1. Purpose
This policy has been created to ensure compliance with relevant privacy legislation, Higher Education Standards, and the commitment of the Sydney College of Divinity (SCD) to transparency, responsibility, and fairness in its management of information.
The policy has also been created to guide the SCD in its application of the principles of respect for the privacy of individuals and the safeguarding of confidences in its oversight of staff, students, and others.
2. Scope
This policy applies to:
-
the SCD as a whole, including its Member Institutions (Mis), with all references to the SCD in this document incorporating its MIs;
-
all current staff and students of the SCD;
-
all persons currently connected to the SCD, such as partners, contractors, or volunteers, about whom information is kept;
-
all previous staff, students, and others, about whom information is still kept.
Clarification:St Andrew’s Greek Orthodox Theological College (St Andrew’s), located at 242 Cleveland Street REDFERN NSW 2016, is a Member Institution (MI) of the Sydney College of Divinity (SCD).
3. Statutory Obligations
The SCD is obliged to comply with the Higher Education Standards 2015, which require higher education providers, among other things:
-
to ensure adequate levels of student support;
-
to promote fairness, diversity and equality;
-
to support safety and wellbeing among staff and students;
-
to maintain records that are secure, accurate, and up-to-date;
-
to manage information responsibly.
These all have relevance to issues of privacy and confidentiality.
SCD is also subject to the requirements of the following legislation:
-
(National) Privacy Act 1988
-
NSW Privacy and Personal Information Act 1998
-
NSW Health Records and Privacy Act 2002
-
Freedom of Information Act 1982
4. Definitions
Personal informationis information that enables an individual to be identified within the SCD system. This includes, but is not restricted to, home address, contact information, place of origin, date of birth, marital status, education, employment and tax file number.
Health informationis information relating to an individual’s state of physical or psychological health, disability or overall wellbeing.
Sensitive informationis information about an individual’s character, identity, experience, history, lifestyle and so on, which might require higher levels of confidentiality when dealing with that individual. Sensitive information includes, but is not restricted to, criminal records, political views or associations, theological or philosophical beliefs, sexuality, racial/ethnic identity, and marital history.
5. Principles
The SCD affirms that:
-
there should be an overall culture of respect, trust and mutual support throughout the SCD, as an expression of its identity as a community of faith;
-
an individual has a reasonable right to and expectation of privacy, and that the SCD will respect that right;
-
any collection of information carried out by the SCD will be lawful;
-
any collection of information will be what is reasonably necessary to facilitate the goals and operations of the SCD;
-
collection of information will be done with the awareness and consent of the individual or his/her legal representative;
-
individuals are entitled to know the purpose and use of information collected about them, and who will have access to it;
-
collection of information will not unreasonably intrude into the personal affairs of the individual;
-
all information collected will be accurate, complete and up-to-date;
-
all information collected will be kept secure, to be accessed only by those authorized to do so;
-
information collected will not be used for any purpose other than that for which it was collected;
-
information held by the SCD will be discarded when it is no longer necessary to keep it.
6. Rights
The SCD affirms that:
-
The Sydney College of Divinity has the right to request, collect and keep information about individuals, where that information is relevant to its goals and operations
-
Individuals about whom information is kept have the right to access that information and request or make changes to that information if necessary
-
Individuals about whom information is kept have the right to know the purpose for which information is kept, and the way that information may be used.
-
Individuals about whom information is kept have the right to know any other parties to whom that information might be disclosed, and the purpose of that disclosure. Individuals have the right to give, withhold or withdraw consent for such disclosure.
7. Consent
The SCD confirms that:
-
Consent to collect, store and use information as part of normal college operations, is stated or implied in the terms and conditions of student enrolment or offers of employment.
-
Collection, storage and use of information for purposes other than what is reasonable as part of normal college operations, or other than that for which the information was collected, requires specific consent of the individuals concerned.
-
Disclosure of personal, health or sensitive information without consent may occur in cases of emergency, or to lessen specific threats to the safety or wellbeing of the individual.
8. Collection of Information
8.1 Normal Practice
As normal practice, information is to be collected:
-
directly from the individual;
-
in standardized formats, being the same in either hard or soft copy;
-
in ways that make the purpose of collection clear;
-
in ways that ensure there is no confusion about the type of information required;
-
in ways that ensure quick, efficient and secure collation and storage of the information.
