
UNSW College operates in complex regulatory and privacy compliance regimes established under both the federal and state legislative frameworks.
As a not-for-profit organisation with an annual turnover exceeding $3 million, UNSW College falls within the definition of an ‘organisation’ in the Privacy Act 1988 (Cth) and is required to comply with that act as an “APP entity”. UNSW College is also:
As such, UNSW College may also be required to comply with PIPPA and HRIPA.
UNSW may also collect data on citizens in European Union (EU) countries or process personal data of European residents and as such may need to comply with the General Data Protection Regulation (GDPR).
The purpose of this policy is to outline:
This Policy applies to:
Note: definitions of personal, sensitive and health information in this policy are taken from the Privacy Act 1988 (Cth) unless stated otherwise.
Australian Privacy Principles (APPs) means the 13 Privacy Principles set out in Schedule 1 of the Privacy Act 1988 (Cth) which outline how APP entities must handle, use and manage personal information.
APP entity means an agency or an organisation, including all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses.
Business Partner means a person who is part of a business partnership, collaboration or similar arrangement with UNSW College.
Consent means ‘express consent or implied consent’. The four key elements of consent are:
Controller according to the GDPR means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
CRICOS Code means the Australian Commonwealth Register of Institutions and Courses for Overseas Students.
Direct marketing means the use and/or disclosure of personal information to communicate directly with an individual to promote goods and services. A direct marketer may communicate with an individual through a variety of channels, including telephone, SMS, mail, email and online advertising.
Express consent means consent given explicitly, either orally or in writing. This could include a handwritten signature, an oral statement, or use of an electronic medium or voice signature to signify agreement.
Eligible Data Breach means a data breach where:
GDPR means the General Data Protection Regulation.
Health Information as defined by the Privacy Act 1988 (Cth) means:
HRIPA means the Health Records and Information Privacy Act 2002 (NSW).
Information Protection Principles (IPPs) means the 12 Principles set out in Part 2, Division 1 of the PIPPA outlining legal obligations which NSW public sector agencies, statutory bodies, universities and local councils must abide by when they collect, store, use or disclose personal information.
Implied consent arises where consent may reasonably be inferred in the circumstances from the conduct of the individual and the APP entity.
Notifiable Data Breach means a scheme that requires agencies and organisations to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm and to notify the Australian Information Commissioner of Eligible Data Breaches.
OAIC means the Office of the Australian Information Commissioner.
Overseas Recipients means a person or entity who is not in Australia or an external Territory, and is not the entity or the individual, and includes UNSW College staff in UNSW College’s subsidiary companies located overseas and education agents.
Permitted General Situation has the meaning in section 16B of the Privacy Act 1988 (Cth).
Personal Information as defined by the Privacy Act 1988 (Cth) means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
Examples of Personal Information include:
PIPPA means the Privacy and Personal Information Protection Act 1998 (NSW).
Privacy Laws means the Privacy Act 1988 (Cth), PIPPA and HRIPA.
Privacy Principles means Australian Privacy Principles and/or Information Protection Principles.
Processor according to the GDPR means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
School Student means a person formally engaged in learning, usually one enrolled in a primary or secondary school.
Sensitive Information is defined in s.6 of the Privacy Act 1988 (Cth) to mean:
Serious harm means serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.
Service Provider means a third party that provides services on behalf of UNSW College to UNSW College Students and/or staff under a written agreement.
UNSW College Student means a student who is enrolled with UNSW College or a person who has submitted an application for admission to UNSW College.
UNSW Sydney means the University of New South Wales (ABN 57 195 873 179).
UNSW Global Pty Ltd is committed to collecting, holding, using and disclosing only Personal Information that is needed to carry out its functions and activities and to handling the information in accordance with the Privacy Laws and other applicable data protection laws. It is UNSW College policy to:
UNSW College operates in educational areas that are ancillary to the core business (research and degrees) of UNSW. UNSW College’s core function is education, though this is supported by a number of functions including IT, finance, human resources, legal & compliance and sales & marketing.
