The Information Privacy Act 2009 - What it means for you.
The Information Privacy Act 2009 was enacted on 1 July 2009 and applies to all Queensland
Government agencies and public authorities including Universities. The Act has two parts. Firstly, it
has an access and amendment scheme which allows people to access their personal information
and amend it where it is inaccurate, incomplete or out of date. This scheme replaces the now
repealed Freedom of Information Act 1992.
The second scheme is an information protection scheme which has, as its objective, the protection
of personal information in the possession of the University from unauthorised access, use,
modification and disclosure.
The University can be subject to significant penalties if it does not comply with the IP Act,
including the payment of compensation for any loss or damage caused by breaches of privacy.
What is "Personal Information"?
One of the primary objectives of the Information Privacy Act 2009 is to protect personal
information held by the University.
Personal information is defined as information or an opinion, including information or an opinion
forming part of a database, whether true or not, and whether recorded in a material form or not,
about an individual whose identity is apparent, or can reasonably be ascertained, from the
information or opinion.
In conducting its business, the University holds a wide range of personal information including:

Human Resources information;

Student enrolment and attendance information;

Community participation records including Alumni and users of University facilities;

Research data involving human participants;

Information technology records; and

Business and financial records;
To determine whether information is "personal information", ask yourself these questions:
does the information tell you something about someone?
does the information identify a person directly?
could someone find out, through reasonable steps, to whom the information refers?
The Information Privacy Principles (IPPs)
The IPPs are a set of eleven rules which regulate the way in which personal information is to be
managed by the University throughout its lifecycle from initial collection to eventual disposal. The
Information Privacy Principles cover the following functional activities:
collection of personal information;
storage and security;
access and amendment;
use of personal information within the University; and
disclosure of personal information to persons outside the University.
The IPA requires all employees and contractors of the University to comply with the IPPs in dealing
with personal information. Failure to comply with the IPPs may not only expose the University to a
privacy breach, but could also constitute misconduct under the University's Code of Conduct.
Collecting Personal Information
Collection refers to any process by which the University obtains personal information. It can
include:

Asking a person to fill in a form;

Obtaining information over the telephone and making a file note;

Closed circuit television monitoring.
Personal information can be collected directly from the person concerned (e.g. a student) or it can
be obtained indirectly from a third party (e.g. another educational institution).
The collection of personal information is regulated by IPPs 1-3. The rules are:
Only collect personal information for a lawful purpose that is directly related to a function
or activity of the University;
Collect only the information that you need;
Collection must be fair and lawful; and
When collecting information directly from the person concerned (i.e. a student or staff
member), that person must be informed why the information is needed, how it will be used,
and which persons or organisations outside the University it is the usual practice to
disclose information of this kind to.
Before collecting personal information, ask yourself these questions:
Do I really need to collect personal information to perform this University-related function?
If yes, what information do I actually need (rather than want)?
How should I collect this information to make sure the collection is lawful and fair?
If I am collecting the information directly from the person concerned, what do I need to
tell them?
Security of Personal Information
The IPA requires that the University take reasonable steps to protect personal information from
unauthorised access, use, modification, disclosure or any other misuse.
Some of the things which you can do to protect personal information include:
Institute a 'clean desk' policy for desks, fax machines, printers and photocopiers. Lock away
files at the end of the workday and ensure that documents are not left on fax machines,
printers and photocopiers;
Use lockable filing cabinets and receptacles to store personal information when it is not
needed;
Lock your office when you are not in attendance;
Ensure that physical files are appropriately classified and marked;
Properly dispose of records in accordance with the University's Retention and Disposal
Schedules;
Limit access to databases and systems to those persons with a legitimate work-related
need to know, and remove access from those persons who no longer need it;
Wear your UQ identification tag whenever at work;
Log off or lock your computer when you are not in your office;
Don't share your UQ password;
Before sending personal information by email over the internet, consider whether this is
the most appropriate form of communication, given the sensitivity of the information.
Access and Amendment of Personal Information
Under IPPs 6 and 7, the University is required to inform persons what kind of information is held
about them, how they can access this information, and how they can correct this information if it
is inaccurate, out of date or misleading. The University has a number of administrative schemes
whereby persons can access and amend their personal information. In addition, the University is
subject to the Right to Information Act 2009 and the access scheme in the Information Privacy Act
2009.
Using Personal Information
'Use' means any action taken with respect to the information within the University. This includes:
searching records;
using personal information in a record to make a decision;
passing a record from one part of the University to another part with a different function;
and
publishing information within the University.
The use of personal information is regulated by IPPs 8-10. The rules are:

