Privacy and Personal Information Protection Act

The University must comply with the Privacy and Personal Information Protection Act 1988 (NSW) (PPIPA). Controlled entities of the University must also comply with PPIPA.

Overview of the Act

Macquarie University must comply with PPIPA because it falls within the definition of "public sector agency" to which the Act applies. PPIPA provides for the protection of personal information and for the protection of the privacy of individuals generally. The key principles of the Act are contained in 12 Information Protection Principles (IPPs) in sections 8-19 of the Act, which are more fully described below.

What is personal information?

The Act only applies to personal information which the University collects and holds. Personal information is defined as "information or an opinion (including information or an opinion forming part of a database and whether or not in a material form) about an individual whose identity is apparent or can reasonably be ascertained from that information or opinion". It could include fingerprints or DNA, information written down about a person, information about a person that is not written down but which is in the possession or control of the University, or a photograph or image. It does not include:

  • information that is contained in a publicly available publication (such as in the newspaper);
  • information or an opinion about an individual's suitability for appointment or employment as a public sector official (for example a reference given by someone for a job with the University or by the University to another public sector agency or an individual applicant for a job with a public sector agency);
  • information which is "health information" within the meaning of the Health Records and Information Privacy Act 2002 (NSW); or
  • information about a person who has been dead for more than 30 years.

Privacy Code of Practice

The University has not adopted its own privacy code of practice. A privacy code of practice is a legal instrument made under Part 3 of PPIPA which allows an agency to modify an IPP or a public register provision or specify how that provision will apply in a particular circumstance. A list of codes of practice made in respect of some public sector agencies is available at the Office of the Privacy Commissioner website.

Privacy Management Plan

The University is required under PPIPA to have its own privacy management plan which sets out the compliance procedures of the University with respect to PPIPA and the Health Records and Information Privacy Act 2002 (NSW).

Section 41 Directions

Under s41 of PPIPA, the Privacy Commissioner may make a direction or modify the requirement for an agency to comply with an IPP or a code of practice. Three directions that apply to the University are:

  • Direction relating to the Information Transfers between NSW Public Sector Agencies;
  • Direction relating to the Processing of Personal Information by NSW Public Sector Agencies in relation to their Investigative Functions; and
  • Direction relating to the Disclosures of Information by NSW Public Sector Agencies for Research Purposes.

Directions can be found at the IPC website.

Formal application for review of conduct

In most instances the University will try to resolve any privacy complaint informally with the applicant without the need for a formal review.

However, any person who is aggrieved by conduct of the University is entitled to a formal review of that conduct by the University in accordance with section 5 of PPIPA.

An application for internal review of conduct must be provided in accordance with Part 5 of PPIPA. It must be addressed to the University in writing with a return address, within 6 months of the time when the applicant first became aware of the offending conduct. The University must inform the Privacy Commissioner of the application and keep the Privacy Commissioner informed as to the progress and findings of the University.

The University will appoint a person who is suitably qualified (such as the privacy officer) to conduct a review of the application as soon as reasonably practicable. If the review is not completed within 60 days, the applicant is entitled to make an application to the Administrative Decisions Tribunal.

Within 14 days after the completion of the review, the University must notify the applicant in writing of:

  • the findings of the review (and the reasons);
  • the action proposed to be taken; and
  • the right of the person to have those findings, and the University's proposed action, reviewed by the Administrative Decisions Tribunal.

A person dissatisfied with the findings of the review or the action of the University may apply to the Administrative Decisions Tribunal (ADT) for a review of the conduct of the University. If the applicant is not satisfied with the findings of the ADT and orders made (if any), he/she may appeal to the Appeal Panel of the ADT.

12 Information Protection Principles

12 information protection principles (IPPs) form the central part of PPIPA. The IPPs are grouped under five main headings - collection, storage, access and accuracy, use, and disclosure. These are set out below.

IPP 1 - Collection of personal information for lawful purposes

Personal information that the University collects about you must be for a lawful purpose which is directly related to the University's activities and the information is reasonably necessary for that purpose. The University cannot collect your personal information because it might be necessary at some point in time. The University cannot collect your personal information for surveillance purposes, for example, without your consent, other than in accordance with applicable surveillance laws.

IPP 2 - Collection of information directly from individual

The University must only collect personal information directly from you, unless you have granted consent to collection from a third party. Parents and guardians can give consent for minors.

Where you give consent to your personal information being disclosed to us by a third party, it should be given in writing so that there is no doubt. It may be difficult to prove that verbal or implied consent has been granted if complications arise.

The important elements of obtaining consent are:

  • that the individual has the capacity to consent,
  • that consent is given freely,
  • that the individual consenting is informed,
  • that the consent is specific; and
  • that the consent is current.

If the University does not collect personal information about you directly from you, the University will usually insist upon the third party providing evidence that you have consented to your personal information being collected from that third party.

IPP 3 - Requirements when collecting personal information

Before your personal information is collected or as soon as practicable after collection, the University must take reasonable steps to ensure that you are aware of the following:

  • that your information is being collected;
  • the purposes for which it is collected;
  • the intended recipients of the information;
  • whether the information is required by law or is voluntary and the consequences of not providing it;
  • the existence of your right to access and correct your information; and
  • our contact details.

The University does this by making available to you (either in person or on the University website) a privacy collection notice.

IPP 4 - Other requirements relating to collection of personal information

The University must ensure that the personal information it collects is relevant, not excessive, accurate, up-to-date and complete. The collection should not unreasonably intrude into your personal affairs. The University must only collect the details that it needs to fulfil the purpose of collection and not extraneous information.

