View Current

Privacy Policy

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Purpose

(1) We respect the privacy of the information of all individuals that provide their information to us  or that we are otherwise required or permitted by law to collect. This Policy explains how we will manage that information and is to be read subject to any overriding provisions of law.

(2) The University of Canberra is a young University anchored in the national capital and works with government, business, and industry to serve our communities and nation. The University of Canberra challenges the status quo; always pursuing better ways to teach, learn, research, and add value – locally and internationally. Our purpose is to provide education which offers high quality transformative experiences; to engage in research which makes a difference to the world around us; and to contribute to the building of just, prosperous, healthy, and sustainable communities. The University of Canberra has recently established its long-term ambitions through its Connected Decadal Strategy 2023–2032. Through its three objectives (Connected to Canberra, Connected for life and Connected UC), the University of Canberra aims to build sustainable communities through deep collaborations that are locally focused and globally relevant, partner for life with our students to shape our economic, social and cultural futures.

Top of Page

Section 2 - Scope

(3) This Policy applies to the personal information the University collects from and about individuals (your personal information), including staff and students of the University, affiliates, and any other person who interacts with the University in person or online (you). 

(4) All members of University staff have a responsibility to carry out and abide by the principles and processes set out in this Policy.

(5) Except as set out in this Policy, other companies and organisations we associate with, including organisations whose services are in some way linked to us through online content or services (such as apps, social media platforms) do not have a responsibility to carry out and abide by the principles and processes set out in this Policy. You must refer to the relevant Privacy Policy of these other companies or organisations we associate with to understand how your personal information will be managed.

Top of Page

Section 3 - Principles

What kind of personal information do we collect?

Personal information – students

(6) The types of personal information we may collect and hold include:

  1. your name, date of birth, address, phone numbers and email, and evidence of your identity
  2. other personal information provided when you seek student enrolment with us or after you commence studying with us including your photograph and visa status and information – we will comply with the Australian Privacy Principles in respect of this information.   
  3. student records from our University, including information about your attendance at the Bruce Campus, your information that you provide to us when you use student services either online or in person, and when you complete assessment tasks and placements, and from other universities you have attended, if applicable
  4. banking and super details (if applicable), including credit or debit card, and tax details (including your TFN and ABN if applicable), noting there are additional legislative protections on collecting, using or disclosing TFN – for example we will comply with the Privacy Act 1988 requirements regarding a notifiable data breach in respect of a TFN.
  5. other personal information provided when you seek enrolment at childcare centre operated by us, including for example immunisation status and medical conditions
  6. internet protocol (IP) addresses, including via electronic signing platforms (for example, DocuSign)
  7. images of you taken on CCTV footage while on campus 
  8. keystroke information
  9. your employment details (including your company name, job title and business sector) if applicable
  10. other personal information provided when you seek employment or placements with us or after you commence employment or placement with us (including your photograph) and payroll information
  11. personal information, including your name, image, likeness and audio testimonial obtained from background screening providers, electronic recruitment methods, and electronic assessment methods as part of your participation in courses of study and individual units, employment, due diligence or as relevant to a business relationship with us
  12. other personal information provided when you (or any entities that you represent or have a substantial beneficial ownership interest in) commence a business relationship with us if applicable
  13. contact and identification details of any third party that you have authorised to negotiate or provide your personal information on your behalf (including any attorneys appointed by you under a power of attorney)
  14. any correspondence between you and us, or
  15. any other personal information provided to us when you make an inquiry, request information, respond to marketing or lodge a complaint.

