Privacy Guidelines


Application


All University members who may be required to collect, access, use or disclose personal information, who may manage projects or systems that impact on personal information management, or who are responsible for making policy decisions about the way the University manages personal information.

Frequently asked questions


What is privacy, and why does it matter to us?

Privacy is about the way we handle personal information about the people we deal with, whether that’s our students, alumni, donors or our colleagues. It matters to us because it matters to our people. We need personal information to do our jobs, but people will only give us their information if they trust us to use it responsibly and treat it with care and respect.

But, privacy is not about secrecy or confidentiality. We must protect personal information from misuse, sure, but we must also use and share that information where necessary in order to deliver services and do our work. Privacy is really about the fair and responsible use of personal information. We’ve developed our Privacy Framework and procedures in a way that ensures:

  • Data minimisation – limiting the amount of personal information the University collects and retains.
  • Transparency – being open and honest about what information the University collects and how it will be used.
  • Security – protecting the personal information the University holds from harm.
  • Use limitation – making sure the University uses and shares personal information only when necessary and with a lawful basis.
  • Privacy rights – helping the University’s data subjects to exercise their privacy rights and maintain some control over their information.

If we all try our best to stick to these key principles, then we’ll have a good chance of getting privacy right and protecting our data and our people from harm.

Personal information is just phone numbers and email addresses, right?

Wrong. Personal information could be any information about an identifiable person (in our Privacy Policy, we refer to “data subjects”). Yes, it includes a person’s contact details, demographic information (race, gender etc) and financial information (credit card and bank account numbers, salaries etc), but it goes much further than that.

Information does not have to include identifiers (like a name or contact details) to be identifiable. If the information contains enough detail to connect it to a person, even if only a few people could make that connection, then it may be their personal information. If you are considering whether information is personal, ask yourself whether it tells you anything about the individual concerned. If the answer is “yes”, then it probably is.

In addition to the usual stuff, personal information may include:

  • Academic information about a student, including their results, exam answers and essays
  • Health information or information about a student’s or employee’s use of University facilities
  • Emails between staff about a student or an employee
  • Staff performance information, including legal advice obtained to manage a complaint or grievance
  • Meeting minutes, where a data subject has been the topic of discussion
  • Information generated by student or staff use of services, including CCTV footage, access card use, website use, library card use, the data obtained from desk sensors on an assigned desk, and email use

The safest thing to do is treat all the information we handle with care and respect, as it may be personal information about someone. It also means we must ensure that the information we record about people is respectful and appropriate, because it is likely that they could request it under the Privacy Act.

What’s the EU General Data Protection Regulation (“GDPR”) and do we need to worry about it?

The GDPR is the European privacy regulation. It applies to all agencies that are based in the European Union. Unusually, it also applies outside the European Union where an agency (like the University) is collecting and processing (that means keeping, using and sharing) personal information about EU residents.

For GDPR to apply to the University:

  • We need to be actively collecting personal information from EU residents while they are in the EU (for example, it does not apply to our collection of personal information from a Danish student when they are attending a course in Auckland).
  • We also need to be collecting personal information as part of the offering of goods and services to EU residents. This requires some clear intention on our part to target EU residents; it’s not enough that a person who lives in Madrid can access our NZ website and sign up to attend a conference.

So, for example, the GDPR might apply if we decided to offer a study programme specifically targeted at French students and we created a French (.fr) website for this purpose, gathered personal information about applicants via the website, and permitted applicants to pay fees in Euros. In this case, there may be some additional steps we would need to take to ensure that we were complying with the small number of additional obligations the GDPR contains.

Even where the GDPR does apply, we may need to think about it, but we don’t need to worry about it. This is because our Privacy Act 1993 already requires us to do most of the things the GDPR requires. In fact, the European Commission has given our Privacy Act “EU adequacy”, which means that it is recognised as providing an equivalent level of protection to personal information as EU law.

We strive to comply at all times with our Privacy Act, but we are also working to lift our privacy practices beyond local compliance, to ensure that we manage personal information in line with global best practice. For example, our privacy statements provide the privacy notices required by both NZ and EU law, and so we are comfortable to use them in respect of personal information collected from within NZ, the EU or anywhere else in the world we might be operating.

If you think the GDPR might apply to something you are doing, don’t panic and don’t start making changes you think are needed to comply. Instead, check with our Privacy Officer.

I am collecting personal information about people in Europe. Do I need to create a new privacy statement for this purpose?

No. In fact, it’s very important that you don’t, because we have one set of comprehensive privacy statements (for students, alumni, donors, employees and users of our websites) that apply no matter where in the world we are collecting personal information from. We have ensured that our privacy statements comply with our Privacy Act and the GDPR.

However, if you are about to collect new personal information from EU residents, or use personal information we already hold in a new way, then you should check whether this is something we need to add to our existing privacy statements. Check with our Privacy Officer about how to do this.

We can only use and share personal information with consent, right?

Wrong. Consent (or authorisation) is one way to use information, but it’s not the only way. We endeavour to collect only the personal information we need to meet our lawful purposes, and we only use or share it in ways that are necessary to meet these purposes. Provided that we are open with people about this, we can use and share personal information in these ways without authorisation.

That said, we may decide to permit people to opt out of having their personal information used or shared in a particular way. We may also need to ask for consent to use information in unexpected or very public ways.

For example, if you have taken photographs of your students during a field trip, you should only publish those photographs with their authorisation, as they may have good reason to keep their location confidential.

You might have heard a lot of “noise” about consent in relation to the GDPR, but even under the GDPR consent is only one basis on which to use personal information. The GDPR permits an agency to process personal information to meet its contractual obligations, meet its legitimate interests and comply with its legal obligations. None of these require the consent of the person concerned.

In summary, provided that we are using personal information for legitimate purposes, related to our lawful functions, then we do not need to rely on consent. However, we should consider asking data subjects before using personal information in new, unexpected or particularly public ways.

What is “automated processing” of personal information and can we do it?

Automated processing, which includes profiling and automated decision-making, is a hot privacy topic right now.

Profiling describes the use of personal information to evaluate certain criteria (such as personality, behavior, or demographics) in order to make predictions or decisions about a person. Examples of profiling include the use of marketing software to analyse online shopping habits and target advertising, or the use of machine learning by health agencies to predict patient health or the likelihood of treatment success.  

Automated decision-making describes the process of making a decision about a person by automated means, without any human involvement. Automated decision-making often involves, or follows, profiling. Examples of automated decision-making include the use of automated systems to mark multiple choice exams, or online aptitude tests used for recruitment.  

While automated processing can be a positive thing (it can lead to faster, more consistent and more predictable decision-making), it can also make people uncomfortable as the algorithms or criteria used are often not transparent. Privacy regulators are particularly concerned about automated processing that may have an adverse effect on the person concerned.

Principle 8 of the Privacy Act requires the University to take reasonable steps to ensure that personal information is accurate, complete and relevant before using it. In many circumstances (and particularly where the use of the information could have a significant impact on the person concerned), this could require human intervention in an automated decision-making process. The GDPR is even more prescriptive. It states that people have the right not to be subject to decisions based solely on automated processing, including profiling, where those decisions are significant.

All this means is that we need to take care when using automated processing. While it can be useful, we should not use it to make decisions that could adversely affect the people we deal with. If we do, then we should ensure that there is a way for affected people to challenge that decision – with a human. We must also be open and honest about the automated processing we use, so that people can understand it and challenge it if they are concerned.

For example, in our Student Privacy Statement, we provide the following notice:

Automated processing: We use automated processing tools to assist us to determine your eligibility for programmes of study, scholarships or other services. We may also use automated tools to assist us with the marking of multiple choice assessments. In most cases where we use automated processing as part of our admissions or course administration processes, the outcomes are reviewed by our employees.

What’s the difference between the Official Information Act and the Privacy Act?

As a public-sector agency, the University is subject to both the Official Information Act 1982 (“OIA”) and the Privacy Act 1993. Both laws relate to information and both give people the right to request information from us. The difference between the two can be confusing, particularly because the OIA is all about freedom of information whereas the Privacy Act is about protecting information. In practice, however, the two laws work well together.

All the information we hold is “official information” for the purposes of the OIA, even if it relates to natural people. However, while the OIA requires us to release official information on request, it also includes a withholding ground designed to protect the privacy of the people we deal with (section 9(2)(a) of the OIA).

When it comes to requests for information, we must make sure that we process the request under the right law. Put simply, the Privacy Act relates to requests from an individual (“the data subject”) for information about themselves. The OIA relates to requests from an individual or agency for information about someone or something else. We must consider requests from data subjects for their own information under the Privacy Act.  

For example, Peter Potter, a student in our law faculty, makes a request for (1) a copy of his lecturer’s evaluative notes on his performance during the semester. He also asks for (2) a copy of her evaluations of other students in his class (he believes she is not being fair) and (3) a copy of the University’s policy on examination grading.

We must process request (1) under the Privacy Act (note, we may be able to withhold the lecturer’s evaluations in some circumstances – see FAQ on evaluative material). We must process requests (2) and (3) under the OIA. (Note, we would probably withhold the evaluations of other students under section 9(2)(a) of the OIA, to protect the privacy of the other students).

Do we have to provide students with copies of staff evaluations of, or correspondence about, their suitability for the award of a degree?

Not necessarily. While people have a very strong right to know what personal information we hold about them, and the assumption under the Privacy Act is that we will release any personal information we hold to the data subject if they ask for it, we also have the right to withhold personal information in some limited circumstances.

One such circumstance is where the information requested is “evaluative material” which has been provided on the understanding that it will be kept confidential. Evaluative material is defined in the Privacy Act, and would be likely to cover communications between academic staff about whether a student has earned a qualification or degree. This information could be withheld from a requester if the staff had an understanding that it would not be shared with the data subject before they gave their opinions.

For example, the Privacy Commissioner investigated a complaint about a university’s refusal to release email correspondence between thesis examiners to a PhD student. The Commissioner was satisfied that the emails were evaluative material, as they were written by the examiners as part of their process of determining the student’s suitability for the award of the PhD degree. The Commissioner was also satisfied that the examiner genuinely believed these emails would be kept confidential, and this was also confirmed as established practice by a senior professor. On this basis, the Commissioner decided the university could withhold the emails.

Can we share personal information about suspected student fraud with other tertiary education providers?

Occasionally, we might become aware that a student has provided incorrect or false information, for example, as part of the admission process, or by misrepresenting someone else’s research as their own. Where we are reasonably confident that dishonest activity has taken place, we may inform other tertiary education providers about the potential risk posed by this student. Dishonest activity can have an impact on the overall integrity of the tertiary education system.

In our Privacy Statement, we tell students that we will use their personal information to “support our academic integrity and discipline processes, and the overall integrity of the tertiary education system”. We also tell students that we may share their personal information with “other tertiary education providers where we believe that you may have engaged in dishonest activity, such as providing false or falsified admission documents.”

These notices will permit us to share personal information about dishonest activity by a student with other tertiary education providers in most circumstances, though we must be reasonably confident that the suspicion of dishonesty is well-founded, and we must limit the personal information shared to that which is necessary.

If we suspect that a student’s activities may constitute a criminal offence, principle 11(e)(i) of the Privacy Act permits us to share personal information with the Police for the purposes of assisting them to investigate the matter. Again, we must limit the personal information shared to that which is necessary.

In all such cases, we should check with the Privacy Officer before sharing personal information.

How long can we keep personal information, and what should we do with it when we no longer need it?

The Privacy Act 1993 limits our maximum retention periods. Principle 9 of the Privacy Act states that we should retain personal information only for as long as we need it for a lawful purpose. This means we should get rid of personal information when we no longer need it, and we shouldn’t generally keep personal information indefinitely.

However, the University is subject to the Public Records Act 2005, which manages the way public sector agencies retain, destroy and archive public records, and to other employment and regulatory laws that require the retention of certain information. These laws set minimum retention periods for some categories of information we hold.  

New Zealand universities have developed a General Disposal Authority (‘GDA’) to manage the retention of all our records, including those containing personal information. The GDA sets minimum retention periods based on the Public Records Act and other regulatory or legislative requirements. In some cases, our business requirements mean we need to keep information longer. These reasons, and the approved retention periods, must be documented and approved by the business owner.  

The way we ultimately dispose of personal information depends on the requirements of our GDA. Most records should be securely destroyed but some need to be archived under the Public Records Act.

If you feel that you might have a future use for personal information that is close to its maximum retention period, and you don’t need the information to identify individuals (e.g. for monitoring trends or patterns), you could consider aggregating and de-identifying that information to protect individual privacy and keep the information for longer. You can find out more about de-identifying information in the de-identification FAQ. 

How do we de-identify personal information effectively?

Privacy laws and our privacy policy and procedures regulate the way we can use and share personal information about our data subjects. Personal information is information about identifiable individuals. The Privacy Act permits us to use and share personal information for statistical or research purposes, provided that it does not identify data subjects. Protecting research participants in this way is an important part of ethical research practices. It recognises the people behind the data. 

It is possible to remove identifiers or identifying information from data, or a dataset, to allow us to use or share the information in ways that we could not if it was identifiable. De-identifying personal information is a complex process. There’s no black and white line between personal information and de-identified data – it’s an exercise in risk management rather than an exact science. The use or disclosure of poorly de-identified data could expose the University to legal and reputational risk and impact on our ability to conduct robust research with other institutions and experts.

The key is to think about the data itself and the environment into which that data is to be released. The goal is to remove enough identifiers to effectively minimise the risk of re-identification within the release environment. With these factors in mind, there are a number of widely accepted methods to de-identify datasets: 

  • Perturbation – adding random noise to data outputs.
  • Aggregation – combining and/or simplifying data outputs.
  • Suppression – not reporting some data outputs.
  • Limiting data access – putting conditions and/or limits on access to data.

For more information about properly de-identifying personal information, read this confidentiality guidance from Stats NZ. 

However, de-identification does not only apply to datasets or large research projects. It can also apply to the publication of case studies or stories. At its most basic, de-identification requires the removal of any information that might lead to the identification of a data subject. This can require care, as removing simple identifiers may not be enough. 

For example, Geoff lives in a rural town called Niceville, with a population of 600. He is one of 73 European males between the age of 50 and 60 in the town. He works for the local council as a park ranger in a nearby regional park. Geoff has a relatively rare degenerative medical condition that affects his bone density and may ultimately impact on his ability to do his job. Clearly, Geoff would have an interest in deciding how and when he informs his employer about this condition. 

The doctor from the local DHB who is treating Geoff is writing a paper about the condition and wants to publish his case as part of the paper. She removes all the standard identifiers, including name, exact age (though she leaves the age group as it’s relevant to his treatment), NHI and contact details. However, she leaves the other facts in place, including that the patient is a European male over 50 from Niceville who works for the local council. There’s some speculation that the condition may have stemmed from contamination in the water supply some 25 years earlier, so the local newspaper also runs an article on it, which refers to the publication and Geoff’s case. 

Geoff’s manager happens to read the article. While there are a few people at the council who match that description, Geoff’s manager knows that Geoff had some time off recently to seek medical treatment. The manager joins the dots and pulls Geoff into a meeting to ask why he hadn’t disclosed his medical condition. Geoff is not happy. 
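As an added illustration (not part of the University’s guidance or any Stats NZ material), the following Python models the Geoff case: it measures how unique a record is on its quasi-identifiers (age band, sex, ethnicity, town, employer, occupation), then applies suppression and aggregation from the list above and withholds any record that is still too distinctive. The case records, the town-to-region mapping and the threshold k are constructed assumptions.

```python
from collections import Counter
from typing import Dict, Iterable, List, Mapping, Sequence, Tuple

Record = Dict[str, str]

# Constructed sample of case records for illustration only (no real people).
# Each row holds the quasi-identifiers the paper in the Geoff story left in
# place, plus the sensitive finding. Row 0 plays the part of Geoff.
CASES: List[Record] = [
    {"age_band": "50-59", "sex": "M", "ethnicity": "European", "town": "Niceville",
     "employer": "local council", "occupation": "park ranger", "condition": "bone density disorder"},
    {"age_band": "50-59", "sex": "M", "ethnicity": "European", "town": "Niceville",
     "employer": "local council", "occupation": "clerk", "condition": "asthma"},
    {"age_band": "50-59", "sex": "M", "ethnicity": "European", "town": "Niceville",
     "employer": "dairy farm", "occupation": "farmhand", "condition": "asthma"},
    {"age_band": "50-59", "sex": "M", "ethnicity": "European", "town": "Bigtown",
     "employer": "regional council", "occupation": "park ranger", "condition": "bone density disorder"},
    {"age_band": "40-49", "sex": "F", "ethnicity": "European", "town": "Niceville",
     "employer": "local council", "occupation": "planner", "condition": "asthma"},
    {"age_band": "50-59", "sex": "M", "ethnicity": "Maori", "town": "Bigtown",
     "employer": "local council", "occupation": "park ranger", "condition": "bone density disorder"},
]

FULL_QIDS = ["age_band", "sex", "ethnicity", "town", "employer", "occupation"]
RELEASE_QIDS = ["age_band", "sex", "ethnicity", "town"]  # what survives de-identification
# Aggregation hierarchy (constructed): collapse both towns into one region.
TOWN_TO_REGION = {"Niceville": "Northern region", "Bigtown": "Northern region"}


def key_of(record: Record, quasi_ids: Sequence[str]) -> Tuple[str, ...]:
    """Quasi-identifier tuple for a record; a suppressed field reads as '*'."""
    return tuple(record.get(q, "*") for q in quasi_ids)


def class_sizes(records: Iterable[Record], quasi_ids: Sequence[str]) -> Counter:
    """How many records share each combination of quasi-identifier values."""
    return Counter(key_of(r, quasi_ids) for r in records)


def k_anonymity(records: List[Record], quasi_ids: Sequence[str]) -> int:
    """Smallest equivalence class; k == 1 means some record is unique on the quasi-identifiers."""
    return min(class_sizes(records, quasi_ids).values())


def record_risk(records: List[Record], record: Record, quasi_ids: Sequence[str]) -> float:
    """Chance that a reader who knows the person's quasi-identifiers picks their row: 1 / class size."""
    return 1.0 / class_sizes(records, quasi_ids)[key_of(record, quasi_ids)]


def suppress_fields(records: Iterable[Record], fields: Sequence[str]) -> List[Record]:
    """Suppression: drop whole fields (e.g. employer) from every record."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]


def aggregate_field(records: Iterable[Record], field: str, mapping: Mapping[str, str]) -> List[Record]:
    """Aggregation: replace fine-grained values (a town) with a coarser category (a region)."""
    return [{**r, field: mapping.get(r[field], r[field])} for r in records]


def suppress_small_classes(records: List[Record], quasi_ids: Sequence[str], k: int) -> List[Record]:
    """Suppression of outputs: withhold any record whose class is still smaller than k."""
    sizes = class_sizes(records, quasi_ids)
    return [r for r in records if sizes[key_of(r, quasi_ids)] >= k]


def deidentify(records: List[Record], k: int = 3) -> List[Record]:
    """Apply the three steps and return only the records safe to release at the chosen k."""
    released = suppress_fields(records, ["employer", "occupation"])
    released = aggregate_field(released, "town", TOWN_TO_REGION)
    return suppress_small_classes(released, RELEASE_QIDS, k)


if __name__ == "__main__":
    print("Geoff's risk as published:", record_risk(CASES, CASES[0], FULL_QIDS))  # 1.0: unique row
    safe = deidentify(CASES)
    print("released:", len(safe), "records; k =", k_anonymity(safe, RELEASE_QIDS))
```

Note that checking only Geoff’s row is not enough: the two rows that remain unique after generalisation (the 40-49 female planner and the Maori park ranger) are the ones the final suppression step withholds.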

Note: This document is a ‘living document’. We will continue to develop FAQs in response to questions asked.

Definitions


The following definitions apply to this policy: 

Data subject means any natural person about whom the University collects and holds personal information and includes students, staff members, contractors, alumni and friends, donors, and visitors to the University’s websites or campuses.

Lawful purpose means a purpose that is directly connected with any of the University’s lawful functions, and includes, but is not limited to, considering applications for admission to, or employment with, the University; administering programmes of study; managing staff and ensuring the health and safety of students and staff members; and meeting the University’s reporting requirements.

Personal information means any information, whether electronic or hard copy, about a data subject, whether or not the information directly identifies the data subject, and includes but is not limited to contact, demographic, health and academic information (including course results), CCTV footage, staff performance information, emails and other correspondence, and opinions about the data subject.

Privacy Framework means this policy and any procedures, standards or guidelines issued to support it, including but not limited to the Personal Information Request Procedures, Privacy Breach Management Procedures, Disclosure of Personal Information Procedures, Privacy Impact Assessment Guidelines, and Privacy Guidelines.

Privacy Statement means a notice the University has provided to a particular category of data subjects that outlines in general the matters set out at item 4 of this policy, and includes the Privacy Statement (covering personal information about students, alumni and friends, donors and website users) and the Employee Privacy Statement (covering personal information about staff and contractors).

University means the University of Auckland and includes all subsidiaries.

University member includes members of Council, committee members, staff members, committee appointees, the University’s companies’ staff and board members and contractors working for and on behalf of the University and, for the purposes of this procedure, includes students who collect or process personal information in the course of their studies or research, or who are otherwise permitted access to personal information held by the University.

Document management and control


Owner: Registrar

Content manager: General Counsel and Privacy Officer

Approved by: Registrar

Date approved: 20 February 2019

Review date: 20 February 2022