Policy Version 1.0.0 (8-Mar-2017)
Parent document: http://www.mq.edu.au/privacy
This Policy provides guidance on the information handling practices of the Field Acquired Information Management Systems Project (FAIMS), a project group led by Macquarie University, New South Wales, Australia (University), in relation to the personal and health information of its mobile app users and others who interact with it.
FAIMS is committed to protecting personal and health information while undertaking its learning and teaching, research, engagement, and associated administrative procedures and activities. All members of FAIMS have an obligation to be aware of and implement the privacy principles and practices established by legislation and articulated in this Policy.
FAIMS, as part of the University, is required to comply with statutory obligations under the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA) and the Health Records and Information Privacy Act 2002 (NSW) (HRIPA), in respect of personal and health information which it collects and uses. The University aligns its practices and activities with the Information Protection Principles (IPPs), and the Health Privacy Principles (HPPs) contained in those Acts (as outlined in the University’s Privacy Management Plan).
The University also follows any public interest directions and statutory guidelines issued by the Information and Privacy Commission NSW (or its equivalent or replacement body) in relation to personal and health information. The University’s Privacy Management Plan provides more information on how the University implements its obligations under the PPIPA and HRIPA, and how these acts apply to the University’s operations.
The scope of this Policy applies to the following:
- all employees of the University and its controlled entities,
- all students of the University including former students,
- all University researchers and HDR candidates, and
- any person who handles personal or health information for or on behalf of the University or its controlled entities, including contractors, agents, visitors, honorary, clinical or adjunct appointees and consultants of the University.
Commonly defined terms are located in the University Glossary. The following definitions apply for the purpose of this Policy:
Controlled entity/entities: a person, group of persons or body of which the University or the University Council has control within the meaning of Section 39(1A) or 45A(1A) of the Public Finance and Audit Act 1983 (NSW).
Information: personal or health information (or both as the context requires).
Health information as defined in HRIPA is:
a. “personal information that is information or an opinion about:
  i. the physical or mental health or a disability (at any time) of an individual; or
  ii. an individual’s express wishes about the future provision of health services to him or her; or
  iii. a health service provided or to be provided to an individual; or
b. other personal information collected to provide, or in providing, a health service; or
c. other personal information about an individual collected in connection with the donation, or intended donation, of an individual’s body parts, organs or body substances; or
d. other personal information that is genetic information about an individual arising from a health service provided to the individual that is or could be predictive of the health (at any time) of the individual or of any sibling, relative or descendant of the individual; or
e. healthcare identifiers”.
Personal information as defined in PPIPA is:
“information or an opinion (including information or an opinion forming part of a database and whether or not recorded in a material form) about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Personal information includes such things as an individual’s fingerprints, retina prints, body samples or genetic characteristics”. It does not include (this list is not exhaustive):
- information about an individual who has been dead for more than 30 years;
- information about an individual that is contained in a publicly available publication;
- information or an opinion about an individual’s suitability for appointment or employment as a public sector official;
- information about an individual that is contained in a public interest disclosure; and
- health information within the meaning of HRIPA.
Privacy Framework: the suite of documents which inform individuals of the relevant privacy laws and how the University and its controlled entities collect, use, disclose and retain personal and health information and how access and correction requests are handled.
University: Macquarie University including its employees, students, University researchers, HDR candidates, and any person who handles personal or health information for or on behalf of the University.
5 POLICY STATEMENT
The University ensures those covered by the scope of this policy are made aware of their responsibilities under the PPIPA and HRIPA respectively and provides appropriate information and training opportunities.
In handling personal and health information, the University and its controlled entities align their practices with the IPPs and HPPs as follows:
Collection and use
The University may collect and use personal and health information only for lawful purposes that are directly related to a function or activity of the University and where the information is reasonably necessary for that purpose; for a directly related purpose that the individual would expect; or for a purpose for which the individual has given consent.
The University is not required to comply with the privacy principles relating to use if an exemption under the relevant legislation applies.
The University may disclose information held about an individual under various circumstances including the following:
a. if the disclosure is directly related to the purpose for which the information was collected and the University/controlled entity has no reason to believe that the individual concerned would object to the disclosure; or
b. the individual concerned is reasonably likely to have been aware, or is aware, that information of that kind is usually disclosed in that way; or
c. the University believes on reasonable grounds that the disclosure is necessary to prevent or lessen a serious or imminent threat to an individual’s life or health; or
d. consent has been given by the individual; or
e. disclosure is otherwise authorised, permitted, or required by law.
Specific restrictions on disclosure apply when made to an overseas recipient.
