The Office of the Student Identifiers Registrar privacy obligations require us to:
- be open and transparent about how we hold, use and disclose personal information.
- take reasonable steps to ensure the security of personal information and protect it against intentional or unintentional misuse, loss, interference, unauthorised access, modification or disclosure.
- take reasonable steps to ensure the personal information that is held, used or disclosed is accurate, up to date, complete and relevant.
The 13 Australian Privacy Principles (APPs) are particularly important for the Office of the Student Identifiers Registrar staff and their work. The APPs are specified in Section 14 of the Privacy Act, which details the obligations and rights attached to the collection, access, maintenance and disclosure of personal information. Office of the Student Identifiers Registrar staff must comply with these obligations, principally APPs 1, 3, 6, 10, 11 and 13.
APP 1 – Open and transparent management
APP 3 – Collection of personal information
Outlines when an APP entity can ask for personal information. It applies higher standards to the collection of ‘sensitive’ information.
APP 6 – Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information.
APP 10 – Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. It must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant.
APP 11 – Security of personal information
An APP entity must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. It is obliged to destroy or de-identify personal information in certain circumstances.
APP 13 – Correction of personal information
Outlines obligations when an individual requests their information be corrected or an entity considers the information inaccurate, out-of-date, incomplete, irrelevant or misleading.
Meeting our obligations
Ensure the identity of the person you are speaking to is correct (APPs 3, 10, 11, 13)
- Answers to security questions can help you confirm that the caller is the person to whom the USI Registry System personal details and records apply.
- If you have any doubts about a person’s identity, check with a supervisor about whether what you plan to do to resolve the matter is appropriate.
Take reasonable steps to protect personal information (APPs 1, 6 & 11)
- Lock your computer when you leave your desk (APPs 6 & 11), even if you are just going to the kitchen or bathroom. This ensures the security of personal information.
- Shred personal identification information and material as soon as it is no longer required. Do not bin it, not even in the secure bin.
- Make sure you observe a ‘clear desk’ policy. Do not leave personal identification information lying around and open to inappropriate access or use by another person.
- Do not chat about work matters in public areas. For example, at the coffee shop or the bus stop where you may be overheard.
- Do not chat about a person’s personal details with colleagues or friends (APPs 6 and 11).
Only access a person’s record when you need to for work purposes (APPs 1, 6 & 11)
- Accessing a record when it is not required for work may be considered browsing, which is not appropriate.
- Browsing the system for people mentioned in the media or looking up someone’s personal details for a friend is the sort of activity that would breach APPs 6 and 11.
- Make a file note if you enter a person’s record by mistake, or if it is someone you know.
Be open and transparent (APPs 1, 6, 10 & 11)
- Do not edit records without permission from the person concerned.
- Make a file note when you alter a record.
Solicited personal information (APP 3)
- Personal information can be collected if it is reasonably necessary for, or directly related to, USI functions. For example, soliciting irrelevant information, such as the course a person is studying, the type of car they drive or their mobile number, because you might want to meet them, is inappropriate.
Legislation specifying the standards, rights and obligations about how the Student Identifiers Registrar must manage personal information includes the:
- Student Identifiers Act 2014 (Cth)
- Freedom of Information Act 1982 (Cth)
- Archives Act 1983 (Cth)
- Public Service Act 1999 (Cth)
- Privacy Act 1988 (Cth)