Hot Issues

Note: These summaries are intended to illustrate and inform UWS staff about common privacy issues at the University. Specific issues should be assessed against the privacy principles and formal advice sought where appropriate.

Privacy Issues for Youth

The Federal Privacy Commissioner is conducting an Australia-wide campaign to raise privacy awareness among young people. Information about important privacy issues affecting young people is available at the Commissioner's Youth Portal at: http://www.privacy.gov.au/topics/youth

Using Third Parties

The University occasionally uses outside organisations to provide particular services and this can involve the provision of personal information to the third party by the University or its staff. An example of this would be the use of external travel agencies. The University is responsible for the personal information it holds, irrespective of whether a third party is involved. It is therefore essential that there is a specific agreement with any third party about privacy issues. This can be built into the overall contract or agreement on services or be a separate 'privacy agreement'. For more information, please contact the Privacy Officer or the Office of Legal Counsel.

Student Privacy and Student Results

A student’s results for examinations or any forms of assessment are personal information in terms of NSW privacy law (Privacy and Personal Information Protection Act 1998). All students’ marks must be managed, used and disclosed in accordance with the privacy principles in the Act and the UWS policy.

Conveying results to students must be done in a manner that ensures that other students are not informed of or able to deduce the results of others. The University has a legal obligation to ensure the privacy of this information.

To date this University has relied on the anonymity of the student ID number matched to the result. Assessment marks have commonly been produced in list form for all students in a unit and master lists have been uploaded to WebCT and also placed in hard copy lists on School notices, doors etc.

Recently UWS has required that staff communication with students be done via their UWS email accounts, which include the student ID number as part of the email address. UWS has also required students to communicate with us using their UWS email account. This extended communication to and from students, and among the students themselves in various contexts, inevitably leads to disclosure of individual student ID numbers (often in combination with their name) to other students.

When staff publish any student marks in a master list form, either on the web or in hard copy format, students can readily identify the results of other students in the unit.

Consolidated or master lists of student marks by ID number should not be published in any form, and procedures need to be developed to supply marks directly and securely to the individuals to whom they relate.

In the WebCT environment there is already a tool (MyGrades) available for assessment marks to be published so that individuals can only access their own marks and that mechanism should be uniformly adopted for that purpose. In other contexts different dissemination procedures will be needed that do not breach our legislative duty to protect personal information. Note that final results must only be published via Platform Web and official hard copy results notices.

The question might be asked as to whether some alternative can be adopted to delete or suppress the ID number in the email address. This issue has been raised with the ITD for examination but the use of the unique ID number (for both students and staff) is the most practicable and necessary mechanism to establish identity and access in UWS IT systems. Students are able to change their email addresses through the configuration options on the web access page for student email and are, and should be, encouraged to do so if they have concerns about their privacy.

Students should be vigilant about protecting their own privacy but this does not negate the basic responsibility of the University under the Act to ensure that it has adequate security safeguards in place to protect personal information.

Collection of Student Contact Details in Classes

It is often the case that lecturers collect student contact details during classes, sometimes for the purpose of facilitating group work among students.

From a privacy perspective it is not appropriate to circulate a list, or pass around a sheet of paper to collect personal details. Very simply this could result in uninvited or unwelcome contact between students.

Information that is collected by a lecturer should be collected individually. Where information may be circulated to other students, then the participants need to be advised of that in advance. They should only be asked to provide necessary information and be given the opportunity to provide contact details that they themselves are comfortable in releasing. So in a group work situation, it may only be necessary that an email address and/or contact telephone number (e.g. mobile) be provided. If a home address and home telephone number are not essential then they should not be collected.

Return of Student Assignments

Marked student assignments containing information about the identity of the student on the cover would fall within the definition of personal information under the Privacy and Personal Information Protection Act 1998.

As such if students are able to access other students’ assignments and peruse the details, the University could be found in breach of the Privacy Principles. In particular Principle 5 requires the University to take “such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse”. Access by a student to another student’s personal information would most likely be found to be unauthorised access.

