Red X iconGreen tick iconYellow tick icon
Category Administration and Management
Type Policy
Approved by Vice-Chancellor, 10 September 2012
Date Policy Took Effect 10 September 2012
Last approved revision 25 October 2023
Sponsor Registrar and Secretary to the Council and Director Human Resources
Responsible officer Manager, Policy and Compliance

Purpose

  • To ensure staff understand the circumstances in which it is appropriate to access personal student and staff information on University systems
  • To ensure staff understand the need to observe the requirements of the Privacy Act 2020 in the use of that information and any other personal student and staff information they work with, or become aware of, as they undertake their roles
  • To provide a process for staff to follow should they receive requests to disclose personal student or staff information

Organisational scope

University-wide

Definitions

SMS
Student Management System
eVision
the University's main Student Management System
NZQA
New Zealand Qualifications Authority
NCEA
National Certificate of Educational Achievement

Content

1.     Authorisation to Access Personal Information

  1. Many staff members of the University are required, by the nature of their roles:
    1. to be able to access personal student and staff information on an SMS (e.g. eVision) and/or the HR databases and/or any of the University's information systems; and/or
    2. to work with, or be aware of, personal student and staff information in a wide range of contexts e.g. administration relating to student assessment or staff appointments.
  2. Access to personal information, which is to be granted in accordance with the established approval processes for each system and/or data set, should only be granted if required by a staff member's role.
  3. It is the responsibility of the Head of Department (or their delegate) to ensure access to personal information is removed when no longer required by a role or individual.
  4. Special restrictions exist around the use of NCEA result data supplied directly to the University by NZQA.  Access to, and use of, such data requires documented permission from the Director, Academic Services.
  5. Certain staff members undertaking specific roles in the University involving reporting to external agencies are authorised to release particular information relating to students and staff to the relevant agencies.
  6. A student or staff member may authorise a staff member to release their personal information to a particular individual or agency; such authorisation must be provided in writing.
  7. The provision of staff members' names as referees by students and former students is considered to be authorisation for the release of information relating to the academic performance of those students and former students, in terms of this policy.

2.     Rules Governing Access to, and Use of, Personal Information

  1. Staff must only access and/or possess information that is required by them to carry out a function of their University employment. Any subsequent use of the information must also be clearly based on professional need.
  2. Authorisation to access a system containing personal information, for example eVision, does not imply authorisation to access all records or information in that system.  Such access to particular records or information is governed by clause 2(a) above.
  3. Apart from the specific authorisations detained in clauses 1 (e), 1 (f) and 1 (g) above, staff must ensure that:
    1. They do not disclose any personal student or staff information to another staff member, unless that staff member also has a professional need to know the information.
    2. They do not disclose any personal student information to another student or to an individual or organisation external to the University.
    3. They do not disclose any personal staff information to an individual or organisation external to the University.
  4. If a staff member receives a request for student information as per clause 2 (c) (ii) above, they must refer it to the Manager, Policy Compliance.
  5. If a staff member receives a request for staff information as per clause 2 (c) (iii) above, they must refer it to the Director, Human Resources.

Related policies, procedures and forms

Contact for further information

If you have any queries regarding the content of this policy or need further clarification, contact:

Regarding student information:

The Manager
Policy and Compliance
Email policycompliance@otago.ac.nz

Regarding staff information:

The Manager
Human Resources Services
Email helen.mason@otago.ac.nz

Back to top