IPP 5 - Retention and security of personal information

Personal information must be stored securely, not kept any longer than necessary, and be disposed of appropriately. It should be protected from loss, unauthorised access, use, modification or disclosure and any other misuse. This means that the University should have appropriate access restrictions in place.

The University endeavours to ensure that:

  • Access to information is restricted according to level of responsibility within the University;
  • Individuals are encouraged to change computer passwords regularly;
  • Entry to buildings where important information is stored is by card access;
  • Sensitive information is securely stored and locked;
  • Offices unattended are locked;
  • Personal information is stored away and not left exposed; and
  • Staff are aware of their privacy obligations.

The University's records and archives department (Macquarie Memory) stores information for so long as it is required to do so pursuant to the State Records Act 1998 (NSW) and other legislation.

IPP 6 - Information about personal information held by agencies

The University must provide you with enough details about what personal information it is storing, why it is storing it and what rights you have to access it.

IPP 7 - Access

The University must allow you access to your personal information without unreasonable delay and expense subject to any applicable exemptions. The University may require that your application be in writing and that it state your name or the name of the person whose information is sought and (if relevant) the authorisation of the person on whose behalf the application is made. To make a formal application please write to our privacy officer. You may also apply for access to your personal information pursuant to the Government Information (Public Access) Act 2009 (NSW).

IPP 8 - Alteration of personal information

The University must allow you to update, correct or amend your personal information where necessary upon your reasonable request.

IPP 9 - The University must check accuracy before use

Before using personal information that it holds, the University must ensure that it is relevant, accurate, up to date and not misleading.

IPP 10 - Limits on use of personal information

Generally, the University can only use your personal information for the purpose for which it was collected. The purpose for which your information was collected should have been communicated to you at the time when your information was collected (for instance through the University's privacy policy and procedure), or as soon as practicable thereafter, in accordance with IPP 3.

The University may use your information for other purposes where:

  • you consent to that use;
  • it is for a purpose directly related to the purpose for which it was collected;
  • it is necessary to prevent or lessen a serious and imminent threat to the life or health of an individual; or
  • that use is authorised, otherwise permitted or required by law.

Consent should be given in writing. Where this is not practicable, verbal or implied consent can be relied upon; however, it is more difficult to prove if complications arise. When receiving your consent the University must be sure that you have the capacity to consent, that it is voluntarily given, that you are fully informed, and that the consent is specific and current.

IPP 11 - Limits on disclosure of personal information

In the absence of consent from you and subject to limited exemptions under the Act, the University may only disclose your information to third parties where:

  • the disclosure is directly related to the purpose for which the information was collected and the University has no reason to believe that you would object;
  • you are likely to be aware, or have been made aware, that information of that kind is usually disclosed;
  • the University believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to the life or health of you or another person; or
  • that disclosure is authorised, otherwise permitted or required by law.

If the University discloses personal information under this IPP to another public sector agency, then that agency must not use the information for a purpose other than the purpose for which it was given. For example, if the University disclosed personal details to the NSW police or ambulance service, and if they are a public sector agency, they cannot use the information for any purpose other than to provide the response required for that situation.

Consent should be given in writing. Where this is not practicable, verbal or implied consent can be relied upon; however, it is more difficult to prove if complications arise. When receiving your consent the University must be sure that you have the capacity to consent, that it is voluntarily given, that you are fully informed, and that the consent is specific and current.

You are likely to be aware or have been made aware that your information is disclosed to certain third parties if you have been informed as to the uses and purposes of collection of your information in accordance with IPP 3. The University's privacy collection notices advise you as to the likely parties to whom the University may disclose the information that it collects from you upon enrolment, admission, when you are employed by the University and when you access a University website.

The circumstances in which your information will be disclosed to a third party because of a serious and imminent threat to your life or health or to others will be rare. The University will only disclose your personal information to others when the circumstances are serious and impending, such as in a life-threatening situation in which you are involved where you could be seriously injured or others might be injured as a result of your actions. Some likely parties to whom your information might be disclosed include the ambulance services or the police.

The Act also provides for other exemptions where your information might be used or disclosed, which are not covered in the IPPs.

IPP 12 - Special restrictions on disclosure of sensitive personal information

The University cannot disclose sensitive personal information about you without your consent, for example information about your ethnic or racial origin, political opinions, religious or philosophical beliefs, health or sexual activities or trade union membership, unless that disclosure is necessary to prevent a serious and imminent threat to any person's life or health or is otherwise permitted under PPIPA, for example, if it is necessary to comply with another law.

Exemptions from compliance with the IPPs

The Act also contains exemptions from compliance with the IPPs in specific circumstances:

  • exemptions from IPP 10 and IPP 11 for law enforcement and related matters;
  • exemptions from IPP 3, 10 and 11 for investigative agencies;
  • exemptions where non-compliance with IPPs 2, 3, 6, 7, 8, 10, 11 or 12 is lawfully authorised or otherwise permitted by another law; and
  • exemption from IPP 2 and 3 if compliance by the University would prejudice the interests of the individual to whom the information relates.

Examples of where the University may not comply with the IPPs based on the exemptions are:

  • where the University is investigating or otherwise handling a complaint or other matter that could be referred to an investigative agency (such as the Ombudsman, Independent Commission Against Corruption and the Health Care Complaints Commission) or that has been referred to such an investigative agency, the University is not required to comply with IPP 2, 3, 10 or 11 in fulfilling those purposes;
  • where the University is issued with a subpoena for release of certain information, it is required by law to respond to the terms of the subpoena and release the information;
  • where a government department requests by formal notice certain personal information held by the University pursuant to its governing legislation, for example, information about an international student required under laws administered by the Department of Immigration and Citizenship.