Hence lecturers and administrative staff within Schools need to ensure that there are processes in place to enable students individually to collect their assignments. Leaving assignments in a bundle where students can view the assignments of others is contrary to the privacy legislation.

Use of Case Studies of Individuals in Teaching

In areas such as nursing and health it is common practice to use case histories of individuals in teaching. In terms of privacy it is essential that these cases be fully de-identified through the permanent removal of any identifying information.

If it is necessary to use identified information, then the consent of the person is necessary. However, even where consent is readily obtainable, best practice in terms of privacy would dictate that one should not use identified material if it is not essential to do so, and even then only to use what is needed leaving out other material. So for example, if a patient consented to the use of photographs depicting them receiving medical treatment as an example of proper procedure and the photographs contain other information such as name, date, identity number etc., the superfluous material should be removed, notwithstanding the fact that the patient had consented to the use of the images with all of the details.

The use of visual images of individuals also warrants some consideration. While the use of an image of a person’s foot may not present privacy issues, the use of a person’s face certainly does. In the latter case, if the facial image is necessary to the study then consent should be obtained. If the facial image is not necessary then it should be removed or obscured.

An over-riding principle with respect to the use or disclosure of a person’s information is to respect the dignity and privacy of the individual. Hence even where de-identified material is being used, the consent of the ‘subject’ should be obtained if it is practicable to do so.

Use of Visual Images of Individuals

Care should be taken with respect to the photographing/filming of individuals and any subsequent publication of those images.

Where it is intended to use a person’s image in a University publication, be it in-house or external, the consent of the individual should be obtained. Also, consideration should be given to the nature of the publication. Publication for instance of a photograph in AroundUWS, which is an in-house publication with limited distribution, is very different to publication of the same image on the internet. Once material is on the public internet, the University, and the individual, lose any control over how that information might be accessed and used. Digital images can be readily modified.

In some instances it may not be realistic to obtain consent such as in the case of a photograph depicting a crowd at Open Day. The need for consent will depend on issues such as whether the individuals could be identified and the context in which the photograph was taken. An image of staff members at an official University ceremony may not require consent but it would not be appropriate to publish photographs from the Christmas party without consent. It depends on context and whether the image intrudes upon a person’s privacy. Cultural issues may also warrant consideration.

In circumstances such as a student prize and award evening where photographs are routinely taken, good practice would be to advise the students of this in the letter that invites them to the ceremony and which indicates to them how the image will be used. It would not be appropriate to publish photographs and other information on the internet without the students having received this notification.

Finally, extreme care should be taken with respect to publication of images involving children on the internet, given the ease with which such images can be modified and manipulated and used for other purposes, such as pornography. Consent should be obtained for the use of images depicting children.

Also if images are published and it is not necessary to identify the persons involved, then it is better to err on the side of caution and not publish the names. Privacy is about only using information necessary to the purpose and a 'minimalist' approach should be adopted.

A very useful Information Sheet has been produced by Privacy Victoria on this issue, titled “Images and Privacy”. It can be downloaded from the Privacy Victoria website.

Publication of Student Details on the Internet

Disclosure of information about students is dealt with under the document “Disclosure and Use of Student Personal Information Guidelines”. Occasionally units within the University wish to publish details of students on the internet. This could range from notice of the recipients of the Dean’s Medal through to research achievements of postgraduate students.

Generally in these circumstances the prior consent of the students should be obtained.

In the case of Dean’s Medal or other prize recipients, these are normally presented at a public ceremony. Further the Dean’s Medal holders should be identified as such in the Graduation Book that represents the public information that the University routinely releases on request to persons with a legitimate interest.

However, publication of award information on the internet is much more public than, say, the publication of a list of award recipients in a program produced for the awards night. In these circumstances good practice would dictate that, if information of this kind is intended to be published to the internet, students are advised of this in advance and have the opportunity to not have their information published if they have concerns.

Consideration should be given to the need or benefit to be derived from the publication in this public form.

