Date approved: | March 2022 |
Date Policy will take effect: | March 2022 |
Date of Next Review: | March 2025 |
Approved by: | Chief Operating Officer |
Custodian title: | Head of People & Culture |
Author: | Head of People & Culture |
Responsible Unit: | People & Culture |
Supporting documents, procedures & forms of this policy: | Not applicable |
References & Legislation: | Australian Privacy Principles (APP); Health Records and Information Privacy Act 2022 (NSW) (HRIPA); Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA); Public Interest Disclosure Act 1994 (NSW); UOW Pulse Code of Conduct |
Audience: | Internal |
Expiry Date of Policy (if applicable): | Not Applicable |
In carrying out its functions and activities, UOW Pulse Ltd collects personal and/or health information from employees, students, customers and third parties. It is the responsibility of UOW Pulse to ensure that the overall management of that information, which includes its collection, storage, access, use and disclosure, complies with relevant Australian privacy laws and regulations.
The purpose of this policy is to set out:
UOW Pulse’s commitment to compliance with the Privacy Act 1988 (Commonwealth), the Privacy and Personal Information Protection Act 1998 (“PPIPA”), the Health Records and Information Privacy Act 2002 (“HRIPA”) and other relevant privacy laws; and
The strategies to effectively respond to a Data Breach at UOW Pulse, to ensure best practice data breach management, reduce possible harm to individuals and organisations, and prevent future breaches.
This policy outlines the responsibilities of all employees when handling information to ensure that UOW Pulse complies with the relevant privacy laws.
This policy applies to the collection, storage, access, use and disclosure of information.
This policy defines the process, management and notifications associated with identified breaches of this Privacy & Data Breach Policy.
All UOW Pulse employees are bound by and must comply with the Privacy & Data Breach Policy.
A breach of this Privacy & Data Breach Policy would be considered very seriously by UOW Pulse and would be subject to investigation and possible disciplinary action.
Word/Term | Definition |
Data Breach | Data (whether held in digital or hard copy) is subject to unauthorised access, unauthorised disclosure or is lost in circumstances where the loss is likely to result in unauthorised access or unauthorised disclosure. A data breach may occur as the result of malicious action, systems failure, or human error. |
Customer | A member of the public who visits the campus and either purchases products or utilises the services or facilities under UOW Pulse management. |
Eligible Data Breach | An ‘eligible data breach’ under the MNDB Scheme requires two conditions to be met: 1. There is unauthorised access to, or unauthorised disclosure of, Personal information or Health information held by UOW Pulse, or there is a loss of Personal information or Health information held by UOW Pulse in circumstances that are likely to result in unauthorised access to, or unauthorised disclosure of, the information; and 2. A reasonable person would conclude that the access or disclosure of the information would be likely to result in serious harm to an individual to whom the information relates. |
Health Information | The Privacy Act defines ‘health information’ as information or an opinion about: (a) the health, including an illness, disability or injury (at any time), of an individual; or (b) an individual’s expressed wishes about the future provision of health services to the individual; or (c) a health service provided, or to be provided, to an individual, that is also personal information; or (d) other personal information collected to provide, or in providing, a health service to an individual. |
Information | Any health information, sensitive information and/or personal information that is collected by UOW Pulse about a student, employee, customer, visitor or third party in the course of its operations. |
Line Manager | An employee of UOW Pulse who acts in a supervisory or leadership capacity (whether acting or permanent) to other team members of UOW Pulse. |
Personal Information | Is defined by PPIPA and the Privacy Act as: “information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”. Personal information does not include information: (a) about an individual who has been deceased for more than 30 years; (b) which is publicly available; (c) about an individual contained in a public interest disclosure under the Public Interest Disclosure Act; or (d) an opinion about an individual’s suitability for appointment or employment as a public sector official. |
Primary purpose | Means the main purpose for which the information was collected. |
Sensitive information | Defined by the Privacy Act as a subset of Personal Information, which includes: information or an opinion about an individual’s race, racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preference or practices; or criminal record; health information about an individual; or genetic information about an individual that is not otherwise Health Information. |
Serious harm | Defined in the context of a data breach, Serious Harm may include serious physical, psychological, emotional, financial or reputational harm. In assessing whether an eligible data breach is likely to result in serious harm, the following will be considered: the kinds of information; the sensitivity of the information; whether the information is protected by one or more security measures or technology; the persons, or the kinds of persons, who have obtained or who could obtain the information; the likelihood of the person who has obtained the information causing harm to any individuals to whom the information relates; the nature of the potential harm; and any other relevant matters. |
Employee | All persons employed by UOW Pulse of any seniority and including those in continuing, part-time, maximum term, casual, trainee or contract roles. |
Students | A person registered for a course at the University of Wollongong. |
Use (of information) | Means the communication or handling of information within UOW Pulse. |
Visitor | An external person or business representative visiting the campus but not necessarily to purchase or utilise services, including but not limited to contractors, franchisees, members of the community and volunteers. |
UOW Pulse will collect information in an open manner, including informing individuals why the information is being collected and how it will be used.