5.2.1 UNSW College may collect the following information:
5.2.2 UNSW College may collect Personal Information, Sensitive Information and Health Information in a number of ways, including the following:
5.2.4 UNSW College informs individuals that it collects their Personal Information, either at or before the time of collection, or as soon as practicable thereafter, either through a form used to collect the information or by giving a notice to individuals or by otherwise ensuring that the individuals are aware of the collection of their Personal Information. The notification will be in writing wherever possible.
5.2.5 Further examples of UNSW College’s functions and activities and the type of Personal Information collected are outlined in Annexure 1.
Where necessary and as required by law, UNSW College may seek specific consents from an individual to collect, use and disclose the individual’s information.
5.3.1 Consent must be sought when:
5.3.2 Consent is not required if there is a Permitted General Situation, for example, UNSW College reasonably believes that the collection, use or disclosure is necessary:
When developing or reviewing a project, such as: new or amended programs, activities or databases, UNSW College may consider the need for a Privacy Impact Assessment (PIA). A PIA identifies how a project can have an impact on individuals’ privacy, and makes recommendations for managing, minimising or eliminating privacy impacts.
In the case of an Eligible Data Breach UNSW College will inform the OAIC and affected individuals in the manner required by the Privacy Act 1988 (Cth).
The GDPR and the Privacy Act 1988 (Cth) share many common requirements; however, there are also some notable differences. Where UNSW College is engaging in business in the European Union that is likely to result in data being collected or processed in relation to European residents, please contact the Legal and Compliance team, who can advise on the nature of responsibilities that UNSW College may have under the GDPR, before you start activities.
Accessing and correcting Personal Information
If an individual believes that the Personal Information which UNSW College holds about them is inaccurate, out-of-date, incomplete, irrelevant or misleading, they have the right to request the information to be corrected. To request amendment of his/her Personal Information, the individual should:
By email: | legalandcompliance@unswcollege.edu.au |
By post: | Legal and Compliance Team UNSW Global Pty Limited 223 Anzac Parade Kensington NSW 2033 |
If an individual believes that UNSW College has misused their Personal Information they can contact the UNSW College Privacy Officer to discuss and try to resolve the issue informally, or lodge an application for a formal review with UNSW College, or complain to the OAIC.
UNSW Global Pty Limited | ACN 086 418 582 | CRICOS Provider Codes 01020K and 00098G (UNSW)
Please note that the OAIC generally requires individuals to complain directly to the agency or organisation (in this case, UNSW College) and allow 30 days for it to respond before the individual can lodge a complaint with the OAIC. To lodge an application for a formal review with UNSW College, an individual should:
This Policy sets the foundation for UNSW College compliance with the following legal and regulatory requirements:
This policy is due for review three (3) years from its date of implementation or in case of legislative or regulatory changes.