Personal information – staff

(7) The types of information we may collect and hold include:

  1. your name, date of birth, address, phone numbers and email, and evidence of your identity
  2. banking and super details, including credit or debit card, and tax details (including your TFN and ABN if applicable), noting there are additional legislative protections on collecting, using or disclosing TFN – for example we will comply with the Privacy Act 1988 requirements regarding a notifiable data breach in respect of a TFN.
  3. other personal information provided when you seek enrolment at childcare centre operated by us, including for example immunisation status and medical conditions
  4. internet protocol (IP) addresses, including via electronic signing platforms (for example, DocuSign)
  5. images of you taken on CCTV footage while on campus 
  6. keystroke information
  7. your employment details (including your company name, job title and business sector) if applicable
  8. other personal information provided when you seek employment with us or after you commence employment with us (including your photograph) and payroll information
  9. personal information, including your name, image, likeness and audio testimonial obtained from background screening providers, electronic recruitment methods as part of your employment, due diligence or as relevant to a business relationship with us
  10. other personal information provided when you (or any entities that you represent or have a substantial beneficial ownership interest in) commence a business relationship with us if applicable
  11. contact and identification details of any third party that you have authorised to negotiate or provide your personal information on your behalf (including any attorneys appointed by you under a power of attorney)
  12. any correspondence between you and us, or
  13. any other personal information provided to us when you make an inquiry, request information, respond to marketing or lodge a complaint.

Personal information – individuals other that staff and students

(8) The types of information we may collect and hold include:

  1. your name, date of birth, address, phone numbers and email, and evidence of your identity
  2. banking and super details (if applicable), including credit or debit card, and tax details (including your TFN and ABN if applicable), noting there are additional legislative protections on collecting, using or disclosing TFN – for example we will comply with the Privacy Act 1988 requirements regarding a notifiable data breach in respect of a TFN.
  3. other personal information provided when you seek enrolment at childcare centre operated by us, including for example immunisation status and medical conditions
  4. internet protocol (IP) addresses, including via electronic signing platforms (for example, DocuSign)
  5. images of you taken on CCTV footage while on campus 
  6. keystroke information
  7. your employment details (including your company name, job title and business sector) if applicable
  8. personal information, including your name, image, likeness and audio testimonial obtained from background screening providers and electronic recruitment or procurement methods as part of your engagement or association with us, due diligence or as relevant to a business relationship with us
  9. other personal information provided when you (or any entities that you represent or have a substantial beneficial ownership interest in) commence a business relationship with us
  10. contact and identification details of any third party that you have authorised to negotiate or provide your personal information on your behalf (including any attorneys appointed by you under a power of attorney)
  11. any correspondence between you and us
  12. any other personal information provided to us when you make an inquiry, request information, respond to marketing or lodge a complaint, or
  13. other personal information provided when you seek employment or a contract with us or after you commence employment or your contract with us (including your photograph) and payroll information.

(9) For staff, students, and individuals other than staff and students, we may also collect and hold a special subset of personal information, sensitive information, such as:

  1. your racial or ethnic origins, or
  2. criminal record information obtained through our background screening processes before you commence, or during, your business or employment relationship with us.

When we will collect personal information

(10) We only collect personal information when it is reasonably necessary or directly related to one of our functions or activities. We recommend that you do not provide sensitive information to us unless specifically requested by us. We will only collect your sensitive information if:

  1. you have expressly consented to us doing so
  2. the information is reasonably necessary for, or directly related to our activities or functions as set out in the University of Canberra Act 1989. For example, collection of personal information to facilitate student and staff recruitment, performance, management, professional development and the identification of products and services that may be of interest
  3. we are required or permitted to do so by law, or
  4. a permitted health or general situation exists, including where it is unreasonable to get your consent and we are collecting the information to lessen or prevent a serious threat to the life, health, or safety of any individual, or to public health or safety.

Children’s privacy

(11) When we intend to collect personal information from children (i.e. people who are under the age of 16), where possible, we take additional steps to protect their privacy, including by:

  1. notifying parents or guardians about our information practices about children, including the types of personal information we may collect from children, the uses to which we may put that information, and whether and with whom we may share that information
  2. obtaining consent from parents or guardians for the collection of personal information from their children, or for sending information about our products and services directly to their children, and
  3. limiting our collection of personal information from children to no more than is reasonably necessary to participate in our services.