The information we collect is directly related to our functions and activities and may include:
Registration details when you establish a membership account with Pulse Perks;
Personal and health information when you set up a membership account with UniActive;
Information captured at application, selection, recruitment or on-boarding processes;
Information provided when you participate in promotions, competitions or surveys;
Marketing preferences;
Transactional information from online services;
CCTV images from equipment in place in and around our facilities for the purpose of prevention and detection of crime and public safety;
The Children’s Services Group (Long Day Care Centres, After School Care and Vacation Care facilities) operates in a highly regulated industry and is required by law to collect a comprehensive amount of information as part of the enrolment process. The information required is very specific and detailed, covering personal and health information, developmental information and any court orders affecting custody of the child.
UOW Pulse will collect information directly from the individual to which it relates, unless:
The person has consented to information being collected on their behalf by someone else;
The person is under 16 years of age and the information has been provided by a parent or guardian; or
It is unreasonable or impracticable to do so.
At the time of collection (or as soon as practicable thereafter) UOW Pulse will take reasonable steps to ensure that the individual is aware of:
The identity of UOW Pulse and how to contact the organisation;
The fact that individuals are able to obtain access to their information;
UOW Pulse will provide individuals with the option of not identifying themselves, or of using a pseudonym when it is practical and lawful to do so.
UOW Pulse may use information for the following purposes:
Improving the customer experience and our quality of service;
Collecting payment, processing and fulfilling your order, providing order tracking facilities, or otherwise providing you with the information, products and services you may request from us;
Complying with our legal and regulatory obligations (including fraud prevention, anti-money laundering and sanction screening). This may include checking the information you provide us against information from other sources.
Contacting you (including by email or SMS) with marketing messages to inform you of special promotions, events and programs on offer, which may be opted out of at any time.
Providing you with any alerts, in app messages or other messages you have registered to receive;
Providing you with service messages, notifying you about changes to our services or changes to our terms and conditions;
Data analysis to allow us to derive insight and opportunities to improve our business processes, product offerings and quality of service;
Personal information will only be collected in so far as it relates to the service’s activities and functions.
We do not share the information with companies, organisations or individuals outside of UOW Pulse for marketing purposes or otherwise, nor do we sell your personal information. The only time your personal information may be shared with a third party is if:
We have your prior consent to do so;
We are processing information externally, through a trusted business partner, based on UOW Pulse’s explicit instruction and in compliance with our Privacy Policy, confidentiality and levels of security;
We have aggregated, identifiable information, which is to be used for segmentation, statistical modelling, general research or trend analysis;
We are under a duty to disclose or share personal information in order to comply with our legal obligations. This includes exchanging information with organisations and law enforcement agencies for the purpose of:
Anti-money laundering obligations and sanction compliance, fraud and credit risk reduction;
Reporting to the relevant authorities information about the child and its family or others where we have grounds for suspecting that the child is at risk of significant harm;
CCTV images from equipment in place in and around our facilities for the purpose of prevention and detection of crime and public safety.
We only retain your personal information for as long as is necessary for us to use your information as described above or to comply with our legal obligations.
We have a number of security measures in place to protect your personal information. We may store your information in printed or electronic format in our business units. The information is protected from unauthorised access, use, modification or disclosure.
