University of Technology Sydney UTS: Rules, Policy and Legislation

The information in this site is maintained by Governance Support Unit

by classification
What's new in policies?
Standing Orders
Faculty Management
Controlled Entities and Commercial Activities
Legislation, Rules
and Policies home

GSU home
Privacy Policy

This policy is current and enforceable, however is under review.




Policy statements

Policy ownership and support


Approval information

PDF version


1. Purpose

1.1 The purpose of the Privacy Policy (the policy) is to provide a framework to protect the privacy of all individuals at UTS in compliance with relevant privacy acts.

2. Scope

2.1 This policy and its Privacy Management Plan (PDF) (the plan) apply to all staff (including contractors and contracted bodies) and students.

2.2 This policy does not cover bodies who operate independently of the UTS governance framework, including controlled or associated entities of UTS.

3. Principles

3.1 UTS will strive to create, promote and maintain a culture of respect for the privacy of all individuals.

3.2 The university will incorporate privacy requirements into processes, procedures and information systems.

3.3 Through management of privacy, the university aims to foster and support a relationship of trust between UTS and staff, students and members of the community.

4. Policy statements

Unless otherwise indicated, references to ‘personal information’ will include ‘health information’.

Privacy Management Plan

4.1 This policy is implemented by the Privacy Management Plan (PDF), which outlines the university’s approach to the protection of personal and health information under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) and the Health Records and Information Privacy Act 2002 (NSW) (HRIPA). Where applicable, the plan also considers the requirements of the Privacy Act 1988 (Cwlth).

4.2 A breach of the plan constitutes a breach of this policy.

Personal information management and use

4.3 UTS will appropriately manage personal information where it is held by the university. Personal information is considered to be ‘held’ by the university if:

  • the university is in possession or control of the information, or
  • the information is in the possession or control of a person employed or engaged by the university in the course of that employment or engagement.

4.4 Personal information will only be collected in line with the plan and where:

  • collection has been approved by the relevant dean, director or data steward
  • a privacy notice and/or consent as relevant to the situation is included as part of the collection process, and
  • information collected is relevant and necessary for a lawful activity of UTS.

4.5 Personal information must be accurate and complete when collected and kept up to date for the period in which it is used.

4.6 An individual has a right to know what personal information is held about them and a right to access that information for review or correction where appropriate.

4.7 A unique identifier or number may only be applied to a person’s health information where necessary for UTS to carry out its activities, and in line with the plan.

4.8 Personal information may only be used or disclosed in line with the plan.

4.9 The immediate use or disclosure of personal information is allowed in emergency situations in line with the plan.

4.10 Where the university discloses, transfers or stores personal information outside UTS, it is the responsibility of the relevant data and/or information systems stewards to ensure that (in line with the plan):

  • all privacy impacts are assessed and addressed, including the disclosure, transfer or storage of personal information outside NSW or to a Commonwealth agency, and
  • all contractual obligations with relevant third parties are established and appropriately managed and monitored.

4.11 Personal information may only be retained for as long as it may legally be used in line with the purpose for which it was collected and/or for which consent was received. Minimum legal retention requirements under the Records Management Policy also apply.

4.12 Exemptions to privacy requirements may only be applied where appropriate in the circumstances and in line with the plan and the privacy acts.

4.13 Data and/or information system stewards responsible for engaging and managing a contracted third party must ensure that:

  • the activity in question satisfies the privacy obligations outlined in this policy and the plan
  • relevant obligations are imposed through an enforceable contact, and
  • such contracts are adhered to.

Data breach reporting

4.14 An identified or suspected data breach must be responded to and reported to the UTS Privacy Officer and the relevant data and/or information system stewards in line with the plan and the university’s data breach response procedures.

4.15 Where a data breach is a public interest disclosure, refer to the Fraud and Corruption Prevention and Public Interest Disclosures Policy and Guidelines.

4.16 Breaches of this policy or the plan will be managed under the university’s Code of Conduct and relevant enterprise agreements.

Privacy complaints

4.17 Privacy complaints will be referred for resolution to the relevant data and/or information system stewards in the first instance.

4.18 A privacy complaint that meets the requirements of or is a request for a privacy internal review under NSW privacy legislation, will be dealt with as a privacy internal review in line with the plan.

5. Policy ownership and support

The statements in this section are consistent with the Delegations and are in addition to specific statements outlined in section four of this policy.

