Privacy is everyone’s responsibility. This policy applies to all University members who may be required to collect, access, use or disclose personal information, who may manage projects or systems that impact on personal information management, or who are responsible for making policy decisions about the way the University manages personal information.
To ensure that all University members manage personal information in compliance with the Privacy Act 2020, other relevant laws, and the privacy promises the University has made to its data subjects.
Note – ‘Data subjects’ is the global term for the individual to whom personal information relates. We are using this term to ensure consistency. The Privacy Act 2020 uses the term ‘individual concerned’.
The policy is supported by a set of privacy procedures, standards, guidelines and associated documents which form the University’s Privacy Framework.
The University collects and processes personal information about students, alumni, donors, staff members, research participants and individuals who visit its websites or campuses. The University is required to comply with the Privacy Act 2020 and its associated regulations but it also wishes to lead by example and ensure that its privacy practices meet the expectations of its global community.
The University recognises that its data subjects will only relinquish control of their personal information if they trust it to use the information responsibly and treat it with care and respect. The University has made a number of promises to its data subjects in its Privacy Statements and must be able to keep these promises. This policy seeks to ensure:
- Data minimisation – limiting the amount of personal information the University collects and retains
- Transparency – being open and honest about what information the University collects and how it will be used
- Security – protecting the personal information the University holds from harm
- Use limitation – making sure the University uses and discloses personal information only when necessary and with a lawful basis
- Privacy rights – helping the University’s data subjects to exercise their privacy rights and maintain some control over their information.
1. University members must collect, or must design a process or system to collect, only the personal information they need for a lawful purpose.
2. Where a process or system can operate without the collection of personal information, the data subject will be permitted to use it anonymously.
3. Personal information should be collected from the data subject directly, unless an exception can be relied upon to collect it from a third party.
Note: Exceptions are listed in Principle 2 of the Privacy Act 2020. The usual basis on which we collect information from a third party is with the authorisation of the data subject.
4. At the time that personal information is being collected from a data subject, University members must ensure that data subjects are made aware:
- what information is being collected
- why the information is being collected
- how the information will be used
- who the information will be shared with, and
- what rights they have to access and correct that information.
5. If the information collected is a routine part of University process (that is, the collection of information is not unusual or ad hoc), it will be sufficient for compliance with item 4 above if the University member refers the data subject to, or provides the data subject with a link to, the relevant Privacy Statement. Occasional or ad hoc collections, such as individual research projects, may require the provision of specific privacy notices relating to that collection.
6. Where a new collection, use or disclosure of personal information is to become a routine part of University process, the responsible University member must ensure that the Privacy Officer is notified and the relevant Privacy Statement is updated to reflect this.
Note - This would not be the case for ad hoc collections that are not to become routine.
Use and disclosure
7. Except as provided in item 8, personal information must only be used or disclosed by University members if that use or disclosure is the purpose for which it was collected and has been made clear to the data subject in the relevant Privacy Statement.
8. Before using or disclosing personal information in new ways, or in ways that are not part of the University’s routine business, University members must ensure that this is necessary for a lawful purpose or is otherwise permitted or required by law.
Note: Usually the best way to use or disclose information in new ways is to seek the authorisation of the data subject. If this is not practicable in the circumstances, University members must be able to rely on an exception to Principle 10 (use) or Principle 11 (disclosure) of the Privacy Act 2020. If this is not clear, consult the Privacy Officer.
9. University members must take reasonable steps to ensure that personal information is accurate and up to date before using or disclosing it, particularly where this use or disclosure could impact on the rights or interests of the data subject.
10. Before sharing personal information with a contracted service provider, or disclosing personal information to an overseas recipient (other than a data subject), University members must ensure that the service provider or recipient is required and able to provide an adequate level of protection to the personal information shared. For more information, refer to the Disclosure of Personal Information Procedures.
Access and correction
11. Every data subject, or their authorised representative, has the right to request a copy of the personal information the University holds about them, or to ask the University to correct their personal information if they think it is wrong. These requests are referred to as personal information requests (PIRs).
12. University members must ensure that they manage PIRs in compliance with the Personal Information Request Procedures.
Security and retention
13. All University members have a responsibility to protect the personal information they handle against loss, misuse, or unauthorised access, modification or disclosure.
14. Information security is an important part of good personal information management. University members must ensure that they have read and understood the University’s Information Technology policies, having special regard to the IT Acceptable Use Policy, the IT Security Policy and the Data Governance Policy.
15. University members must only access or use personal information – whether within an information system or in hard copy – when this is necessary for a legitimate business purpose.
16. University members must not retain personal information for longer than the University has a lawful purpose to use it, and must delete information in compliance with the University’s General Disposal Authority.
17. University members must ensure that any privacy breach they become aware of is reported promptly to the Privacy Officer in compliance with the Privacy Breach Management Procedures.
Collection and use of unique identifiers
18. University members must ensure that unique identifiers are collected, assigned and managed in compliance with Principle 13 of the Privacy Act 2020.
Note: “Unique identifiers” are identifiers other than a person’s name that uniquely identify them, such as the National Student Number (NSN), the National Health Index (NHI), the Social Welfare Number (SWN), the IRD number, the driver licence number, and the University’s Student ID and Universal Public Identifier (UPI).