subject to limited exceptions such as consent, personal information is only to be used for
the purpose for which it was collected;

only use that personal information which is relevant to the task you want to perform; and

before using personal information, take reasonable steps to ensure that it is up to date
and accurate.
When information is collected for a particular purpose, it cannot ordinarily be used for another
purpose without authorisation. If the University wants to use the information for another purpose,
then one of the following exceptions must apply:

the person concerned consents to the other use;

the other use is authorised or required by legislation;

the other use is necessary to reduce a risk of harm to the individual or the public safety;

the other use is necessary for a law enforcement purpose;

the other use is necessary for research purposes and it is not practicable to obtain the
consent of the person concerned.
Before using personal information, ask yourself these questions:
for what legitimate University-related purpose am I going to use the personal information?
do I actually need personal information to achieve that purpose?
of all the personal information I have, what specific pieces do I need to use?
is it likely that this information is up to date, accurate and complete for the purpose I
want to use it?
Disclosure of Personal Information
Disclosure of personal information occurs when information is released to a person or an
organisation outside of the University.
The IPA states that, subject to limited exceptions, personal information must not be disclosed to
persons outside the University other than to the person concerned.
The University has in place a number of processes for the orderly disclosure of personal
information. Bear in mind that releasing information outside of these processes may constitute
misconduct under the University's Code of Conduct.
Disclosure may be deliberate or inadvertent. Wrongful deliberate disclosure is rarely malicious
and often occurs with the best of intentions (e.g. providing student information to a concerned
parent). Nevertheless, wrongful disclosure, even with the best of intentions, is still wrongful
disclosure.
So, before disclosing personal information to someone other than the person concerned, ask
yourself - what is the authority for this disclosure ? The IPA outlines a number of circumstances in
which it is lawful to pass on information to third parties. These include:

Where the person was aware that the information would be disclosed (e.g. they were told
at the time of collection that this would happen);

Where the person consents to the disclosure;

Where the disclosure is authorised or required by law;

Where the disclosure is necessary to reduce the risk of harm to the individual or to public
safety;

Where the disclosure is reasonably necessary for law enforcement purposes;

Where the disclosure is reasonably necessary for research purposes and it is not
practicable to obtain the consent of the person concerned.
Enquiries about whether disclosure of personal information is authorised may be directed to the
University's Right to Information and Privacy Coordinator.
Inadvertent disclosure often occurs simply because a staff member is not fully aware of the
privacy risks of their environment (e.g. reading a file on the train, or discussing a sensitive
personal matter in a corridor where other people can overhear).
The following steps can be taken to reduce the risk of accidental or inadvertent disclosure:

make sure that any device or media which contains personal information (e.g. USB drives,
laptops, hard drives, etc.) is properly secured;

guard against indiscreet comments concerning staff or students;

avoid discussing personal information about staff or students in areas which are, or in
close proximity to, public access areas (e.g. counters, corridors, cafeterias and coffee
shops);

where possible, don't send sensitive personal information over the internet.
Privacy Complaints
A person who believes that their privacy has been breached can complain to the University. If they
are dissatisfied with the University's response, they can take their complaint forward to the Office
of the Information Commissioner and the Queensland Civil and Administrative Tribunal (QCAT). If QCAT is
satisfied that a privacy breach has taken place, it can make various orders, including an order for
the award of compensation.
Further Information
For more information on how the University deals with privacy, consult the University's Privacy
Management Policy or contact the University's Right to Information and Privacy Coordinator on
3365 2571 or email rtip@uq.edu.au.