Making a privacy complaint
If you believe your privacy has been breached, or have concerns regarding the management of your personal information, you can:
- attempt to resolve the matter with the UTS area concerned
- for student-related matters, make a complaint by emailing the Student Complaints Resolution Office at email@example.com
- ask for an internal review.
In most cases, privacy complaints can be handled locally by the UTS area concerned with the assistance of the Student Complaints Resolution Office, without the need to lodge an internal review.
Students may also contact the Student Complaints Resolution Office for assistance.
If you've complained and you are not satisfied with the outcome, you may request an internal review in relation to the conduct in question.
UTS takes any alleged breaches of privacy seriously and will take appropriate action to rectify the situation quickly if an issue has been identified and the situation can be rectified. A request for an internal review is not always required to facilitate such action by UTS.
Requesting an internal review
An internal review is a formal process, undertaken in accordance with section 53 of the Privacy and Personal Information Protection Act 1998 (NSW), to investigate a privacy-related complaint relating to conduct that involves personal information or health information.
Deadline to lodge an internal review request
An internal review must be lodged within six months of the affected individual becoming aware of the conduct in question.
UTS may consider later applications if there is an acceptable reason for the application not being lodged before the deadline.
Lodging an internal review request
UTS has developed a request for internal review form (.docx, 161kB) to ensure applicants provide the necessary details to enable UTS to investigate the privacy complaint. The form is not mandatory. An applicant may provide the same information in a letter. Supporting documentation can be attached to provide further details where required.
Applications must be lodged with the UTS Privacy Officer.
Contact the UTS Privacy Officer if you wish to lodge an internal review and would like advice about:
- whether the situation you want reviewed relates to privacy
- the internal review process
- the information required to be provided in your application.
Internal review process
UTS undertakes internal reviews relating to privacy in line with the legislative requirements specified by Privacy NSW in their Internal Review Checklist form (available at Privacy NSW: Resources — Forms).
Privacy NSW: Complaints provides further information about the University's internal review obligations.
Internal review officer
An internal review will usually be undertaken by the UTS Privacy Officer. However, if there is a potential conflict of interest or the UTS Privacy Officer is unavailable, the Director Governance Support Unit or, in their absence, the Deputy Vice-Chancellor (Corporate Services) will appoint a different staff member to undertake the review.
Role of the NSW Privacy Commissioner
UTS is required to inform the NSW Privacy Commissioner about any internal review applications it receives and provide relevant documents, including the internal review application and the University’s draft and final internal review reports. The Commissioner will be given the opportunity before the internal review process is complete to make a submission to UTS in relation to the conduct in question and the University's findings in its draft final report.
Deadline for UTS to complete an internal review
UTS has 60 days from receipt of the internal review application to complete the internal review. UTS will inform the applicant of the outcomes of the internal review within 14 days of its completion. These deadlines may be extended by mutual agreement with the applicant.
If UTS has not completed its internal review by the required deadline, the applicant may lodge an appeal. See appealing an internal review decision.
How UTS conducts an internal review
A UTS internal review investigation relating to privacy will usually involve:
- an assessment of the information in question against the definitions of personal information or health information, as appropriate
- identifying the relevant Information Protection Principles (under Part 2 of the NSW Privacy and Personal Information Protection Act 1998) or the Health Privacy Principles (under Schedule 1 of the NSW Health Records and Information Privacy Act 2004), and assessing the conduct against the relevant principles
- a review of relevant information held in the University's recordkeeping systems, as well as business systems, network and email folders
- a review of relevant business processes, and
- interviews with relevant staff who may have been involved in the conduct in question or who provide or manage the related business process.
If it is considered that the information being investigated is not personal or health information, the conduct in question will not be investigated further.
The manager of the business process may include the relevant member of the senior executive responsible for the process or activity or implementation officer for a related policy where appropriate.
For Privacy NSW fact sheets in relation to Information Protection Principles and Health Privacy Principles, see Privacy NSW: Resources — Fact sheets.
Appealing an internal review decision
Appeals against the findings of an internal review are to be referred to the NSW Civil and Administrative Tribunal (NCAT).
An applicant who wishes to appeal an internal review finding must apply to the NCAT for a review within 28 calendar days of receiving notice about the decision.
Where an internal review is not completed within 60 days, the 28-day time limit to request an NCAT review starts from the later of following two dates:
- the date the applicant was notified of the outcome of the internal review, or
- the day on which the 60-day internal review time limit expires.
Note: In this section on privacy at UTS, the term ‘personal information’ refers to both personal and health information, unless specified otherwise. Both terms are explained in definitions of personal and health information.