Definitions will be used throughout the policy.
|Australian Privacy Principle||Any of the Australian Privacy Principles set out in the Privacy Amendment (Enhancing Privacy Protection) Act 2012.|
|Personal Information||Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent or can reasonably be ascertained, from the information or opinion.|
(a) Information or an opinion about:
(b) Other personal information collected to provide, or in providing, a health service; or
(c) Other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
(d) Genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual. Information means health information and/or personal information as the context permits.
(a) information or an opinion about an individual’s:
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information
One or all of the following:
(a) The Privacy Act 1988;
(b) The Privacy Amendment (Private Sector) Act, 2001; and
(c) The Privacy Amendment (Enhancing Privacy Protection) Act 2012.
|Law enforcement agency||
Law enforcement agencies include:
(a) The Police Force of NSW or of another State or Territory;
(b) The NSW Crime Commission;
(c) The Australian Federal Police;
(d) The Australian Crime Commission;
(e) The Director of Public Prosecutions of NSW, another State or Territory or the Commonwealth;
(f) The Department of Corrective Services;
(g) The Department of Juvenile Justice, or
(h) The Office of the Sheriff of NSW.
All employees of NTI, including:
(a) casual employees;
(b) conjoint and visiting appointees;
(c) consultants and contractors;
(d) agency staff;
(f) members of NTI committees, and
(g) any other person appointed or engaged by NTI to perform duties or functions for NTI.
The Nan Tien Institute (“NTI”), as a higher education provider, collects personal and/or health information from staff and students. It is the responsibility of NTI to ensure that the overall management of that information, which includes collection, storage, access, use and disclosure, complies with Australian privacy laws.
The purpose of this policy is to facilitate NTI’s compliance with the Privacy Act 1988, the Privacy Amendment (Private Sector) Act, 2001 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and other relevant privacy laws, including but not limited to regulations, statutory guidelines, codes of practice and privacy directions.
This policy states the NTI’s commitment to the protection of privacy and the compliant management of personal information.
This policy outlines the responsibilities of all staff when handling information to ensure that NTI complies with the Privacy Act 1988, the Privacy Amendment (Private Sector) Act 2001 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012.
1. NTI’s Commitment to Privacy
NTI will collect, store, use and disclose information in accordance with the Privacy Act 1988 and the Privacy Amendment (Private Sector) Act, 2001 and the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and other relevant laws and codes of practice.
2. Anonymity and Pseudonymity
Where practicable and allowed by law, NTI will deal with individuals who have not identified themselves or who have used a pseudonym.
3. Collection of Information
3.1 NTI will collect information in an open manner, including informing individuals that information is being collected, why it is being collected, how it will be used, who else might see it and any consequences that may apply if the information is not provided.
3.2 NTI will only collect information by lawful means where collection is:
3.2.1 For a lawful purpose which is directly related to one of its activities, and
3.2.2 Reasonably necessary for that purpose.
3.3 NTI will ensure that the information collected is relevant, accurate, up to date and not excessive, and that collection does not intrude to an unreasonable extent on the personal affairs of the individual.
3.4 NTI will collect information directly from the individual concerned unless it is unreasonable or impracticable to do so
4. Unsolicited Personal Information
If NTI receives personal information which it did not solicit, NTI will determine whether or not it could have collected the information under Principle 3, Collection of Infomation. If so, the information will be treated in the same way as solicited information; if not, the information will be destroyed.
5. Notification of Collection of Personal Information
At the time of collecting personal information from an individual, or as soon as possible thereafter, NTI will take reasonable steps to notify the individual of:
5.1 NTI’s contact details;
5.2 The circumstances of the collection of the information;
5.3 The purpose for which the information is being collected;
5.4 The consequences of not collecting all or some of the information;
5.5 Circumstances relating to the disclosure of the information;
5.6 Procedures for accessing and correcting the information, and
5.7 Procedures for handling complaints in relation to the collection of the information.
6. Use or Disclosure of Personal Information
6.1 In general terms, ‘use’ of information refers to the communication or handling of information within NTI.
6.2 In general terms, ‘disclosure’ of information refers to the communication or transfer of information outside NTI.
6.3 NTI will not use or disclose information it holds unless:
6.3.1 The use or disclosure of the information is directly related to the primary purpose for which the information was collected and there is no reason to believe that the individual concerned would object; or
6.3.2 The individual is reasonably likely to have been aware or has been made aware, that information of that kind is usually disclosed to a third party; or
6.3.3 The use or disclosure of the personal information is necessary to deal with a serious and imminent threat to any individual’s life or health; or
6.3.4 The use or disclosure of the health information is necessary to deal with a serious and imminent threat to any individual’s life, health or safety, or is necessary to lessen or prevent a serious threat to public health or public safety; or
6.3.5 The individual provides consent to any other use or disclosure.
6.4 NTI will only use or disclose information without an individual’s consent in limited circumstances, including:
6.4.1 Where the use or disclosure relates to law enforcement and related matters such as:
(a) disclosing information to a law enforcement agency for the purpose of ascertaining the whereabouts of an individual who has been reported to police as a missing person; or
(b) disclosing information to a law enforcement agency in order to investigate an offence where there are reasonable grounds to believe that an offence may have been committed; or
(c) where the use or disclosure is permitted or required under an Act or any other law; or
(d) for health information where the use or disclosure is necessary for the training of employees or for research purposes, in the public interest.
