at Student Services Hub (opens in a new window) (which are the University’s face-to-face contact service points for students).

If you want to access the information held by any of the student support services, you should put your request in writing to Student Wellbeing Services (opens in a new window).

Please note that you may be asked to verify your identity before you are granted access.

How does the University know that the information it holds is up-to-date and still relevant?

The University must take steps to ensure the accuracy of the personal information it uses, and that the information is relevant, accurate, up to date, complete and not misleading.

If your personal details change, you need to update them. Usually, you can do this yourself in MySR or Staff Online. For anything that you can't change online, such as your tax file number, contact either Student Services Hub (opens in a new window) or the WesternNow portal (opens in a new window) for assistance.

What is the difference between use and disclosure?

“Use” of personal information means using it for a purpose related to the University’s functions, such as enrolment of students. “Disclosure” of personal information usually means providing it to another person or organisation. The distinction between the two can be blurred for the University.

In most cases, it is not “disclosure” of personal information if one organisational unit within the University provides or grants access to another organisational unit, as long as this is done for the purpose for which the information was collected in the first place, or to enable students or staff to access services offered by the University. Examples include the Graduations Unit using a student’s enrolment records to verify they are eligible to graduate.

There are also exemptions in privacy laws relating to disclosure of personal information, including if there is a serious and imminent threat to a person’s life or health, or where police need to investigate a crime.

For more information about how the University handles disclosure, please refer to the Privacy Management Plan (opens in a new window) or contact the Privacy Officer (opens in a new window) for more information.

How is health information different to personal information?

Health information is a form of personal information that is dealt with under separate privacy legislation to other personal information. Health information can include information about a person’s physical or mental health, disability, the health services provided to them, or the person’s wishes about health services they want to receive in the future. It also includes personal information collected as part of a health service, including organ donation, genetic information, and numbers assigned to an individual in relation to health information.

There are some differences to ways that health information is treated and this is explained in more detail in the Privacy Management Plan (opens in a new window).

Is live streaming of graduation ceremonies a disclosure of personal information?

No. Graduation ceremonies are attended by members of the general public invited by graduands and are considered public events. These are live streamed through the University’s website and can be viewed by people worldwide, which enables families of international students to enjoy the ceremony from overseas.

Why does my personal information appear in the Award Verification Service?

The University’s Award Verification Service is a public facing database that has basic information about graduates of Western Sydney University. In the context of privacy laws, it is a public register, and its purpose is to protect the value and integrity of qualifications conferred by the University.

Are there any exceptions for personal information collected for research purposes?

Yes. Under the NSW privacy laws, there are specific exemptions that apply to collection, use and disclosure for research purposes. There are, however, strict requirements for management of personal information used for research under privacy laws and under other University policies, such as the Research Code of Practice (opens in a new window), Research Data Management Policy (opens in a new window) and Research Conducted by External Parties Approval Policy (opens in a new window).

What are collection notices, when do we need them and how do I draft one?

The University must advise the purpose for which information is collected, who may receive it, whether the supply of information is required by law or voluntary, the rights of access to and correction of the information, and the name and address details of the party or entity holding the information (e.g., what section of the University). Further, the University needs to advise whether the supply of the information is required by law and the consequences for the individual if they fail to provide the information. These are collection notices. They should be written in plain English, have a clear layout and be University branded so it is clear who is asking for the information. Refer to the Privacy Management Plan (opens in a new window) and Privacy Training and Resources webpage (opens in a new window).

What are the 12 Information Protection Principles?

They are:

  1. Lawful Collection
  2. Direct Collection
  3. Open Collection
  4. Relevant Collection
  5. Secure Storage
  6. Transparent Access
  7. Accessibility
  8. Correction
  9. Accuracy
  10. Limited use
  11. Restricted Disclosure
  12. Security of Data.

More information is available on the IPC's Information Protection Principles (IPPs) for agencies webpage (opens in a new window).

What are the 15 Health Privacy Principles?

They are:

  1. Lawful Collection
  2. Relevant Collection
  3. Direct Collection
  4. Open Collection
  5. Secure Storage
  6. Transparent Access
  7. Accessibility
  8. Correction
  9. Accuracy
  10. Limited Use
  11. Limited Disclosure
  12. Not identified
  13. Anonymous service
  14. Controlled Transferrals
  15. Authorised Transferrals.

More information is available on the IPC's Health Privacy Principles (HPPs) for agencies webpage (opens in a new window).