Disposal of personal information is conducted securely in accordance with approved methods, which in some circumstances may de-identify the information prior to disposal.
To request the deletion of your personal data in connection with the UOW Pulse App, submit your request via email to pulse-corporate-support@uow.edu.au.
We strive to ensure that the information we maintain is accurate, current and complete. We may periodically contact you to review and update the information that you have provided us to ensure our organisation can continue to provide the related products and services.
We respond to requests to access and correct inaccurate information in a timely manner. If you feel that the information held about you is incorrect, contact UOW Pulse via pulse-corporate-support@uow.edu.au.
An individual who becomes aware of a suspected or known Data Breach at UOW Pulse is to immediately notify:
the UOW Pulse CEO Office on +61 2 4221 8000 or at pulse-corporate-support@uow.edu.au; and
for Staff, their appropriate Line Manager.
A Data Breach includes:
Unauthorised access by Staff, or sharing of data between teams within UOW Pulse without relevant authority.
Human error, such as:
  - A letter or email sent to the wrong recipient.
  - System access incorrectly granted to someone without appropriate authorisation.
  - Loss of a physical asset such as a paper record, laptop, USB stick or mobile phone containing data that is in the possession, control or the responsibility of UOW Pulse.
  - Failure to implement appropriate security measures such as password protection, or sharing password and login information.
System failure, such as:
  - A coding error that allows access to a system without authentication, or results in automatically generated notices including incorrect information or being sent to incorrect recipients.
  - Systems not maintained through the application of known and supported patches.
Malicious or criminal attack, such as:
  - Cyber incidents such as ransomware, malware, hacking, phishing or brute force access attempts resulting in access to or theft of data.
  - Social engineering or impersonation leading to inappropriate disclosure of data.
  - Insider threats from agency employees using their valid credentials to access or disclose data outside the scope of their duties or permission.
  - Theft of a physical asset such as a paper record, laptop, USB stick or mobile phone containing data that is in the possession, control or the responsibility of UOW Pulse.
Where there are reasonable grounds to suspect that a Data Breach has occurred, UOW Pulse must:
Take immediate steps to contain the breach or suspected breach to minimise the possible damage
Report the breach to the CEO office who are authorised to receive and action a report of a suspected or known Data Breach;
Carry out an assessment of the breach to determine what has occurred and whether an Eligible Data Breach has occurred, within 30 days;
Make all reasonable attempts to mitigate any harm done by the suspected breach;
Consider whether notification under legislation or other policies, procedures or agreements may be required. This may include notification to:
affected individuals;
Privacy Commissioner;
other regulatory bodies;
third Parties with collaborative or contractual ties with the University; and
Carry out post incident review and preventative efforts, based on the type and seriousness of the breach.
Where a Data Breach has been assessed as an Eligible Data Breach, UOW Pulse must:
Notify the Privacy Commissioner immediately, using the form approved by the Privacy Commissioner; and
Notify affected individuals as soon as practicable. UOW Pulse may elect to notify either:
all individuals regardless of their risk of harm; or
only affected individuals (i.e. those individuals who are likely to suffer Serious Harm as a result of the Data Breach that relates to them).
Each Data Breach should be assessed on a case by case basis and a response is to be determined, depending on the circumstances associated with the Data Breach.
UOW Pulse will comply with all relevant Statutory Guidelines issued by the NSW Information and Privacy Commission (IPC) under Part 6A of the PPIP Act.
The UOW Pulse CEO Office is responsible for receiving reports of a Data Breach, triaging, and leading the response as appropriate. Further responsibilities of the CEO Office are addressed at section 9.7 of this Policy.
