Privacy Guidelines


All University members who may be required to collect, access, use or disclose personal information, who may manage projects or systems that impact on personal information management, or who are responsible for making policy decisions about the way the University manages personal information.

Frequently asked questions

What is privacy, and why does it matter to us?

Privacy is about the way we handle personal information about the people we deal with, whether that’s our students, alumni, donors or our colleagues. It matters to us because it matters to our people. We need personal information to do our jobs, but people will only give us their information if they trust us to use it responsibly and treat it with care and respect.

But privacy is not about secrecy or confidentiality. We must protect personal information from misuse, sure, but we must also use and share that information where necessary in order to deliver services and do our work. Privacy is really about the fair and responsible use of personal information. We’ve developed our Privacy Framework and procedures in a way that ensures:

  • Data minimisation – limiting the amount of personal information the University collects and retains.
  • Transparency – being open and honest about what information the University collects and how it will be used.
  • Security – protecting the personal information the University holds from harm.
  • Use limitation – making sure the University uses and shares personal information only when necessary and with a lawful basis.
  • Privacy rights – helping the University’s data subjects to exercise their privacy rights and maintain some control over their information.

If we all try our best to stick to these key principles, then we’ll have a good chance of getting privacy right and protecting our data and our people from harm.

Personal information is just phone numbers and email addresses, right?

Wrong. Personal information could be any information about an identifiable person (in our Privacy Policy, we refer to “data subjects”). Yes, it includes a person’s contact details, demographic information (race, gender etc) and financial information (credit card and bank account numbers, salaries etc), but it goes much further than that.

Information does not have to include identifiers (like a name or contact details) to be identifiable. If the information contains enough detail to connect it to a person, even if only a few people could make that connection, then it may be their personal information. If you are considering whether information is personal, ask yourself whether it tells you anything about a person. If the answer is “yes” then it probably is.

In addition to the usual stuff, personal information may include:

  • Academic information about a student, including their results, exam answers and essays
  • Health information or information about a student’s or employee’s use of University facilities
  • Emails between staff about a student or an employee
  • Staff performance information, including legal advice obtained to manage a complaint or grievance
  • Meeting minutes, where a data subject has been the topic of discussion
  • Information generated by student or staff use of services, including CCTV footage, access card use, website use, library card use, the data obtained from desk sensors on an assigned desk, and email use.

The safest thing to do is treat all the information we handle with care and respect, as it may be personal information about someone. It also means we must ensure that the information we record about people is respectful and appropriate, because it is likely that they could request it under the Privacy Act 2020.

We can only use and share personal information with consent, right?

Wrong. Consent (or authorisation) is one way to use information, but it’s not the only way. We endeavour to collect only the personal information we need to meet our lawful purposes, and we only use or share it in ways that are necessary to meet these purposes. Provided that we are open with people about this, we can use and share personal information in these ways without authorisation.

That said, we may decide to permit people to opt out of having their personal information used or shared in a particular way. We may also need to ask for consent to use information in unexpected or very public ways.

For example, if you have taken photographs of your students during a field trip, you should only publish those photographs with their authorisation, as they may have good reason to keep their location confidential.

You might have heard a lot of “noise” about consent in relation to the GDPR, but even under the GDPR consent is only one of several lawful bases on which to use personal information. The GDPR permits an agency to process personal information to meet its contractual obligations, meet its legitimate interests and comply with its legal obligations. None of these require the consent of the person concerned.

In summary, provided that we are using personal information for legitimate purposes, related to our lawful functions, then we do not need to rely on consent. However, we should consider asking data subjects before using personal information in new, unexpected or particularly public ways or when we want to use health information for any purpose other than delivering health services.

What is “automated processing” of personal information and can we do it?

Automated processing, which includes profiling and automated decision-making, is a hot privacy topic right now.

Profiling describes the use of personal information to evaluate certain criteria (such as personality, behaviour, or demographics) in order to make predictions or decisions about a person. Examples of profiling include the use of marketing software to analyse online shopping habits and target advertising, or the use of machine learning by health agencies to predict patient health or the likelihood of treatment success.

Automated decision-making describes the process of making a decision about a person by automated means, without any human involvement. Automated decision-making often involves, or follows, profiling. Examples of automated decision-making include the use of automated systems to mark multiple choice exams, or online aptitude tests used for recruitment.

While automated processing can be a positive thing (it can lead to faster, more consistent and more predictable decision-making), it can also make people uncomfortable as the algorithms or criteria used are often not transparent. Privacy regulators are particularly concerned about automated processing that may have an adverse effect on the person concerned.

Principle 8 of the Privacy Act requires the University to take reasonable steps to ensure that personal information is accurate, complete and relevant before using it. In many circumstances (and particularly where the use of the information could have a significant impact on the person concerned), this could require human intervention in an automated decision-making process. The GDPR is even more prescriptive. It states that people have the right not to be subject to decisions based solely on automated processing, including profiling, where those decisions are significant.

All this means is that we need to take care when using automated processing. While it can be useful, we should not use it to make decisions that could adversely affect the people we deal with. If we do, then we should ensure that there is a way for affected people to challenge that decision – with a human. We must also be open and honest about the automated processing we use, so that people can understand it and challenge it if they are concerned.

For example, in our Student Privacy Statement, we provide the following notice:

Automated processing: We use automated processing tools to assist us to determine your eligibility for programmes of study, scholarships or other services. We may also use automated tools to assist us with the marking of multiple choice assessments. In most cases where we use automated processing as part of our admissions or course administration processes, the outcomes are reviewed by our employees.

The New Zealand government has developed an Algorithm Charter that sets out a few important principles to be applied when creating and using algorithms for profiling, automated decision-making or other purposes, that support an ethical approach.

What’s the difference between the Official Information Act and the Privacy Act?

As a public-sector agency, the University is subject to both the Official Information Act 1982 (“OIA”) and the Privacy Act 2020. Both laws relate to information and both give people the right to request information from us. The difference between the two can be confusing, particularly because the OIA is all about freedom of information whereas the Privacy Act is about protecting information. In practice, however, the two laws work well together.

All the information we hold is “official information” for the purposes of the OIA, even if it relates to natural people. However, while the OIA requires us to release official information on request, it also includes a withholding ground designed to protect the privacy of the people we deal with (section 9(2)(a) of the OIA).

When it comes to requests for information, we must make sure that we process the request under the right law. Put simply, the Privacy Act relates to requests from an individual (“the data subject”) for information about themselves. The OIA relates to requests from an individual or agency for information about someone or something else. We must consider requests from data subjects for their own information under the Privacy Act 2020.

For example, Peter Potter, a student in our law faculty, makes a request for (1) a copy of his lecturer’s evaluative notes on his performance during the semester. He also asks for (2) a copy of her evaluations of other students in his class (he believes she is not being fair) and (3) a copy of the University’s policy on examination grading.

We must process request (1) under the Privacy Act 2020 (note, we may be able to withhold the lecturer’s evaluations in some circumstances – see FAQ on evaluative material). We must process requests (2) and (3) under the OIA. (Note, we would probably withhold the evaluations of other students under section 9(2)(a) of the OIA, to protect the privacy of the other students).

Do we have to provide students with copies of staff evaluations of, or correspondence about, their suitability for the award of a degree?

Probably. Under the Privacy Act 1993, we were able to withhold “evaluative material” – which we took to include internal communications about whether or not a student had earned a qualification or degree – on the basis that it was provided under an understanding that it would be kept confidential.

However, the Privacy Act 2020 has changed the definition of “evaluative material” to expressly exclude any evaluative or opinion material “that is compiled by a person employed or engaged by an agency in the ordinary course of that person’s employment duties”. This change is intended to ensure that the evaluative material withholding ground may only be relied upon in relation to evaluative or opinion material that has been received from a person outside the agency, such as a third party referee.

So, if you feel the need to withhold staff evaluations or communications, make sure you check this with our Privacy Officer.

Can we share personal information about suspected student fraud with other tertiary education providers?

Occasionally, we might become aware that a student has provided incorrect or false information, for example, as part of the admission process, or by misrepresenting someone else’s research as their own. Where we are reasonably confident that dishonest activity has taken place, we may inform other tertiary education providers about the potential risk posed by this student. Dishonest activity can have an impact on the overall integrity of the tertiary education system.

In our Privacy Statement, we tell students that we will use their personal information to “support our academic integrity and discipline processes, and the overall integrity of the tertiary education system”. We also tell students that we may share their personal information with “other tertiary education providers where we believe that you may have engaged in dishonest activity, such as providing false or falsified admission documents.”

These notices will permit us to share personal information about dishonest activity by a student with other tertiary education providers in most circumstances, though we must be reasonably confident that the suspicion of dishonesty is well-founded, and we must limit the personal information shared to that which is necessary.

If we suspect that a student’s activities may constitute a criminal offence, principle 11(1)(e)(i) of the Privacy Act permits us to share personal information with the Police for the purposes of assisting them to investigate the matter. Again, we must limit the personal information shared to that which is necessary.

In all such cases, we should check with the Privacy Officer before sharing personal information.

Can we disclose personal information to people or agencies overseas?

Yes, but there are now a few more things we need to think about before doing so. Principle 12 of the Privacy Act 2020 requires us to ensure that a foreign person or entity is subject to privacy safeguards comparable to those required by the NZ Privacy Act. In short, this principle is about taking accountability for sending personal information overseas, where there may be lesser protections in place for the people we deal with.

We can share personal information with a foreign person or entity only if:

  • The recipient is storing or processing the information on our behalf (for example, Microsoft Azure, AWS or Zoom);
  • The recipient is subject to the NZ Privacy Act, because it carries on business in NZ even though it is located overseas;
  • The recipient is in Australia, the United Kingdom, any EU Member State or any country that has EU Adequacy (this is because these countries have comparable privacy laws in place);
  • The recipient has signed a contract with the University that includes express privacy or data protection requirements, that are comparable to the requirements of the NZ Privacy Act; or
  • The data subject authorises us to disclose it to a foreign person or entity (for example as part of a student exchange with a university in a country that has no comparable privacy law in place).

If we’re unsure about whether any of the above conditions may apply, we should check with the Privacy Officer before disclosing the information.

How long can we keep personal information, and what should we do with it when we no longer need it?

The Privacy Act 2020 limits our maximum retention periods. Principle 9 of the Privacy Act states that we should retain personal information only for as long as we need it for a lawful purpose. This means we should get rid of personal information when we no longer need it, and we shouldn’t generally keep personal information indefinitely.

However, the University is subject to the Public Records Act 2005, which manages the way public sector agencies retain, destroy and archive public records, and to other employment and regulatory laws that require the retention of certain information. These laws set minimum retention periods for some categories of information we hold.

New Zealand universities have developed a General Disposal Authority (‘GDA’) to manage the retention of all our records, including those containing personal information. The GDA sets minimum retention periods based on the Public Records Act and other regulatory or legislative requirements. In some cases, our business requirements mean we need to keep information longer. These reasons, and the approved retention periods, must be documented and approved by the business owner.

The way we ultimately dispose of personal information depends on the requirements of our GDA. Most records should be securely destroyed but some need to be archived under the Public Records Act.

If you feel that you might have a future use for personal information that is close to its maximum retention period, and you don’t need the information to identify individuals (e.g. for monitoring trends or patterns), you could consider aggregating and de-identifying that information to protect individual privacy and keep the information for longer. You can find out more about de-identifying information in the de-identification FAQ.

How do we de-identify personal information effectively?

Privacy laws and our privacy policy and procedures regulate the way we can use and share personal information about our data subjects. Personal information is information about identifiable individuals. The Privacy Act 2020 permits us to use and share personal information for statistical or research purposes, provided that it does not identify data subjects. Protecting research participants in this way is an important part of ethical research practices. It recognises the people behind the data.

It is possible to remove identifiers or identifying information from data, or a dataset, to allow us to use or share the information in ways that we could not if it was identifiable. De-identifying personal information is a complex process. There’s no black and white line between personal information and de-identified data – it’s an exercise in risk management rather than an exact science. The use or disclosure of poorly de-identified data could expose the University to legal and reputational risk and impact on our ability to conduct robust research with other institutions and experts.

The key is to think about the data itself and the environment into which that data is to be released. The goal is to remove enough identifiers to effectively minimise the risk of re-identification within the release environment. With these factors in mind, there are a number of widely accepted methods to de-identify datasets:

  • Perturbation – adding random noise to data outputs.
  • Aggregation – combining and/or simplifying data outputs.
  • Suppression – not reporting some data outputs.
  • Limiting data access – putting conditions and/or limits on access to data.

For more information about properly de-identifying personal information, read this confidentiality guidance from Stats NZ.

However, de-identification does not only apply to datasets or large research projects. It can also apply to the publication of case studies or stories. At its most basic, de-identification requires the removal of any information that might lead to the identification of a data subject. This can require care, as removing simple identifiers may not be enough.

For example, Geoff lives in a rural town called Niceville, with a population of 600. He is one of 73 European males between the age of 50 and 60 in the town. He works for the local council as a park ranger in a nearby regional park. Geoff has a relatively rare degenerative medical condition that affects his bone density and may ultimately impact on his ability to do his job. Clearly, Geoff would have an interest in deciding how and when he informs his employer about this condition.

The doctor from the local DHB who is treating Geoff is writing a paper about the condition and wants to publish his case as part of the paper. She removes all the standard identifiers, including name, exact age (though she leaves the age group as it’s relevant to his treatment), NHI and contact details. However, she leaves the other facts in place, including that the patient is a European male over 50 from Niceville who works for the local council. There’s some speculation that the condition may have stemmed from contamination in the water supply some 25 years earlier, so the local newspaper also runs an article on it, which refers to the publication and Geoff’s case.

Geoff’s manager happens to read the article. While there are a few people at the council who match that description, Geoff’s manager knows that Geoff had some time off recently to seek medical treatment. The manager joins the dots and pulls Geoff into a meeting to ask why he hadn’t disclosed his medical condition. Geoff is not happy.
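The Niceville case can be measured rather than guessed at. The following is an added example, not part of the original guidance or a University tool: it builds a small constructed dataset (the names, towns and records are invented, with record 0 standing in for Geoff), treats town, ethnicity, sex, age and employer as the linkable quasi-identifiers, and reports how large the “crowd” sharing Geoff’s attributes is (k-anonymity) under the de-identification methods listed above: aggregation of exact age into a band, suppression of whole columns, and suppression of records whose crowd is still too small.

```python
"""Re-identification risk check for the Niceville case (added example).

Constructed toy data only. Record 0 plays Geoff: a European male in his
fifties who works for the local council in a small town. We measure how
many records share his quasi-identifiers under different release choices.
"""
from collections import Counter

# Attributes an outsider (the manager, a neighbour) could link to a person.
QUASI_IDS = ("town", "ethnicity", "sex", "age", "employer")
SENSITIVE = "condition"  # the fact that must not be inferred from the release

# Constructed records (not real people or real data).
RECORDS = [
    {"town": "Niceville", "ethnicity": "European", "sex": "M", "age": 54, "employer": "council", "condition": "bone density disorder"},
    {"town": "Niceville", "ethnicity": "European", "sex": "M", "age": 57, "employer": "council", "condition": "none"},
    {"town": "Niceville", "ethnicity": "European", "sex": "M", "age": 51, "employer": "council", "condition": "none"},
    {"town": "Niceville", "ethnicity": "European", "sex": "M", "age": 58, "employer": "farm", "condition": "none"},
    {"town": "Niceville", "ethnicity": "European", "sex": "M", "age": 52, "employer": "school", "condition": "none"},
    {"town": "Niceville", "ethnicity": "European", "sex": "F", "age": 55, "employer": "council", "condition": "none"},
    {"town": "Niceville", "ethnicity": "Māori", "sex": "M", "age": 56, "employer": "council", "condition": "none"},
    {"town": "Bigtown", "ethnicity": "European", "sex": "M", "age": 53, "employer": "council", "condition": "none"},
    {"town": "Bigtown", "ethnicity": "European", "sex": "M", "age": 59, "employer": "council", "condition": "bone density disorder"},
    {"town": "Bigtown", "ethnicity": "European", "sex": "M", "age": 50, "employer": "farm", "condition": "none"},
]


def age_band(age: int, width: int = 10) -> str:
    """Aggregation: generalise an exact age to a band such as '50-59'."""
    lo = age - age % width
    return f"{lo}-{lo + width - 1}"


def transform(record: dict, generalise_age: bool, suppress: frozenset) -> dict:
    """Column-level de-identification: drop suppressed fields, band the age."""
    out = {k: v for k, v in record.items() if k not in suppress}
    if generalise_age and "age" in out:
        out["age"] = age_band(out["age"])
    return out


def key(record: dict, quasi_ids: tuple) -> tuple:
    """The combination of quasi-identifiers that defines a record's crowd."""
    return tuple(record[q] for q in quasi_ids)


def class_sizes(records: list, quasi_ids: tuple) -> Counter:
    """How many records share each quasi-identifier combination."""
    return Counter(key(r, quasi_ids) for r in records)


def assess_release(generalise_age: bool = True, suppress: frozenset = frozenset(),
                   k_required: int = 5, subject_index: int = 0,
                   records: list = RECORDS) -> dict:
    """Report the subject's crowd size and the release's overall k.

    Records whose crowd is smaller than k_required are withheld (record
    suppression), so 'k' is the smallest crowd actually published and
    'released' is how many records survive.
    """
    remaining = tuple(q for q in QUASI_IDS if q not in suppress)
    released = [transform(r, generalise_age, suppress) for r in records]
    sizes = class_sizes(released, remaining)
    subject_k = sizes[key(released[subject_index], remaining)]
    kept = [r for r in released if sizes[key(r, remaining)] >= k_required]
    k = min(class_sizes(kept, remaining).values()) if kept else 0
    # Note: even a large crowd does not help if everyone in it shares the
    # same sensitive value; that is a separate check (attribute disclosure).
    return {"quasi_ids": remaining, "subject_k": subject_k, "k": k,
            "released": len(kept), "subject_released": subject_k >= k_required}


if __name__ == "__main__":
    # Exact ages and the employer column leave Geoff in a crowd of one or three.
    print(assess_release(generalise_age=False))
    print(assess_release())
    # Suppressing employer, then town as well, widens the crowd to 5 and 8.
    print(assess_release(suppress=frozenset({"employer"})))
    print(assess_release(suppress=frozenset({"employer", "town"})))
```

The crowd-of-three result mirrors the FAQ: a few council staff match the published description, and one piece of outside knowledge (Geoff’s recent time off) is enough to single him out.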

What’s the EU General Data Protection Regulation (“GDPR”) and do we need to worry about it?

The GDPR is the European privacy regulation. It applies to all agencies that are based in the European Union. It also applies outside the European Union where an agency (like the University) is collecting and processing (that means keeping, using and sharing) personal information about people in the EU.

For GDPR to apply to the University:

  • We need to be actively collecting personal information from people while they are in the EU (for example, it does not apply to our collection of personal information from a Danish student when they are attending a course in Auckland).
  • We also need to be collecting personal information as part of the offering of goods and services to people in the EU. This requires some clear intention on our part to target people in the EU; it’s not enough that a person who lives in Madrid can access our NZ website and sign up to attend a conference.

So, for example, the GDPR might apply if we decided to offer a study programme specifically targeted at students in France and we created a French (.fr) website for this purpose, gathered personal information about applicants via the website, and permitted applicants to pay fees in Euros. In this case, there may be some additional steps we would need to take to ensure that we were complying with the small number of additional obligations the GDPR contains.

Even where the GDPR does apply, we may need to think about it, but we don’t need to worry about it. This is because our Privacy Act 2020 already requires us to do most of the things the GDPR requires. In fact, the European Commission has given our Privacy Act “EU adequacy”, which means that it is recognised as providing an equivalent level of protection to personal information as EU law.

We strive to comply at all times with our Privacy Act, but we are also working to lift our privacy practices beyond local compliance, to ensure that we manage personal information in line with global best practice. For example, our privacy statements provide the privacy notices required by both NZ and EU law, and so we are comfortable to use them in respect of personal information collected from within NZ, the EU or anywhere else in the world we might be operating.

If you think the GDPR might apply to something you are doing, don’t panic and don’t start making changes you think are needed to comply. Instead, check with our Privacy Officer. Also check the FAQ below on research projects that target participants in the EU or the UK.

Does the University have a Data Protection Officer, as required by the GDPR?

Yes, the University is already required by the NZ Privacy Act 2020 to have a Privacy Officer, which is essentially equivalent to the Data Protection Officer requirement in the GDPR. So, our Privacy Officer is also our Data Protection Officer.

I am collecting personal information about people in Europe, do I need to create a new privacy statement for this purpose?

No. In fact, it’s very important that you don’t, because we have one set of comprehensive privacy statements (for students, alumni, donors, employees and users of our websites) that apply no matter where in the world we are collecting personal information from. We have ensured that our privacy statements comply with our Privacy Act 2020 and the GDPR.

However, if you are about to collect new personal information from people in the EU, or use personal information we already hold about people in the EU in a new way, then you should check whether this is something we need to add to our existing privacy statements. Check with our Privacy Officer about how to do this.

If we’re running a research project that targets participants in the EU, does the GDPR apply?

If we’re targeting a research project at participants located in the EU or the UK, then GDPR (or the UK GDPR – which is essentially the same) would apply to this activity. “Targeting” means that we must be actively seeking participants located in the EU or the UK, and collecting information from them while they are there. Collaborating with another institution in the EU or the UK – for example to obtain research funding – would not be enough to bring our activities under the scope of the GDPR, if we were not also collecting information about people in the EU.

As noted above, our Privacy Act 2020 already requires us to do most of the things the GDPR requires. In fact, the European Commission has given our Privacy Act “EU adequacy”, which means that it is recognised as providing an equivalent level of protection to personal information as EU law. We strive to comply at all times with our Privacy Act, but we are also working to lift our privacy practices beyond local compliance, to ensure that we manage personal information in line with global best practice.

Every research project undertaken by the University must comply with the University’s Privacy Framework. This Framework already requires us to manage personal information in accordance with generally accepted global privacy principles, including data minimisation, transparency and use limitation. However, when we are actively targeting research participants in the EU – particularly in relation to health or clinical research – there are a few additional things we should consider.

Consult with our Privacy Officer

First, inform our Privacy Officer about the research project. The Privacy Officer might ask you to complete a Privacy Impact Assessment to ensure that privacy risks are adequately addressed.

Remember that sensitive information is treated differently

The GDPR treats sensitive personal information – called “special categories of personal data” – differently. If a research project involves the collection of the following types of information, then greater care will need to be taken:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a person
  • Health data
  • Data about sex life and sexuality

The GDPR prohibits the use of special categories of personal data, unless an exception applies to permit this. The most appropriate exception for University research projects will be that the participant has given explicit consent for the data to be collected and used.

Make sure consents meet GDPR requirements

However, the GDPR also strictly defines consent, and so the University must ensure that its participant consents meet this definition. To be valid, participant consent must be:

  • Express – Consent must be given explicitly, and in writing. Such consent must be demonstrated by a clear affirmative act.
  • Freely given – Consent must be given in the absence of any undue pressure or duress, and participants must not be compelled to consent to the collection or use of personal information that is not necessary for the research.
  • Informed – We must ensure that the participant is made fully aware of what personal information is being collected and processed, for what reason, and who it may be shared with.
  • Meaningful – We must ensure that participants have the capacity to consent. It will be more difficult to establish that children or elderly participants have the capacity to give meaningful consent.

Further, the GDPR notes that it is often not possible to fully identify the purpose of processing for scientific research purposes at the time of data collection. Therefore, participants should be allowed to give their consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Participants should have the opportunity to give their consent only to certain areas of research or parts of research projects to the extent allowed by the intended purpose.

The GDPR gives participants additional rights

We also need to remember that the GDPR gives people the right to withdraw their consent at any time. The GDPR also gives people the right to request the deletion of information that has been collected and processed on the basis of consent. The University may be able to retain and continue to use research data if it has another lawful basis to do this, so any such requests should be escalated to the Privacy Officer as soon as possible.

Be careful about using third party service providers

The GDPR places limitations on transferring personal information overseas. It’s ok for us to process personal information – including special categories of information – in NZ because we already have EU adequacy. However, we should not use service providers (such as data storage providers) in other countries without checking that this complies with the GDPR. The best way to do this will be to ask the Privacy Officer before transferring research data to a service provider. The Privacy Officer might request that we enter into a contractual agreement with the service provider to ensure that the data is adequately protected.

Keep a record of the data processed for the project

As part of its accountability provisions, the GDPR requires us to keep a Record of Processing Activities (RoPA), which documents what personal information we are collecting from participants and how we are processing it. This is good practice for any research project, even if the GDPR does not apply. The RoPA for a research project that targets participants in the EU or the UK must include:

  • the categories of participants included in the research;
  • the categories of personal information collected and processed about these participants;
  • the purposes of the processing;
  • the legal basis for the processing (usually consent);
  • the recipients to whom the information has or will be disclosed;
  • details of any transfers of the information outside NZ;
  • how long the information will be retained; and
  • a general description of the technical and organisational security measures applied to the information.

Consider anonymising the information if possible

If possible, the University should consider anonymising research data before using it. This will generally bring it outside the scope of the GDPR and other privacy laws, provided that it has been meaningfully anonymised (such that the risk of re-identification is eliminated). For more information on this, see the FAQ on how we de-identify personal information effectively.

Note: This document is a ‘living document’. We will continue to develop FAQs in response to questions asked.


The following definitions apply to this policy:

Data subject means any natural person about whom the University collects and holds personal information and includes students, staff members, contractors, alumni and friends, donors, and visitors to the University’s websites or campuses.

Lawful purpose means a purpose that is directly connected with any of the University’s lawful functions, and includes, but is not limited to considering applications for admission to, or employment with, the University; administering programmes of study; managing staff and ensuring the health and safety of students and staff members; and meeting the University’s reporting requirements.

Personal information means any information, whether electronic or hard copy, about a data subject, whether or not the information directly identifies the data subject, and includes but is not limited to contact, demographic, health and academic information (including course results), CCTV footage, staff performance information, emails and other correspondence, and opinions about the data subject.

Privacy Framework means this policy and any procedures, standards or guidelines issued to support it, including but not limited to the Personal Information Request Procedures, Privacy Breach Management Procedures, Disclosure of Personal Information Procedures, Privacy Impact Assessment Guidelines, and Privacy Guidelines.

Privacy Statement means a notice the University has provided to a particular category of data subjects that outlines in general the matters set out at item 4 of this policy, and includes the Privacy Statement (covering personal information about students, alumni and friends, donors and website users) and the Employee Privacy Statement (covering personal information about staff and contractors).

University means the University of Auckland and includes all subsidiaries.

University member includes members of Council, committee members, staff members, committee appointees, the University’s companies’ staff and board members and contractors working for and on behalf of the University and, for the purposes of this procedure, includes students who collect or process personal information in the course of their studies or research, or who are otherwise permitted access to personal information held by the University.

Key relevant documents

Document management and control

Owner: Registrar
Content manager: General Counsel and Privacy Officer
Approved by: Vice-Chancellor
Date approved: 25 August 2021
Review date: 25 August 2024