As a statutory authority, QUT must comply with the requirements of Information Standard 42 – Information Privacy (IS42), which is designed to protect the privacy of an individual's personal information held by a government department or agency. Personal information is defined by IS42 as “information or opinion, whether true or not, about an individual whose identity is apparent, or whose identity can reasonably be ascertained from the information or opinion”.
IS42 requires the University to maintain the following:
- QUT Privacy Plan
- Privacy Contact Officer
- A privacy and security statement on the QUT website
- A privacy complaint resolution mechanism
- A mechanism for accessing and amending records
The University must also comply with IS42's 11 Information Privacy Principles (IPPs), which provide guidance on the collection, storage, management, use and disclosure of personal information.
Collection of personal information
- QUT can only collect personal information which is relevant to a lawful purpose necessary to its functions and activities.
- QUT must not collect information by an unlawful or unfair means.
- The collection of information must not intrude unreasonably on the personal affairs of the individual concerned.
- QUT must provide individuals with a privacy notice when collecting information, informing them of:
  - The purpose of collecting the information;
  - Whether the information is required by law; and
  - Any person, body or agency to whom the information is routinely disclosed.
Storing and managing personal information
- QUT must ensure that the information it holds is protected by reasonable security safeguards against loss, unauthorised access, use, modification or disclosure.
- If QUT gives information to others in the course of an activity or function, it must take reasonable steps to prevent unauthorised use or disclosure of the information.
- Staff must take reasonable steps to ensure that personal information is accurate, up-to-date and complete before using it.
Using personal information
QUT must not use personal information for any purpose other than the purpose for which it was collected, unless:
- the individual concerned has been advised in a privacy notice that this is the University's routine practice;
- written consent has been received from the individual; or
- it is required by law.
Disclosing personal information
QUT must not disclose personal information, unless:
- the individual concerned has been advised in a privacy notice that this is the University's routine practice;
- written consent has been received from the individual; or
- it is required by law.
Access to personal information and rights to amendment
IS42 requires that QUT provides an individual with access to their own personal information held by the University, except if this is not permitted by law. QUT must also allow an individual to request alteration of any inaccurate, irrelevant, out-of-date, incomplete or misleading information about them.
At QUT these rights are administered through either the Freedom of Information processes or the University's administrative access scheme.
