Managing Access
The basics
As an educator, employer, government and industry partner, research hub, and repository of knowledge, the University handles a huge amount of information - some of which may be of a personal, confidential, commercial, legally privileged, classified or sensitive nature. There will therefore be times where it is appropriate to restrict access to particular records or information. However, the University must take great care to restrict access only where there is a good reason - and to carefully balance restrictions on access with the University's public accountability and its academic mission as a disseminator of knowledge.
Keeping the following basic principles in mind will help you manage access to your records in the most balanced and appropriate way:
- Only restrict access where there is a good reason - such as privacy, commercial confidence, legal privilege or intellectual property protection - and only restrict those portions of a file or document that truly need to be restricted.
- Only restrict access for as long as the restriction is properly required.
- If something is confidential, make sure the file or document says so and explains why in a way that other University personnel looking at the file or document would understand.
- Make sure that you fully understand the rules surrounding privacy, especially if you work with student or staff records.
- Throughout the life of a file or document, keep asking yourself if it still needs to have its access restricted.
- Use electronic records where possible, to improve locatability and the proper management of access.
- Remember that if someone from outside the University seeks access to any University records through Freedom of Information, the request must be escalated promptly to the University's FOI Officer, who will assist you in processing the application within the strict time limits prescribed by the law.
- If access is sought by a warrant/subpoena, you should deal with the request promptly, as the request may have time limitations that are legally binding. For areas where you have clear procedures for dealing with such requests (such as student records), follow those procedures carefully and do not be afraid to ask for help if you are unsure what to do. For areas that have no such internal procedures, you should seek assistance from Legal and Risk Branch.
- If you are in doubt whether access should be granted to a particular document or file - check with your Head of School or Branch manager or refer the question to Archives & Recordkeeping staff.
Privacy, confidentiality, and other limits on access
To facilitate the sharing of corporate knowledge, it is best practice not to restrict records. However, in some instances there is a demonstrated need to restrict records, including:
- Personal information - Many of the records held by the University contain personal information. Any information or opinion from which the identity of an individual can be ascertained is considered to be "personal information". This includes a person's name, address, date of birth, student/staff identification number, and other personal characteristics. The University has a responsibility to collect, manage, use and disclose personal information in accordance with the prevailing community standards of best practice, respecting the privacy of the individual. Everyone handling University records needs to be familiar with and follow these standards, as encapsulated in the Privacy Policy and Management Plan - this will be particularly important if you work with student records or personnel files, which contain predominantly personal information.
- Financial information - such as tax file numbers, bank account or credit card details. These are a form of personal information, but are also generally subject to specific confidentiality requirements under financial regulations. For more information, consult with Financial Services or someone in the Legal and Risk Branch.
- Health related information - such as counseling notes or medical information. In addition to being a form of sensitive, personal information, they are subject to additional regulatory and professional confidentiality requirements.
- Student related information - including grades, progress and enrolment details of current, past and prospective students (including those who are offered a place but ultimately do not attend the University).
- Legally privileged documents - this would include communications between you and legal representatives (including the Legal and Risk Branch of the University) or advice you receive from your legal representatives. For information, ask the Legal and Risk Branch.
- Information requiring confidentiality to ensure intellectual property right protection - such as patentable information which is in the course of being protected. For more information, contact Innovation and Commercial Partnerships.
- Commercially sensitive information - such as information provided by an industry sponsor in the course of a specific research project, disclosed on the basis of "commercial in confidence". Commonly this material would be protected by way of a confidentiality agreement (or confidentiality clauses in the research funding contract).
- Confidential by way of agreement - if the University has agreed to keep something confidential under a contract, then it must comply with that agreement. If you are agreeing to keep something confidential, you should run the terms by a legal advisor, such as someone in Legal and Risk Branch. Note that if the terms of a contract itself are intended to be kept confidential, then a special process must be followed before the contract is signed, otherwise the document will not be protected from access under Freedom of Information. For more details, see the University's Freedom of Information Policy.
Maintaining adequate security around records
When records have restrictions on their access, it becomes particularly important to store them in a secure manner. Content Manager provides strict control of access to records. Security of records in Content Manager is managed by the use of Security Groups and Access Controls.
Records need to be protected from unauthorised access and should not be left unattended or in vulnerable locations.
Refer to the section on managing records in a mobile and portable work environment for hints on ensuring security where records are being portably used.
If a restricted or confidential document is subject to unauthorised access, unintentional disclosure, or has its security breached in any other way (including through loss or misplacement of the document), you should notify:
- Your Head of School or Branch, who should be made aware if departmental records have been compromised;
- The Technology Services Helpdesk for any electronic information breaches or compromising of the University's IT system - refer to IT Security Procedures for more information;
- The Legal and Risk Branch, who must be informed for insurance purposes, and who may be able to provide assistance dealing with the situation.
Freedom of Information (FOI)
If you or someone in your work area receives a Freedom of Information (FOI) request, contact the University's FOI Officer immediately.
The Freedom of Information Act is a state law that gives members of the public a right to access our records - with some exceptions, such as where records contain personal or confidential information, or are subject to some other reasonable limitation (such as being legally privileged, or commercially sensitive).
This public right means that the University is required to produce documents that are requested under Freedom of Information (FOI), within a very limited time frame and in line with certain procedures. These requirements are summarised in the University's Freedom of Information Policy.
For the University to meet its FOI obligations, the coordination of FOI applications on behalf of the University is essential, and occurs through a designated FOI Officer located in Records Services. It is also essential that all relevant areas of the University cooperate in identifying and producing all documents that are possibly relevant to an application, including "documents" stored electronically, such as emails.
If you or someone in your area receives an FOI request, contact the University's FOI Officer immediately. They will coordinate the University's response, and help you determine which documents (if any) may be subject to exemptions from disclosure under the legislation.
For additional information, refer to the Freedom of Information (FOI) section on the Legal and Risk website.