N/A
Version Control | Date Effective / Approved by | Amendment Notes |
---|---|---|
2.0 | 01/09/2017 Theresa Kelly | • Definitions of: APP entity, Business Partner, Consent, CRICOS Code, Direct marketing, Express consent, Health Information, Information Protection Principles (IPPs), Implied consent, Overseas Recipients, Permitted General Situation, School Student, Service Provider, and UNSW College Student added • New points added: UNSWC functions, primary and secondary purposes of collecting Personal Information, consent, anonymity and pseudonymity, Privacy Impact Assessment and data breach response • Further information added about: UNSWC functions and activities and type of Personal Information collected (Annexure 1), accessing and correcting Personal Information and making complaints • Complaints Form added • Privacy Impact Assessment (PIA) form added |
N/A | N/A | • Administrative updates: change of a Policy template to reflect the new UNSW College Branding Guideline. |
3.0 | 23/02/2018 Rob Forage | • Definitions pertaining to the NDB scheme and the GDPR added • Point 5.9 reviewed and aligned with the NDB scheme requirements • Point 5.10 added • NDB form added to point 7 ‘Related documentation’ |
3.1 | 25/03/2021 N/A - Admin changes only | Address update and removal of references to Assessments business |
3.2 | 30/03/2021 N/A - Admin changes only | Updates to hyperlinks and form references |
3.3 | See page 1 L. Pearcey | Updates include removal of Assessments business and Institute of Languages, and the inclusion of student identification checks for assessments and staff work location |
Business Group | Functions and Activities | Type of Personal Information Collected |
---|---|---|
Academic, student administration / services and recruitment | Delivering English language programs and university pathway programs to UNSW Sydney and other universities International student recruitment, admissions, academic administration and student services Examples of activities
|
Examples: UNSW College Students
• in the context of a complaint, Personal Information about the complainant and others who are involved, in order to deal with the complaint |
Business Group | Functions and Activities | Type of Personal Information Collected |
---|---|---|
Other UNSW College Business Groups perform business support functions such as Human Resources, Finance, IT, Marketing and Legal and Compliance. These Business Groups support UNSW College’s core activities | Human Resources
|
Examples of types of Personal Information about staff or applicants
|
Finance and Facilities
|
Examples of types of Personal Information • information in relation to staff salaries and benefits • Payee identity checks for refunds • staff bank account information • work location (as updated from time to time across authorised worksites) |
|
IT
|
Examples of types of Personal Information about staff, visitors and UNSW College Students IT has a role in supporting all College’s systems which contain Personal Information. Examples of Personal Information which IT handles in a more direct way include:
|
|
Marketing
|
Examples of types of Personal Information about UNSW College Students, staff and School Students
|
|
Legal and compliance Advising UNSW College on the following:
|
All the types of Personal Information we hold, including the examples in this table. |
Business Group | Functions and Activities | Type of Personal Information Collected |
---|---|---|
All Business Groups | Engaging third party suppliers (e.g. cloud service providers, IT providers and consultants) to enable UNSW College to improve its infrastructure, systems, processes, products and services |
All the types of Personal Information we hold, including the examples in this table. |
All interactions with UNSW as UNSW College’s parent entity, including:
|
All the types of Personal Information we hold, including the examples in this table. |
|
Any other purpose for which Personal Information was provided to UNSW College or for any purpose related or ancillary to any of the above. |
All the types of Personal Information we hold, including the examples in this table. |
Full Name | |
Postal Address | |
Phone Number | |
Email Address | |
Please tick which of the following describes your complaint: (you may tick more than one option): □ collection of my Personal, Sensitive or Health Information □ security or storage of my Personal, Sensitive or Health Information □ refusal to let me access or find out about my own Personal, Sensitive or Health Information □ accuracy of my Personal, Sensitive or Health Information □ use of my Personal, Sensitive or Health Information □ disclosure of my Personal, Sensitive or Health Information □ other (please specify): |
|
Please describe the details of your complaint and dates where relevant | |
Attached documents | □ I am attaching supporting documents □ I am not attaching supporting documents |
Signature | |
Date |
Office Use Only
Received By | Date | ||
Signature | Date |
Privacy Policy | |
---|---|
Category/Business Group | Corporate Services |
Published Externally (Yes/No) | Yes |
Approver | Chief Executive Officer |
Responsible Officer | Head of Legal and Compliance |
Contact Officer | Associate Legal Counsel |
Effective Date | 17/05/2021 |
Next Review Date | 17/05/2024 |
Version | 3.3 |
Privacy Approval | Responsible Officer | Legal Officer |
---|---|---|
Laurie Pearcey | Dominic Carew | Dominic Carew |
Date: 2/05/2021 | Date: 11/05/2021 | Date: 11/05/2021 |
UNSW Global Pty Limited ABN 62 086 418 582 trading as UNSW College™.