More specific information about how the University applies the IPPs and HPPs can be found in the Privacy Management Plan.
Collection, Use and Disclosure for Research Purposes
The University may collect, use and disclose Personal Information for research purposes without obtaining consent in accordance with the exemption set out in section 27B of the PPIPA.
The University is required to comply with all the criteria set out in section 27B of the PPIPA, any Statutory Guidelines issued by the NSW Privacy Commissioner and obtain approval of the University’s Human Research Ethics Committee prior to conducting research.
Management of Personal Information
The University takes all reasonable steps to ensure that the Personal Information it holds is accurate, complete, relevant and up to date.
Retention, Security and Disposal
The University retains information for as long as necessary for the purpose for which it may lawfully be used, subject to the requirements of any other law.
The University holds Personal Information in both paper and electronic form. The University takes reasonable measures to protect the Personal Information it holds against loss, misuse, interference and unauthorized access, modification or disclosure. These steps include:
- holding paper records securely in accordance with government security requirements;
- accessing Personal Information on a need-to-know basis, by authorized personnel;
- ensuring our premises have secure access; and
- ensuring storage and data security systems and protections are regularly audited.
The University may need to retain records for a significant period of time to comply with its legal obligations. Information that is no longer required will be securely disposed of in accordance with the University’s disposal procedures.
Access and Correction
The University allows an individual to access and/or update, correct or amend personal information held about them by application under PPIPA, subject to any exceptions in relevant legislation.
Access and/or correction requests can be made to the University’s Privacy Officer or their delegate by email at firstname.lastname@example.org.
An individual may also request access to University records and information held about them by the University (but not by a controlled entity) under the Government Information (Public Access) Act 2009, subject to any exceptions, by contacting the Right to Information Officer by email at email@example.com.
Information collected via our websites, mobile applications and emarketing applications
The University will not collect any Personal Information about users of our websites, mobile applications and e-marketing applications except when they knowingly provide it or as otherwise described below.
Click Stream Data
When you visit and browse the University web site, our website host may collect information for statistical, reporting and maintenance purposes. The information collected by our website host is used to administer and improve the performance of our website and will not be used to identify you. The information may include:
- the IP address of your computer;
- the date, time and duration of the visit to the site;
- the pages accessed and documents downloaded;
- the previous site visited; and
- the type of browser used.
“Cookies” are small text files that may be transferred to your computer’s hard drive by the websites you visit for the purpose of tracking and storing information about a user’s identity, browser type or website visiting patterns.
Cookies may be used on the University’s website to monitor web traffic, for example the time of visit, pages visited and some system information about the type of computer being used. We use this information to enhance the content and services offered on our website.
Cookies are sometimes also used to collect information about what pages you visit and the type of software you are using. If you access the University’s website or click-through an email we send you, a cookie may be downloaded onto your computer’s hard drive.
Cookies may also be used for other purposes on the University’s website but in each case none of the information collected can be used to personally identify you. You can configure your browser to accept all cookies, reject all cookies, or notify you when a cookie is sent. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences.
Web beacons are images that originate from a third party site to track visitor activities. The University may use web beacons to track the visiting patterns of individuals accessing our website.
The University will record your email address if you send us a message and use it for the purpose for which you have provided it.
You are reminded that email sent over the Internet is not secure, and could be intercepted without your knowledge. While the University takes reasonable steps to secure its websites and mobile applications, you are accepting this risk when choosing to communicate with us via any of these platforms. The University also has other methods of receiving information such as mail, fax, telephone, online forms or social media and you may prefer to use one of these methods.
Links to other Sites
External sites that are linked to or from the University website are not under our control and may collect your Personal Information so you are advised to view their privacy collection notices separately. The University is not responsible for any content contained in any external websites, or accidental or malicious damage that may arise to your local systems, data, software or hardware through accessing the University’s website or any external websites and their content.
Updates to this Policy
This Policy will be reviewed from time to time to take into account new laws and technologies, changes to our operations and business environment. The most current version of this Policy can be accessed from https://www.fedarch.org/privacy or can be provided to you on request.
We encourage you to check this page from time to time for any changes.
Complaints relating to the privacy and confidentiality of users of the FAIMS mobile app or programs can be directed in the first instance to Brian Ballsun-Stanton at firstname.lastname@example.org.
Management of complaints is in accordance with the University’s Privacy Management Plan.
7 RELEVANT LEGISLATION
Privacy and Personal Information Protection Act 1998 (NSW)
Health Records and Information Privacy Act 2002 (NSW)
Government Information (Public Access) Act 2009 (NSW)