| Category | Administration and Management |
|---|---|
| Type | Policy |
| Approved by | Vice-Chancellor, 10 September 2012 |
| Date Policy Took Effect | 10 September 2012 |
| Last approved revision | 23 January 2015 |
| Sponsor | Registrar and Secretary to the Council and Director Human Resources |
| Responsible officer | Manager, Policy and Compliance |
Purpose
- To ensure staff understand the circumstances in which it is appropriate to access personal student and staff information on University systems
- To ensure staff understand the need to observe the requirements of the Privacy Act 2020 in the use of that information and any other personal student and staff information they work with, or become aware of, as they undertake their roles
- To provide a process for staff to follow should they receive requests to disclose personal student or staff information
Organisational scope
University-wide
Definitions
- SMS
- Student Management System
- eVision
- the University's main Student Management System
- NZQA
- New Zealand Qualifications Authority
- NCEA
- National Certificate of Educational Achievement
Content
1. Authorisation to Access Personal Information
- Many staff members of the University are required, by the nature of their roles:
- to be able to access personal student and staff information on an SMS (e.g. eVision) and/or the HR databases and/or any of the University’s information systems; and/or
- to work with, or be aware of, personal student and staff information in a wide range of contexts e.g. administration relating to student assessment or staff appointments.
- Access to personal information, which is to be granted in accordance with the established approval processes for each system and/or data set, should only be granted if required by a staff member’s role.
- It is the responsibility of the Head of Department (or their delegate) to ensure access to personal information is removed when no longer required by a role or individual.
- Special restrictions exist around the use of NCEA result data supplied directly to the University by NZQA. Access to, and use of, such data requires documented permission from the Director, Academic Services.
- Certain staff members undertaking specific roles in the University involving reporting to external agencies are authorised to release particular information relating to students and staff to the relevant agencies.
- A student or staff member may authorise a staff member to release their personal information to a particular individual or agency; such authorisation must be provided in writing.
- The provision of staff members' names as referees by students and former students is considered to be authorisation for the release of information relating to the academic performance of those students and former students, in terms of this policy.
2. Rules Governing Access to, and Use of, Personal Information
- Staff must only access and/or possess information that is required by them to carry out a function of their University employment. Any subsequent use of the information must also be clearly based on professional need.
- Authorisation to access a system containing personal information, for example eVision, does not imply authorisation to access all records or information in that system. Such access to particular records or information is governed by clause 2(a) above.
- Apart from the specific authorisations detained in clauses 1 (e), 1 (f) and 1 (g) above, staff must ensure that:
- They do not disclose any personal student or staff information to another staff member, unless that staff member also has a professional need to know the information.
- They do not disclose any personal student information to another student or to an individual or organisation external to the University.
- They do not disclose any personal staff information to an individual or organisation external to the University.
- If a staff member receives a request for student information as per clause 2 (c) (ii) above, they must refer it to the Manager, Policy Compliance.
- If a staff member receives a request for staff information as per clause 2 (c) (iii) above, they must refer it to the Director, Human Resources.
Related policies, procedures and forms
- Authorisation of Access to Student Information Procedure
- Privacy Act 2020
- The University's student privacy statement
- Other specific privacy considerations may attach to information as a result of the basis on which it was originally supplied.
- Information relating to the Public Records Act, the General Disposal Authority and other recordkeeping requirements
Contact for further information
If you have any queries regarding the content of this policy or need further clarification, contact:
Regarding student information:
The Manager
Policy and Compliance
Email policycompliance@otago.ac.nz
Regarding staff information:
The Manager
Human Resources Services
Email helen.mason@otago.ac.nz