Normal practice may vary depending on the type of information being collected, the circumstances in which it is being collected, and the source of the information (e.g. information received from third parties). Where information is collected in ways other than normal practice:
-
copies of source documents must be kept;
-
records of conversations, interviews etc., including date, time and circumstances must be kept;
-
sources of information must be clearly identified;
-
information must be transferred into standardized formats where possible;
-
the individual concerned must be made aware that the information has been received and stored.
Clarification: In most cases, the person responsible for privacy matters at St Andrew’s is the Registrar. In the first instance, all enquiries regarding privacy matters may be communicated to the Registrar for general discussion and further advice.
8.2 The Provider
The person who provides information is expected to:
-
clearly identify himself or herself as the provider of the information, and, if a third party, on whose behalf the information is being provided:
-
ensure that all information provided is accurate, complete and current;
-
ensure that all required information is provided by the date specified.
Failure to comply with these requirements may result in:
-
delays to, or rejection of, admission as a student or approval as an employee;
-
disciplinary action where appropriate.
In all cases, deliberately providing information that is false or misleading will be regarded as a serious breach of the Code of Conduct and will result in appropriate disciplinary action.
8.3 The Collector
The person who collects information is expected to:
-
collect information promptly, efficiently, and in accordance with guidelines given;
-
ensure that the information collected is clearly matched to the individual concerned;
-
respect and maintain the privacy of the individual during the collection process;
-
act to secure the information immediately, or as soon as possible after its collection.
Failure to comply with these requirements may result in:
-
the person being removed from the collection process;
-
disciplinary action where appropriate.
9. Storage and Security of Information
All information collected by the SCD will be stored in compliance with the College’s Record Keeping Policy. This includes, but is not restricted to,
-
ensuring that information stored electronically is protect by restricted access, and up-to-date security software;
-
keeping hard copy information in lockable cabinets, in lockable rooms;
-
maintaining diligent oversight of any third-party access to stored information;
-
ensuring that all persons associated with the SCD are aware of security and confidentiality requirements, protocols and procedures for accessing information, and regulations governing use of information.
10. Access to Information
10.1 General
Access to information kept by the SCD will be:
-
only for those authorized to have such access;
-
only for specific purposes related to college operations;
-
only for the time required to complete the purpose for which it is accessed.
10.2 Individual Access
Individuals about whom information is kept are entitled to access that information to review, correct and update it. Any such access must occur with the knowledge and approval of relevant staff.
10.3 Access by Third Parties
No person may access, or attempt to access, information about another person, unless that access:
-
has the knowledge and consent of the individual concerned;
-
has the approval and authorization of the relevant staff.
No individual may grant another person access to their personal information without the knowledge and approval of the relevant staff.
11. Use of Information
All information collected by the SCD is used for purposes related to the goals and operations of the College and is done so with the awareness and consent of individuals.
Personal information is collected and stored for the following reasons:
-
contact and communication as part of the normal operations of the SCD;
-
contact and communication in case of emergency;
-
distribution of information, newsletters or other promotional material related to SCD operations and activities;
-
other types of communication that may be reasonably undertaken within the context of the relationship between the college and the individual;
-
satisfaction of legal obligations.
Health information is collected and stored for the following reasons:
-
awareness of specific needs that an individual might have;
-
awareness of conditions that might affect an individual’s capacity to work or study;
-
informed support of an individual in health-related emergencies or challenges;
-
ability to provide assistance to other relevant parties in situations of medical emergency;
-
ability to provide assistance to individuals or other relevant parties where legal matters are involved.
Sensitive information is collected and stored for the following reasons:
-
awareness of specific challenges that an individual might face in carrying out work or study at the SCD;
-
informed support of an individual experiencing difficulties related to background, life experience and so on;
-
fulfillment of equality and fairness obligations related to disability, disadvantage or identity concerns;
-
ability to provide assistance to the individual and other relevant parties in situations of emergency, or where legal matters are involved.
12. Disclosure of Information
Disclosure of information to third parties will be with the full knowledge and consent of the individual, except:
-
in emergencies where disclosure of information is necessary to protect or ensure the wellbeing of the individual;
-
in situations where the individual is not capable of giving consent, but the disclosure of information is necessary to assist with the support, care or protection of the individual;
-
in legal cases where disclosure of information is required by law.