19. The steps the University must take to manage unique identifiers include the following:
- We must not use another agency’s unique identifier to generally identify our data subjects within our systems (such as using the driver licence number as our Student ID). The University uses the UPI to identify our data subjects within our systems.
- We may use another agency’s unique identifier for the purposes of communicating with that other agency about the relevant data subject (such as where we collect and use the IRD number to communicate with Inland Revenue about an employee’s tax obligations).
- We must not require data subjects to give us their unique identifiers assigned by other agencies unless we can establish that this is one of the purposes for which the identifier was assigned by the other agency (such as the NSN, which was assigned for the purpose of enabling education providers to search for and modify information about their students, and which the University has a lawful basis to collect and use as a tertiary education provider).
- We must ensure that we have established the identity of a person before assigning a unique identifier to them, particularly if this identifier will then be used to enable access to systems or personal information.
- We must protect unique identifiers from misuse (such as by truncating or masking them in correspondence).
Privacy impact assessments
20. Wherever possible, the University endeavours to take a “privacy by design” approach to the development of new or changed processes or systems. This means that we adhere to the following principles:
- Proactive not reactive; Preventative not remedial
- Privacy as the default
- Privacy embedded into design
- Full functionality – Positive-sum, not zero-sum
- End-to-end security – Lifecycle protection
- Visibility and transparency
- Respect for user privacy
Note: An explanation of the “privacy by design” principles is provided at Privacy by Design.
21. Any University member responsible for creating or changing a process or system that involves a new collection, use or disclosure of personal information, or that may impact the security or integrity of personal information already held by the University, must consider the Privacy Impact Assessment Guidelines.
22. All University members must:
- understand and comply with the Privacy Framework
- actively participate in any privacy training provided by the University, and
- keep their manager and/or the Privacy Officer informed of any PIRs, privacy breaches or other privacy issues.
23. Managers must:
- support staff to understand and comply with this policy and participate in any privacy training provided by the University, and
- ensure PIRs, privacy breaches and other privacy issues are identified and managed in accordance with the Privacy Framework.
24. The Privacy Officer must:
- support all University members to understand and comply with the Privacy Framework, including by maintaining and developing relevant procedures, standards and guidelines
- assist with the management of PIRs, privacy breaches and other privacy issues by University members
- assist with the management of privacy complaints from data subjects
- report on privacy breaches and general privacy compliance to the Vice-Chancellor and the Registrar, and
- liaise with third parties in respect of privacy matters, including the Privacy Commissioner or other relevant regulators and data subjects.
The following definitions apply to this policy:
Data subject means any natural person about whom the University collects and holds personal information and includes students, staff members, contractors, alumni and friends, donors, and visitors to the University’s websites or campuses.
Note - This is a global term which we are using to ensure consistency. The Privacy Act 2020 uses the term “individual concerned”.
Lawful purpose means a purpose that is directly connected with any of the University’s lawful functions, and includes, but is not limited to, considering applications for admission to, or employment with, the University; administering programmes of study; managing staff and ensuring the health and safety of students and staff members; and meeting the University’s reporting requirements.
Personal information means any information, whether electronic or hard copy, about a data subject, whether or not the information directly identifies the data subject, and includes but is not limited to contact, demographic, health and academic information (including course results), CCTV footage, staff performance information, emails and other correspondence, and opinions about the data subject.
Privacy breach means an event (whether intentional or unintentional) in which personal information is lost or is accessed, altered, disclosed or destroyed without authorisation, or is at increased risk due to poor security safeguards, including but not limited to:
- accidental disclosure of personal information to the wrong recipient;
- employee browsing of personal information without a legitimate business reason;
- an external attack on a University system; or
- a lost or stolen University device or document.
Privacy Framework means this policy and any procedures, standards or guidelines issued to support it, including but not limited to the Personal Information Request Procedures, Privacy Breach Management Procedures, Disclosure of Personal Information Procedures, Privacy Impact Assessment Guidelines, and Privacy Guidelines.
Privacy Statement means a notice the University has provided to a particular category of data subjects that outlines in general the matters set out at item 4 of this policy, and includes the Privacy Statement (covering personal information about students, alumni and friends, donors and website users) and the Employee Privacy Statement (covering personal information about staff and contractors).
University means the University of Auckland and includes all subsidiaries.
University member includes members of Council, committee members, staff members, committee appointees, the University’s companies’ staff and board members and contractors working for and on behalf of the University and, for the purposes of this procedure, includes students who collect or process personal information in the course of their studies or research, or who are otherwise permitted access to personal information held by the University.
Key relevant documents
Include the following:
- Health Information Privacy Code 2020
- Privacy Act 2020
- Public Records Act 2005
- Employee Privacy Statement
- Data Governance Policy
- IT Acceptable Use Policy
- IT Security Policy
- Personal Information Request Procedures
- Records Management Policy
- Privacy by Design
- Privacy Centre
- Privacy Guidelines
- Privacy Impact Assessment Guidelines
- Privacy Statement
- Personal Information Request Form
- Privacy Breach Reporting Form
- Privacy Impact Assessment Checklist
Document management and control
Content manager: General Counsel and Privacy Officer
Approved by: Vice-Chancellor
Date approved: 10 November 2020
Amended: 20 October 2023
Review date: 10 November 2025