Personal information about students, assessment results, addresses, contact details should not be published on the internet at any time.

Privacy and Confidentiality – What’s the Difference?

One of the oldest definitions of privacy in its contemporary context is that it is ‘the right to be left alone’. The term privacy always attaches to individuals and refers to the rights that individuals have to control information that is personal to them. Hence there is emphasis in the legislation on defining personal information in terms of the capacity for it to enable identification of individuals.

Privacy law is about the balance between, on the one hand, empowering individuals by providing them with statutory control over their personal information and, on the other hand, establishing a framework under which organisations can collect, store, use and disclose such information for legitimate purposes.

Confidentiality on the other hand is a much broader concept. Information may be confidential that is not personal. Confidentiality can also refer to organisations and to maintaining the integrity of processes and protecting the confidentiality of sources. Legally, organisations do not have ‘privacy rights’, individuals do. Confidential material is usually confined or restricted in its use depending on the circumstances and the needs of both individuals and organisations. Personal information may become subject to confidentiality processes or edicts within an organisation but that will not affect the rights of the individual who is the owner of that information.

So, for instance, in the health system information about an individual may be circulated among medical practitioners and others for legitimate purposes and under ethical standards of confidentiality. Confidentiality provisions will dictate how that material is handled. However, privacy is an obligation to the individual who is the ‘owner’ of the information and applies irrespective of who is providing the information. Note that even though in this case the medical practitioners are the creators of this information, it falls within the legal definition of ‘personal information’ relating to an individual who retains legal rights in relation to it.

The UWS Golden Rules of Privacy

In dealing with any issue that has privacy considerations it is essential that the matter be tested against the principles dealing with the collection, storage, access and accuracy, use, and disclosure of personal and health information. These are summarised in the Privacy Policy and detailed in the Privacy Management Plan.

However, in the training seminars on privacy that are run each year we have developed six 'Golden Rules' for UWS. These are:

  • always test against the principles in the policy
  • if you have valid consent, privacy is not an issue. 'Valid' means voluntary, informed, specific and current
  • only collect or disclose the minimum amount of information necessary for the particular and legitimate purpose
  • when you can - de-identify
  • always advise individuals in advance about how their information will be used and/or disclosed
  • seek advice if you are unsure - privacy@uws.edu.au.

Transfer of Personal or Health Information Collected in one area of the University to another area

When any area of the University collects personal or health information from an individual, the use of that information is basically restricted to the purpose for which the information is collected. While there are some exemptions in special circumstances such as in genuine emergencies, or for the purpose of an investigation, the basic rule is that information cannot be passed from one area of the University to another unless the intended use falls within the parameters of the purpose of the original collection.

So for instance the loan records of students from the Library, where those records contain personal information, cannot be provided to other areas of the University in normal circumstances. A formal application would need to be made to the University Librarian that would then be assessed in accordance with privacy law and the exemptions that exist. One such exception would be where the University is conducting an investigation. If the information is properly de-identified then the privacy issues are less relevant.

Note also that privacy legislation provides individuals with certain rights with respect to the handling of their personal information. It does not provide any rights of access to personal information to organisations or individuals, other than the person who is the ‘owner’ of the personal information. So in the example of the Library above while privacy law may allow the Library to release personal information in particular circumstances, there is no compulsion on it to do so. The issue would need to be assessed and determined in accordance with the purpose of the intended use.

There has been a recent case on the issue of the disclosure of personal information within a large organisation in the NSW Administrative Decisions Tribunal (ADT) that highlights these issues. A summary of the case (KJ –v- Wentworth Area Health Service [2004] NSWADT 84) and a link to the full text of the decision can be found on the Privacy NSW (Lawlink) website.

Research Ethics and Privacy

The Health Report program on ABC Radio National recently considered privacy issues in an examination of a research project conducted by a university involving surveying of individuals. The program provides an interesting insight into some of the issues and problems that can arise. The program and the transcript are available at The Health Report (ABC) website.