6.5 NTI will only disclose sensitive information with the consent of the individual unless disclosure is necessary to deal with a serious and imminent threat to any individual’s life or health.
7. Direct Marketing
7.1 NTI will not use or disclose personal information for direct marketing to the individual from whom the information was collected unless such use was disclosed at the time of collection.
7.2 NTI will provide a means for an individual to opt-out of receiving direct marketing requests.
7.3 NTI will not use or disclose sensitive information for direct marketing unless the individual has consented.
8. Cross Border Disclosure of Information
8.1 Before disclosing personal information about an individual to an overseas recipient, NTI will take all reasonable steps to ensure that the overseas recipient does not breach the Australian Privacy Principles, unless:
8.1.1 NTI informs the individual that the information may be disclosed to an overseas recipient and the individual consents, or
8.1.2 The disclosure of the information is required or authorised under an Act or any other law
9. Adoption, Use or Disclosure of Government Identifiers
9.1 NTI will not adopt a government related identifier of an individual unless the identifier is required or authorised by an Act or any other law, or prescribed by regulations.
9.2 NTI will not use or disclose a government related identifier of an individual unless it is reasonably necessary to verify the identity of the individual, or to fulfil its obligations to an agency, or required by an Act or any other law, or reasonably necessary for enforcement related activities
9.3 In relation to health information, NTI will:
9.3.1 Provide individuals with the option of receiving health services anonymously; and/or
9.3.2 Assign a unique identification number to an individual, where it is reasonably practicable and lawful in the circumstances and it does not negatively affect the functions of NTI.
10. Quality of Personal Information
NTI will take all reasonable steps to ensure that information it collects, holds or discloses is accurate, complete, up to date and relevant, having regard to the purpose for which the information is collected, used or disclosed.
11. Security of Personal Information
11.1 NTI will take all reasonable steps to ensure that information is:
11.1.1 Held for no longer than is necessary;
11.1.2 Disposed of securely in accordance with approved methods; and
11.1.3 Protected to the extent reasonable in the circumstances from loss, unauthorised access, use, modification or disclosure, and against all other misuse.
12. Access to Personal Information
12.1 NTI will respond to enquiries from an individual as to whether it holds that individual’s information including any rights of access to it and allow an individual to access his/her own information held by NTI without unreasonable delay or expense, unless
12.1.1 NTI believes that giving access would pose a serious threat to the health or safety of any individual or to public health and safety, or impact on the privacy of other individuals, or
12.1.2 The request for access is frivolous or vexatious, or
12.1.3 The information relates to existing or anticipated legal proceedings between NTI and the individual and would not be discoverable in those proceedings, or
12.1.4 Giving access would prejudice commercially sensitive negotiations, or
12.1.5 Giving access would be unlawful, or
12.1.6 Giving access would be likely to prejudice enforcement related activities, or action in relation to serious misconduct.
13. Correction of Personal Information
13.1 When requested by an individual, NTI will take all reasonable steps to make appropriate amendments, corrections or updates to the individual’s information to ensure that it is accurate, up-to-date, complete, relevant and not misleading, having regard for the purposes for which the information for which it is held.
13.2 When requested by an individual, NTI will notify any other organisation to which it has disclosed the information of any corrections, unless it is impracticable or unlawful to do so.
13.3 If NTI refuses to correct the personal information as requested by an individual, NTI will provide a written statement of reasons and information on mechanisms for complaining about its actions.
13.4 If NTI refuses to correct the personal information as requested by an individual and the individual requests it to do so, NTI will attach a statement to the personal information stating that the information is inaccurate, out-of-date, incomplete, irrelevant, or misleading .
14. Complaints and Enquiries
If an individual has any concerns about the way NTI is managing his/her information or believes that NTI may have breached his/her privacy, that individual may be directed to the NTI Privacy Officer via email at firstname.lastname@example.org. Additional contact details can be found on NTI’s privacy webpage.
15. Breaches of Policy
Failure to comply with this policy which results in a breach of the Australian privacy principles or the health privacy principles may constitute misconduct, and may result in disciplinary action being taken by NTI.
Systems and Procedures
15 Roles and Responsibilities
15.1 NTI is responsible for making staff and students aware of this policy.
15.3 The Administration Manager is responsible for NTI’s overall compliance with its privacy obligations.
15.4 NTI’s Privacy Officer is responsible for:
15.4.1 Providing privacy advice and education to staff;
15.4.2 Responding to enquiries or complaints from individuals on privacy matters;
Legislation & Regulation
|Version||Date Approved||Date Effective||Approved By||Amendment|