(12) Parents and guardians can exercise privacy rights on their children’s behalf, but we may need to verify that you are authorised to act on their behalf and collect additional information from you to do so.

(13) Parents and guardians for children who are under the age of 16 are not third parties for the purposes of this Policy.

How do we collect personal information?

Directly from you

(14) When possible, we try to collect personal information directly from you, for example when you:

  1. submit an application for enrolment to study with us
  2. ask for information or contact us through our website or by telephone
  3. write to us (such as letters, emails or social media)
  4. submit an assessment or some other material related to your study or research
  5. engage with online systems that support study or research
  6. respond to a survey
  7. provide your business card, or pre-employment documentation or other documents to us (such as contracts, public records or identification information for the purposes of confirming your identity), or
  8. meet with us in person.

From third parties

(15) While we will generally collect personal information from you directly, sometimes we might get it from other parties (for example when we check references or pre-employment checks). The other parties we may need to obtain information from include:

  1. other government bodies, including law enforcement agencies
  2. organisations and companies, including from their websites or
  3. our contracted service providers and suppliers as part of our procurement processes.

(16) When we collect personal information from third parties you refer to us, we will assume that you have consented to that third party disclosing that information to us. We will only use and disclose such information provided to it for the purpose for which it was given and other purposes only in accordance with this policy.

(17) If you are a contracted service provider or a partner who gives us personal information about individuals such as your employees, directors or owners, we may also ask you to advise them of the purposes of our collection, use and disclosure of their information in line with this Policy or with a specific collection notice we give to you.

Unsolicited information

(18) If we receive unsolicited information about you, we will retain it (and use disclose or destroy it) in line with our obligations under the law, including the privacy laws and Territory Records Act 2002.

Why do we collect, hold, use and disclose your information?

Purposes for which we may collect, hold, use and disclose your personal information

(19) We collect, use and disclose your personal information to enable us to provide the education, services, products and information you request, and when it is reasonably necessary to enable us to perform our functions and activities. We may also use or disclose your personal information for a secondary purpose which is directly related (where there is sensitive information) or related (for non-sensitive information) to the reason you provided the information in the first place, but only where you would reasonably expect us to use your information for that purpose. In particular, we may collect, use and disclose your personal information for the purposes of:

  1. your student or other (e.g. employment, business or alumni) relationship with us
  2. enabling you to register to gain access to the web tools and publications of the University or to attend an event with us
  3. student account management and administering records
  4. responding to your requests or enquiries and providing you with any publications, information or other services requested by you
  5. communicating with you during your tenure as a student or other relationship with us, including payment of invoices
  6. taking action in relation to suspected misconduct by you, or action in relation to a complaint made by you
  7. safety and security purposes, for example when you enter a University room with your swipe card
  8. assessing your application for employment
  9. complying with our obligations under law
  10. any other purpose which relates to or arises out of requests or complaints made by you
  11. doing anything which you authorise or consent to us doing, or
  12. when establishing or defending a legal or equitable claim, or participating in confidential dispute resolution processes or taking any other action, we are required or authorised by law to take.

(20) We can also use it for a secondary purpose where permitted by law, including the privacy laws.

(21) We will not sell, trade or rent your personal information.

To whom we may disclose your personal information

(22) We may disclose your personal information to:

  1. other Territory, or Commonwealth or State Government bodies, or Registration Bodies, including to the Australian Taxation Office
  2.  the University of Canberra College
  3. accommodation service providers for example a lodge, college or hall of residence
  4. publishers about the award of certain prizes and scholarships
  5. publishers and conference conveners and other similar entities about your research activities including your involvement in academic papers, presentations or academic conferences at or involving the University
  6. our partners and contracted service providers, including entities who supply to us data processing and other administrative and support functions and services, our website, electronic signing platforms, IT, marketing, administration and other services, and our professional advisers (for example, our insurers, auditors, lawyers and consultants)
  7. in respect of internet protocol (IP) addresses collected via electronic signing platforms (for example, DocuSign), the counterparties to a document being executed electronically by you
  8. any entity to whom we are required or authorised by law to disclose your information (for example, law enforcement agencies and government and regulatory authorities)
  9. with your consent (express or implied), other entities – for example other universities where necessary (such as cross-institutional exchange or recognition programs)
  10. anyone who represents you (for example your power of attorney, or in the case of a child at a childcare centre their guardian), or
  11. third parties we engage to carry out activities you have requested, or
  12. for direct marketing purposes (unless you have opted-out of direct marketing communications). You can opt out of receiving marketing material from the University by contacting the University via the contact details in Clause 35.

(23) The above entities may in turn disclose your information to other entities as described in their respective privacy policies or notices.

Why we disclose your personal information for another purpose

(24) We will only use or disclose your personal information for another purpose if:

  1. you have consented to the use or disclosure of the relevant information, or
  2. requested, for example, when you graduate from the University (the record of your graduation from the University is a public document), or
  3. another exception applies (including where the use or disclosure is required or authorised under an Australian law or where a permitted general situation applies, such as where it is unreasonable or impracticable to obtain consent, and it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety).

Overseas disclosure of information

(25) From time to time, we may engage contracted service providers or partners located overseas (including, but not limited to providers or partners located in Indonesia) to perform certain functions and activities.  Generally, this information is provided for the purposes of global student recruitment or under collaboration agreements for student exchanges. While they are providing services to or partnering with us, we may need to disclose your personal information to these recipients. If your personal information is sent overseas, we will take reasonable steps to ensure that our contracted service providers and partners have policies, procedures and systems in place to ensure your personal information is handled in accordance with the Privacy Act and other applicable legislation.

Data storage, retention, security and location of your information

(26) We are committed to protecting information we hold about you. We will (and we will require our contracted service providers to) take reasonable steps to protect your information (whether in physical or electronic form) from loss, misuse, unauthorised access, modification and/or disclosure.

(27) We may store your information in different forms, including in physical and electronic form, including using cloud-based storage services. We take steps to ensure the security of your personal information despite its form, including through our websites and service applications, but there is always some risk when transmitting information across the internet, including a risk that information sent to or from a website or other Internet of Things application may be intercepted, corrupted or modified by third parties.

(28) When your information is no longer required by law to be retained by us, we will take reasonable steps to destroy, delete or de-identify your information in a secure manner. The privacy laws and the Territory Records Act 2002 (ACT) are some examples of laws that may require us to retain certain information.

How to access and correct your personal information

Generally

(29) It is important that the personal information we hold about you is complete, accurate, current and relevant. At any time while we hold your information, we may ask you to tell us of changes to your information. Alternatively, if you believe that any of the personal information we hold about you is inaccurate, out-of-date, incomplete, irrelevant or misleading and needs to be corrected or updated, please contact us (see the ‘Contact Us’ section below).

(30) We will respond to a request to access or correct your personal information within:

  1. any period prescribed by law, and
  2. otherwise within 30 days. If we cannot respond to you within 30 days, we will contact you and provide a reason for the delay and an expected timeframe for finalising your request.

(31) You may request to access or correct your personal information at any time by contacting us. We will give you access to the personal information unless an exception in the law, including the privacy laws, applies (or it is otherwise unlawful). Sometimes we may not be required to correct your personal information (for example, where it would be unlawful). Also, sometimes we may not be able to require our contracted service providers, partners or other third parties to give you access to the personal information they hold about you.

(32) If we do not give you access to your personal information and/or allow you to correct it, you can ask us to include with the information a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.

(33) If we do not correct your personal information, we will give you our reasons for our decision.