Where information about an individual is disclosed, the purpose of that disclosure must be made clear.
13. Confidentiality
All persons associated with the SCD are entitled to expect that any information they may disclose as part of their relationship with the SCD will be held in confidence. Contexts for such disclosure include, but are not restricted to:
-
private conversations where it is clearly understood that the conversation is private and confidential;
-
face-to-face interviews;
-
phone conversations;
-
correspondence, whether paper or electronic;
-
online forms;
-
communication via electronic means, such as messaging.
Maintaining of confidence is important, and should be upheld:
-
as part of respect for the integrity of the individual;
-
as part of an overall culture and atmosphere of trust and support throughout the SCD;
-
in line with the pastoral care goals of the SCD.
Information given in confidence should only be disclosed:
-
with the knowledge and consent of the individual concerned;
-
to those with a legitimate interest in the information as part of college operations, or pastoral support for the individual, and who can also be expected to maintain its confidentiality.
Disclosure of information given in confidence may occur without consent:
-
where the disclosure serves to prevent or lessen a genuine threat to the individual’s safety or wellbeing (e.g. police, medical personnel, emergency services);
-
where the disclosure serves to assist others with a legitimate connection to the individual in matters of personal support, immediate treatment or ongoing care (e.g. family, professional care givers, medical practitioners);
-
where the disclosure is required by law.
14. Breaches of Policy
Any action will be regarded as a breach of this policy when:
-
it compromises the integrity of information held securely by the SCD;
-
it gains, or attempts to gain, without authorization, access to information held securely by the SCD;
-
it uses, or attempts to use, information held by the SCD, without authorization, or for purposes apart from those for which the information was collected;
-
it violates the right to privacy and confidentiality of any individual associated with the SCD;
-
it causes distress, embarrassment or loss of reputation to the SCD, or any individual associated with the SCD.
Breaches of policy include, but are not restricted to:
-
opening filing cabinets without permission;
-
copying information without permission;
-
procuring, or attempting to procure, the passwords or log in details of others;
-
interfering, or attempting to interfere, with information security systems;
-
gaining, or attempting to gain, access to another’s personal records;
-
changing, or attempting to change, the information of another person;
-
giving false information;
-
accessing one’s own personal records without permission;
-
assisting unauthorized persons to gain access to information held securely by the SCD;
-
recklessly or maliciously sharing information without consent, by word-of-mouth, written, or electronic means;
-
disclosing personal information, without consent, to third parties not legitimately connected to the individual concerned;
-
using personal information held by the SCD for the purpose of marketing, solicitation, recruitment, or promotion of personal viewpoints;
-
sharing confidential or securely held information to media organizations, social media platforms or websites.
Breaches of this policy will result in appropriate disciplinary action, in accordance with the SCD’s Code of Conduct, such as:
-
imposition of appropriate restrictions;
-
suspension or termination of enrolment or employment;
-
referral to legal bodies.
Breaches of this policy should be reported immediately and accurately to the relevant staff member.
15. Complaints
Individuals who want to lodge a complaint about possible breaches of privacy or confidentiality, or mishandling of information, are to follow the procedures set out in the College’s Complaints and Grievances Policy.
16. Responsibilities
The SCD is responsible for:
-
collecting and storing information relevant to its goals and operations;
-
ensuring the security and integrity of all information held;
-
using information in accordance with the principles and guidelines set out in this policy;
-
overseeing and implementing this policy;
-
reviewing and adjusting this policy.
Individuals (staff, students, and others) are responsible for:
-
providing information that is correct, complete and current;
-
fulfilling all requirements set out by the SCD, relating to the provision of information;
-
advising the SCD of any changes to information;
-
complying with all aspects of this policy;
-
reporting breaches of policy where appropriate.
17. Related Documents
Key related documents are:
-
Acceptable Use of Technology Policy
-
Code of Conduct
-
Complaints and Grievances Policy
-
Record-Keeping Policy
-
Wellbeing Policy
18. Monitoring and Review
-
This policy will be reviewed at least every five years.
-
This policy may be adjusted in response to specific cases, where an adjustment is deemed necessary by Council.
-
Those reviewing the policy will seek guidance where appropriate from experts in the field or from other credible information sources.