Where required, the Data Breach Response Team (CEO Office) will be convened and will include key subject matter experts, depending on the nature and impact of the Data Breach. Key subject matter experts may include:
Lead coordinator – UOW Pulse Senior Managers, UOW Pulse Senior Executives, the CEO Office or delegate, to lead the response. Where a suspected Eligible Data Breach has occurred, the Senior Manager or the CEO Office will carry out required actions as outlined at section 9.7 of this policy;
General Counsel – responsible for reporting to UOW Pulse Senior Executives and the CEO Office, providing legal support and supporting team members. Where a suspected Eligible Data Breach has occurred, the General Counsel will carry out required actions as outlined at section 9.7 of this policy;
Records and evidence support – maintain records of all actions taken by the Data Breach Response Team and providing administrative support;
Technical support – a member of UOW Pulse IT to facilitate response and containment actions, assist with root cause analysis and provide forensic support, CEO office to involve UOW IMTS when and If relevant;
Communication support – Senior Executives and the CEO Office to assist with communication to stakeholders and affected individuals, where relevant;
Data Guardian – senior leadership with high-level knowledge, expertise and tactical decision making in data within their responsibility, where relevant;
Data Specialist –business and technical subject matter experts who typically provide ongoing technical support as a part of their day-to-day role, where relevant;
Other Staff, depending on the context of the breach.
The Data Breach Response Team will be convened in the event of a Data Breach, or suspected or potential Eligible Data Breach and will coordinate the response in accordance with the severity of the Data Breach.
UOW Pulse has 30 days from the date it becomes aware of a possible Data Breach to assess whether that Data Breach is an Eligible Data Breach. Whilst making this assessment, all reasonable attempts must be made to mitigate any harm already done.
Where a public notification is made on the UOW Pulse Public Notification Register, UOW Pulse will advise the Privacy Commissioner how to access the public notification on its website.
If UOW Pulse is unable to notify the individuals as described at 9.2.2 directly, it will publish a public data breach notification onto the UOW Pulse website and take all reasonable steps to publicise the notification through appropriate channels available to UOW Pulse.
The public data breach notification will provide details of:
the circumstances of the Data Breach, including a description of the breach and the type of Information impacted,
the actions UOW Pulse has taken or plans to take to control or mitigate the harm to individuals,
steps that an affected individual should consider taking in response to the Data Breach, and
how the individual may contact the University for any additional information.
The public notification will remain on UOW Pulse’s Website for a period of at least 12 months.
In some cases, UOW Pulse may have reporting obligations under both the NSW MNDB Scheme and the Notifiable Data Breaches Scheme under the Privacy Act 1988 (Cth). For example, a Data Breach involving TFN numbers, where it is likely to result in Serious Harm, would be reportable to both the Office of the Australian Information Commissioner and the NSW Information and Privacy Commission (IPC).
Depending on the circumstances of the Data Breach, UOW Pulse will ensure that any reporting obligations it has under other laws or administrative arrangements are included as part of its Data Breach response actions. Examples of organisations that such arrangements may involve include:
Australian Cyber Security Centre (ACSC)
NSW Police Force
Australian Federal Police
Department of Health
Foreign regulatory agencies
Professional associations, regulatory bodies or insurers
Financial service providers
Any third party organisations or agencies whose data may be affected.
The MNDB Scheme assigns various responsibilities to the head of an agency (the person responsible for the agency’s day to day management). In accordance with section 59ZJ of the PPIP Act, the head of an agency may delegate the exercise of those responsibilities to relevant Staff.
The CEO, as UOW Pulse’s head of an agency, has delegated the exercise of those responsibilities to relevant Staff as outlined in this policy and as below:
The COO (Chief Operating Officer) is responsible for:
deciding whether a Data Breach is an Eligible Data Breach, or there are reasonable grounds to believe the Data Breach is an Eligible Data Breach;
escalating Data Breach response actions to the CEO, as appropriate;
making determinations regarding the application of any exemptions and approval of any extension periods, as outlined in the MNDB Scheme;
where UOW Pulse is unable to notify, or it is not practicable to notify, any or all of the affected individuals, making a determination to publish a public notification via the UOW Pulse website.
General Counsel is responsible for:
conducting an assessment of whether the Data Breach is, or there are reasonable grounds to believe the Data Breach is, an Eligible Data Breach, within 30 days after being made aware that a Data Breach has occurred;
where an assessment confirms an Eligible Data Breach, escalating the assessment to the CEO;
notifying the Privacy Commissioner immediately in the approved form, if the Data Breach is an Eligible Data Breach;
notifying each individual to whom the Information the subject of the breach relates, or each affected individual;
providing written notice to the Privacy Commissioner regarding the application of any exemptions, any extension periods, or how to access any public notifications made by UOW Pulse, as outlined in the MNDB Scheme;
identifying whether other external notification is required, i.e. to law enforcement or other third parties;
identifying legal obligations and providing advice, as required.
