VIDEO LINK
CASE STUDY
Case Study: Practical Applications of an Information Privacy Plan
XYZ University is a medium-sized tertiary education provider in the state of Queensland, Australia. In undertaking its normal business of teaching, learning, and research, the university collects, stores, and uses “personal information,” that is, anything that identifies a person’s identity.
With respect to students, this information may include, among other things, records relating to admission, enrollment, course attendance, assessment, and grades; medical records; details of student fees, fines, levies, and payments, including bank details; tax file numbers and declaration forms; student personal history files; qualifications information; completed questionnaire and survey forms; records relating to personal welfare, health, equity, counseling, student and graduate employment, or other support matters; records relating to academic references; and records relating to discipline matters.
The bulk of this information is retained in the student management information systems and in the file registry. Academic and administrative staff, at various levels, have access to these records only as required to carry out their duties. Portions of the information held in university student records are disclosed outside the university to various agencies, such as the Australian Taxation Office; the Department of Education, Employment and Workplace Relations; other universities; consultant student services providers; the Department of Immigration and Citizenship; and overseas sponsorship agencies.
The university has a well-documented information privacy policy in accordance with the community standard for the collection, storage, use, and disclosure of personal information by public agencies in Queensland. The policy relies on the 11 principles developed in the Commonwealth Privacy Act of 1988. These principles broadly state the following:
Personal information is collected and used only for a lawful purpose that is directly related to the collector’s function.
Before the information is collected, the individual concerned should be made aware of the purpose, whether it is required by law, and to whom the information will be passed on.
Files containing personal information should be held securely and protected against loss; unauthorized access, use, modification, or disclosure; or any other misuse.
Personal information can only be disclosed to another person or agency if the person concerned is aware of it and has consented and the disclosure is authorized or required by law.
Personal information should not be used without taking reasonable steps to ensure that it is accurate, up to date, and complete.
Presented below are three scenarios in which you need to decide how to apply the privacy policy and principles. The following scenarios were sourced from the Griffith University Privacy Plan (www.griffith.edu.au/about-griffith/plans-publications/griffith-university-privacy-plan/pdf/privacy-training-guide.pdf). The link to the privacy plan itself is www.griffith.edu.au/ua/aa/vc/pp. A complete statement of the relevant privacy principles can be found at www.dva.gov.au/health_and_wellbeing/research/ethics/Documents/ipps.pdf.
Scenario 1
Roger, a photocopier technician, has been asked to repair an office photocopier that just broke down while someone was copying a grievance matter against an employee of the agency. The officer who was copying the file takes the opportunity to grab a cup of coffee and leaves Roger in the photocopy room while the photocopier cools down. While waiting, Roger flips through the file and realizes that the person against whom the grievance was made lives on the same street as he does.
Scenario 2
Tom telephones a student at home about attending a misconduct hearing. The student is not at home; however, the student’s partner, Christine, answers the phone. She states that she knows all about the misconduct hearing but asks for clarification of the allegations. When pressed, Tom provides further details. Tom feels comfortable about providing this information to Christine because she is the student’s partner, and she has already told Tom that she knows all about her partner’s misconduct hearing.
Scenario 3
Brad works in a student administration center, and Janet is a student. They know each other, as they used to attend the same high school. Occasionally, they get together at the university to have coffee and chat about mutual friends. Brad knows that Janet’s birthday is coming up because Janet happened to mention that she’ll be another year older in the near future. Brad decides to access the student information system to find out Janet’s date of birth and home address. A few weeks later, Janet receives a birthday card from Brad sent to her home address.