FOI Act

(34) While the first step to ask us to give you access to or correct information we hold about you is described in Clauses 29–33 above, an alternative way is to lodge a formal application under the Freedom of Information Act 2016. For more information on how to lodge a FOI application please visit our FOI webpage. There may be fees associated with FOI requests.

Contact us

(35) If you have a complaint or otherwise wish to contact us about our handling of your information or any of the matter covered by this Policy, please contact:

  1. by post at: Privacy Officer, University of Canberra, 11 Kirinari Street, BRUCE ACT 2601, Australian Capital Territory
  2. by email: privacy@canberra.edu.au
  3. by phone: +61 2 6201 5569
  4. by TTY: +61 2 6251 4601 (for hearing impaired callers).

(36) We welcome your questions and any suggestions you may have about our Policy. If you would like to lodge a formal complaint, we:

  1. ask that you lodge it in writing;
  2. will acknowledge receipt of your complaint as soon as possible; and
  3. will then investigate the circumstances of the complaint and respond to you in a reasonable timeframe.

(37) If you are not satisfied with how we have handled your complaint, then you may escalate the complaint to the Office of the Australian Information Commissioner (OAIC) at:

  1. telephone: 1300 363 992 (if calling from outside Australia including Norfolk Island please call: +61 2 9284 9749)
  2. National Relay Service: through the Contact Us page on the OAIC
  3. website: www.oaic.gov.au/about-us/contact-us/
  4. post: Office of the Australian Information Commissioner, GPO Box 5218, SYDNEY NSW 2001
  5. fax: +61 2 9284 9666
  6. email: enquiries@oaic.gov.au
  7. website: www.oaic.gov.au/privacy/privacy-complaints/make-a-privacy-complaint-in-the-act.

Dealing with us online

University website

(38) This Policy applies to your use of the University website – www.canberra.edu.au – and any personal information that you may provide to us via our website including our staff and student portals and any other subsites as part of the University of Canberra domain.

(39) We believe it is important for you to know how we treat this personal information and how we carry out data processing practices with the Internet and any other electronic communications networks.

(40) When you visit our website, we and/or our contracted service providers and partners may collect certain information about your visit. Examples of such information may include:

  1. Cookies: cookies are small amounts of information which we may store on your computer (after you register on our website) to enable our server to collect certain information from your web browser. Cookies in themselves do not identify the individual user, just the computer used. Cookies and other similar technology make it easier for you to log on to and use the website during future visits. It also allows us to monitor website traffic, to identify you when you visit our website and to personalise the content of the website for you and to enable you to both carry out activities and have access to information about you. The data collected through cookies is used as a basis for targeting online advertising and allows us to personalise your advertising experience. We use third party advertiser cookies for remarketing to advertise online. Cookies themselves only record which areas of the site have been visited by the computer in question, and for how long. Allowing us to create a cookie does not give us access to the rest of your computer and we will not use cookies to track your online activity once you leave our site. Cookies are read only by the server that placed them, and are unable to execute any code or virus
  2. Site visit information: we collect general information about your visit to our website; it may include your server address, the type of internet browser, the date and time of visit, and the pages accessed. We collect it not to use it to personally identify you. Instead, we aggregate it and use for system administration, to prepare statistics on the use of our website and to improve our website’s content and our services, and we may use it for marketing purposes, and
  3. Visitation restricted for some sites: some of our web services are restricted by user log-in protocols. We ask you to use your University ID to access these sites (and collect this information from you) to help us keep the information on these sites secure from unauthorised alteration, use or disclosure, to resolve problems with our IT systems, and to keep an auditable record of who has accessed this information.

(41) Our website may contain links to other websites which are outside our control and are not covered by this Policy. Though we scrutinise the links that are included on the UC website, we do not endorse, approve or recommend the information, services or products provided on other websites. If you access other websites using the links provided, the operators of these websites may collect information from you which will be used by them in accordance with their policy framework which may differ from ours.

(42) By using our website, or giving us information, you consent to us managing your information in the way described in this Policy.