Senior Executive Team is responsible for:
receiving Data Breach notifications and confirming preliminary assessment reports;
assessing the containment and/or remediation measures already undertaken (if any) and taking further actions as required to mitigate any further compromise of the data;
where a preliminary assessment confirms a suspected or known Eligible Data Breach, escalating the preliminary assessment to General Counsel;
making a determination to convene the Data Breach Response Team, in consultation with General Counsel. Where a determination has been made to convene the Data Breach Response Team, the following actions at 6e-6h will be conducted by the Senior Manager, Information Compliance in the capacity of lead coordinator of the team;
ensuring Data Breach response actions are conducted in accordance with this policy and the Data Breach Response Plan;
ensuring that all response actions are recorded in the Data Breach Report form and retained in accordance with the Records Management Policy;
ensuring any relevant evidence of the Data Breach is preserved and securely stored, as appropriate;
conducting and leading the post-response assessment of UOW Pulse’s response to the Data Breach;
establishing, maintaining and recording Data Breaches through the Audit, Risk Management and Compliance Committee;
managing any complaints received as a result of the Data Breach;
reviewing, testing and updating this policy at least annually.
Senior Management Team is responsible for:
receiving notifications of a suspected or known Data Breach and taking local immediate containment steps to prevent any further compromise of the data;
conducting an initial assessment of the Data Breach, notifying the relevant Data Guardian and consulting with the Information Compliance Unit to determine appropriate response actions;
completing the relevant sections in the Data Breach Report form at Appendix C;
where a Data Breach can be/is being managed appropriately locally, ensuring that the completed Data Breach Report form is submitted to the Information Compliance Unit and retained in accordance with the Records Management Policy;
participating in response actions, in accordance with this policy and associated incident management processes.
Line Managers are responsible for:
receiving notifications of a suspected or known Data Breach and taking local immediate containment steps to prevent any further compromise of the data;
conducting an initial assessment of the Data Breach, notifying the relevant Data Guardian and consulting with the Information Compliance Unit to determine appropriate response actions;
completing the relevant sections in the Data Breach Report form at Appendix C;
where a Data Breach can be/is being managed appropriately locally, ensuring that the completed Data Breach Report form is submitted to the Information Compliance Unit and retained in accordance with the Records Management Policy;
participating in response actions, in accordance with this policy and associated incident management processes.
All Staff are responsible for:
reporting any suspected or known Data Breaches immediately, as per section 9.2 of this policy;
assisting in response actions in accordance with this policy and the Data Breach Response Plan.
CEO Office | |
General | Email: pulse-corporate-support@uow.edu.au; Phone: +61 2 4221 8000 |
CEO | Chief Executive Officer, Alfonso Maccioni; Email: alf@uow.edu.au; Phone: +61 2 4221 8002 |
COO | Chief Operating Officer; Email: wtony@uow.edu.au; Phone: +61 2 4221 5662 |
All employees of UOW Pulse are required to follow this Policy and understand that during their employment they may obtain information that is of a confidential nature, that it must be kept confidential, and that any breach of confidentiality may result in disciplinary action. All employees are required to acknowledge their responsibilities by signing a confidentiality declaration.
UOW Pulse Management group is responsible for the overall compliance with our privacy and confidentiality obligations.
All line managers and members of the Management group are required to:
Implement this policy in their work area and ensure all team members are aware of their responsibilities in regards to the Privacy Policy and confidentiality;
Ensure that any potential/actual breach to the Privacy Policy is dealt with promptly;
Ensure all new starters read the Privacy Policy and sign the confidentiality declaration.
All employees have a responsibility to:
Comply with this policy;
Maintain confidentiality when managing information provided to, or collected by UOW Pulse and its business units;
Report any potential or actual breach of this policy to the line manager or the People & Culture team.