5.1 Policy owners

The Deputy Vice-Chancellor (Corporate Services) is responsible for general oversight of records, information and privacy management at UTS, including the Privacy Management Plan (PDF). The Deputy Vice-Chancellor will also decide on external reporting in the event of a data breach.

Director, Governance Support Unit (GSU) is responsible for:

  • managing policy compliance
  • overseeing the implementation and review of this policy and the plan
  • delegating and resourcing the role of UTS Privacy Officer
  • overseeing and deciding the outcome of a privacy internal review conducted under PPIPA, and
  • statutory reporting on privacy related activities.

5.2 Policy contact

UTS Privacy Officer (GSU) is responsible for:

  • establishing the UTS privacy program in line with this policy and the plan
  • providing privacy training and other relevant education programs
  • providing advice on privacy to staff, faculties and units
  • assisting and providing advice to relevant data and/or information system stewards regarding privacy impact assessments
  • investigating privacy internal reviews and related complaints and referring outcomes to the Director, GSU
  • appointing a Privacy Contact Officer to assist in these duties as required.

To contact the UTS Privacy Officer, see privacy contacts.

5.3 Others

Deans, directors and heads of areas are responsible for:

  • advocating good privacy practices and ensuring they themselves, and their staff, are aware of privacy requirements
  • approving data collection activities and processes, including acceptable use
  • approving the disclosure of information other than disclosure in emergency situations, or otherwise delegating under procedures or in position descriptions this function to a staff position or role
  • providing appropriate training and education programs for all staff regarding the privacy needs of their relevant faculty or unit and its activities
  • completing privacy impact assessments on new or high-risk activities and addressing any privacy issues identified
  • dealing appropriately with informal privacy complaints in consultation with the UTS Privacy Officer.

Information system stewards responsibilities are defined in the Data Governance Policy.

6. Definitions

These definitions apply for this policy, the plan and all associated procedures.

Consent means the voluntary, provided freely with choice, informed, specific and current permission received from an individual (who has the capacity to understand and provide it), allowing the university to undertake certain actions in relation to their personal information.

Contracted third party or contractors mean another individual, organisation or agency engaged to undertake work on behalf of UTS.

Data breach (for data breach reporting purposes) means the loss and/or unauthorised access, disclosure or modification of personal information.

Data steward is defined in the Data Governance Policy.

Disclosure means providing personal information to a third party external to the university in circumstances where the information would not normally be accessible. Sharing personal information between business units of UTS is not considered a disclosure where it is required to conduct the legitimate business activities of the university, for which the information has been collected.

Emergency situation as used in the context of this policy and the plan refers to an imminent and serious threat to the life or health of any individual. With regards to health information, this includes a serious threat to public health and safety.

Health information is defined under section 6, HRIPA and is a subset of personal information that relates specifically to an individual’s health. Health information not only relates to data about the health of research participants or information held in medical records, it may also include information that relates to permanent or temporary physical or mental disabilities, workers compensation processes or accident reports, sick leave management, special considerations and other arrangements that relate to health issues.

Information system steward is defined in the Data Governance Policy.

Personal information is information as defined under section 4, PPIPA. Personal information refers to information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion, irrespective of whether the information is recorded in a material form or not, and including information or an opinion forming part of a database.

For the purposes of this policy ‘personal information’ includes ‘health information’ unless otherwise specified.

Privacy acts, for the purposes of this policy, means the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW) and other legislative privacy provisions, including the Privacy Act 1988 (Cwlth), as applicable.

Approval information

Policy contact UTS Privacy Officer
Approval authority Vice-Chancellor
Review date February 2021
Version 1.0
File number UR17/4140
Superseded documents Privacy Vice-Chancellor’s Directive (UR14/558)

Version history

Version Approved by Approval date Effective date Sections modified
1.0 Vice-Chancellor 20 December 2017 3 April 2018 New policy.

PDF version

Privacy Policy (PDF)


Code of Conduct

Data Governance Policy

Enterprise agreements

Fraud and Corruption Prevention and Public Interest Disclosures Policy and Guidelines

Health Records and Information Privacy Act 2002 (NSW) (HRIPA)

Privacy Act 1988 (Cwlth)

Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA)

Privacy at UTS (and privacy contacts)

Privacy for UTS staff (on Staff Connect)

Privacy Management Plan (PDF)

Records Management Policy