Disclosure of Personal Information Procedures
Application
These procedures apply to all University members who may be required to disclose personal information or respond to third-party requests for personal information, who may manage projects or systems that impact on personal information, or who are responsible for making policy decisions about the way the University manages or discloses personal information.
Purpose
To ensure that all University members understand when they may disclose personal information to a third party and the questions they must ask before doing so, and to assist University members to comply with the University’s Privacy Policy.
Background
When the University collects and processes personal information about its data subjects, it is required to comply with the Privacy Act 2020 and associated regulations but it also wishes to lead by example and ensure that its privacy practices meet the expectations of its global community.
Note – ‘Data subjects’ is the global term for the individual to whom personal information relates. The Privacy Act 2020 uses the term ‘individual concerned’.
The University must always ensure that it has a lawful basis to disclose personal information. Usually, the University can disclose personal information if that is why it was collected. The University may also be able to disclose personal information in new ways, provided this has a lawful basis.
Procedures
1. If any University member is unsure how to apply these procedures or whether or not they can disclose personal information in a particular case, they should ask the Privacy Officer.
Anticipated disclosures
2. The University can disclose personal information where this is the purpose, or one of the purposes, for which it was collected.
3. The University’s Privacy Statements provide notice to data subjects of the ways in which their personal information will be disclosed. These disclosures are lawful because the University has already notified data subjects that they may take place.
4. The University can also disclose personal information in ways that are directly related to the purposes for which the personal information was collected. However, before doing this, the University member should seek the advice of their manager and/or the Privacy Officer to ensure that the disclosure is directly related to the collection purposes.
5. Where a University member discloses personal information under items 2 or 4 above, they must ensure that they disclose information only to the extent that this is necessary to meet the relevant purpose or purposes.
6. Where personal information is disclosed on a routine basis, the responsible University member must ensure that this disclosure is secure and operates in compliance with the University’s Information Technology policies.
Unanticipated disclosures
7. University members may need to disclose personal information in ways that were not anticipated, and so may not have been addressed in the Privacy Statements (such as in response to a request from a third party). These disclosures are acceptable, provided they are legitimate and have a lawful basis.
8. University members must use the following process, and set of questions, to determine whether they may disclose personal information in a new way:
- Is it possible to ask the data subject to authorise the disclosure? – University members must first consider obtaining the authorisation of the data subject to disclose personal information in a new way. However, where authorisation is not practicable, there may be another lawful basis to disclose.
- Has the University received a request from a third party for personal information about someone else? – Ad hoc requests for personal information made by a third party (including a media agency) will be managed by the Privacy Officer under the Official Information Act 1982, or under other legislation as appropriate.
Note – Section 12 of the Official Information Act sets out who can make a request under the OIA. This does not generally include government agencies.
- Is the University under a legal obligation to disclose? – The University may be legally compelled to disclose personal information in some circumstances:
- Other legislation may require the University to disclose personal information in certain circumstances. For example, section 22C of the Health Act 1956 requires our health services staff to disclose health information where they are requested to do so by certain public officials, including a Probation Officer, the New Zealand Transport Agency or a social worker. Some public sector agencies - such as the Coroner - have legislative powers to compel the release of personal information. These provisions override the Privacy Act.
- The Police may make a request for personal information under a Production Order. Any requests from Police or other law enforcement agencies must be escalated to the Privacy Officer.
- Can the University rely on any other exception to disclose? – If none of the above apply and the University member still believes it is necessary to disclose personal information, they must be able to rely on an exception to Principle 11 of the Privacy Act 2020. Personal information may be disclosed if:
- the information was obtained from a public source (such as the internet) and it would not be unfair or unreasonable to disclose it;
- it is necessary to prevent or lessen a serious threat to public health or safety or to the life or health of an individual; or
- the information is to be used for statistical or research purposes and will be published in an anonymised form.
9. Before disclosing personal information as an exception to Principle 11 of the Privacy Act 2020, the University member must consult with the Privacy Officer.
10. Where a researcher is considering secondary data analysis or the disclosure of research data that includes personal information to an unanticipated third party, the researcher must obtain the approval of the University of Auckland Human Participants Ethics Committee (UAHPEC).
Note – the use and disclosure of research data must comply with the UAHPEC guidelines.
11. Where a University member discloses personal information pursuant to item 8, they must ensure that they disclose information only to the extent that this is necessary to meet the objectives of the disclosure.
Disclosing to a new contracted service provider or overseas recipient
12. Before disclosing personal information to a new contracted service provider, or disclosing personal information to an overseas recipient (other than a data subject), University members must ensure that the service provider or recipient is required and able to provide an adequate level of protection to the information.
13. The University must not disclose personal information to an overseas recipient (such as another tertiary education provider) unless:
- the recipient is providing the University with contracted services, and therefore processing the personal information on the University’s behalf (see item 13); or
- the data subject authorises the disclosure; or
- the recipient is in a country that has equivalent privacy laws in place (such as Australia, any EU Member State or any country that has EU Adequacy); or
- there are reasonable grounds to believe the recipient can provide comparable safeguards to those required by the Privacy Act (such as a binding contract in place between the University and the recipient).
14. Before disclosing personal information to a new contracted service provider, University members must consider the following factors:
- Location of the provider – if the service provider is located in a country that does not have equivalent privacy laws in place, the approval of the Privacy Officer must be sought.
- Limitation of provider access and processing – the provider must be prevented from accessing, using or disclosing personal information for its own purposes.
- Control of data on termination of relationship – the University must be able to secure the personal information in the event of termination of the contractual relationship or provider failure. This must include a requirement that the provider must not retain the information for its own purposes.
- Ability of provider to facilitate the University’s privacy obligations – The system a provider offers must not hinder the University’s ability to comply with the Privacy Act.
- Knowledge of privacy breaches – the provider must agree to inform the University in a timely manner of any privacy breaches or potential breaches that may affect personal information about data subjects.
Definitions
The following definitions apply to this document:
Disclose means to disclose personal information to any third-party person or agency, including a data service provider contracted to provide data storage or processing services to the University, but does not include making personal information available to University staff members or between University departments, or making personal information available to the data subject in response to a personal information request.
Data subject means any natural person about whom the University collects and holds personal information and includes students, staff members, contractors, alumni and friends, donors, and visitors to the University’s websites or campuses.
Personal information means any information, whether electronic or hard copy, about a data subject, whether or not the information directly identifies the data subject, and includes but is not limited to contact, demographic, health and academic information (including course results), CCTV footage, staff performance information, emails and other correspondence, and opinions about the data subject.
Privacy Statement means a notice the University has provided to a particular category of data subjects that outlines in general the matters set out at item 4 of this policy, and includes the Privacy Statement (covering personal information about students, alumni and friends, donors and website users) and the Employee Privacy Statement (covering personal information about staff members and contractors).
University means the University of Auckland and includes all subsidiaries.
University member includes members of Council, committee members, staff members, committee appointees, the University’s companies’ staff and board members and contractors working for and on behalf of the University and, for the purposes of this procedure, includes students who collect or process personal information in the course of their studies or research, or who are otherwise permitted access to personal information held by the University.
Key relevant documents
Include the following:
Document management and control
Owner: Registrar
Content manager: General Counsel and Privacy Officer
Approved by: Vice-Chancellor
Date approved: 10 November 2020
Review date: 10 November 2025