Social media

(43) We compile and categorise a list of our followers on social media platforms. We may also receive information from you on Social Media where you give it to us. Additionally we may also receive aggregate, non-personalised statistics on the University’s coverage in social media.

Legislation

(44) The law deals with personal information, including sensitive information, differently from personal health information (see definitions below). Generally, the way we manage your personal including sensitive information is governed by:

  1. the Information Privacy Act 2014, and
  2. the Territory Privacy Principles (TPPs) established under the Information Privacy Act 2014.

(45) We also manage your personal information including sensitive information in compliance with other relevant legislation, including:

  1. the federal Privacy Act 1988; and
  2. Australian Privacy Principles (APPs) as required (for example, under the Higher Education Support Act 2003).

(46) The way we manage your personal health information is governed by, and we will act in accordance with:

  1. the Health Records (Privacy and Access) Act 1997 (HRPA Act); and
  2. the Health Privacy Principles (HPPs) established under that Health Records (Privacy and Access) Act 1997.

Changes to this policy

(47) We may revise or supplement this Policy from time to time. Any updated version of this Policy will be posted on the University’s Policy Library and will be effective from the date of posting. You should bookmark and periodically review this page to ensure that you are familiar with the most current version of this Policy and so you are aware of the way we handle your information.

Top of Page

Section 4 - Responsibilities

WHO RESPONSIBILITIES
Vice-Chancellor
  • Approval source of this Policy
Chief Operating Officer and Vice-President Operations
  • Policy Sponsor of this Policy
Chief Operating Officer and Vice-President Operations
  • Policy Custodian of this Policy
Privacy Officer
  • Manage the investigation and resolution of complaints submitted under this Policy.
  • Provide advice and guidance to staff on the implementation and compliance with this Policy.
Staff and Affiliates
  • Collect, handle, store and destroy personal and sensitive information in accordance with this Policy.
Individuals who provide personal information to us
  • Provide the University with correct personal and sensitive information. 
Top of Page

Section 5 - Definitions

TERM DEFINITION
contracted service provider means an entity or person engaged by us to provide services to the Australian Capital Territory or us, and includes their subcontractors.
our partners means our wholly or partly owned companies, including for example UCX Ltd, other universities and other organisations that we partner with, including software and hosting service providers.
personal health information means information or an opinion about a consumer (or from which their identity is apparent) whether true or not, and whether recorded or otherwise, which relates to their health or an illness or disability of theirs. You are a consumer when you use, or have used, a ‘health service’ or a ‘health record’ about you has been created (as those terms are defined in the Health Records (Privacy and Access) Act 1997).
privacy laws mean the Information Privacy Act 2014 and the TPPs contained in the Act, the Health Records (Privacy and Access) Act 1997 and the HPPs contained in the Act, and the Privacy Act 1988 in respect of Tax File Numbers (TFN) and as applicable under the Higher Education Support Act 2003.
reasonably necessary means that the personal information is collected because it is required to perform a function or activity and the University could not properly undertake the function or activity without collecting the personal information.
we, our or us means the University of Canberra, including the Medical and Counselling Centre, Wiradjuri Preschool and Child Care Centre and Health Clinics, our controlled entities, Council members, employees (and those of controlled entities), volunteers, students on a placement facilitated by the University of Canberra, officers and agents and contracted service providers
your personal information means your personal information, including sensitive information, but excluding any personal health information. When we use ‘personal information’ and ‘sensitive information’, we use them in the same sense as the Privacy Act – in short:
  1. personal information: is information or an opinion about you (or from which you are reasonably identifiable) whether true or not, and/or whether recorded in material form or not, but it does not include personal health information, and
  2. sensitive information: is a subset of personal information that is about your racial or ethnic origin, political opinions, membership of political associations, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, genetic information (except personal health information), biometric information (to be used for the purpose of automated biometric verification or biometric identification) or biometric template.