|Category||Administration and Management|
|Approved by||Vice-Chancellor, 10 September 2012|
|Date Policy Took Effect||10 September 2012|
|Last Approved Revision||23 January 2015|
|Sponsor||Registrar and Secretary to the Councial and Director Human Resources|
|Responsible Officer||Manager, Policy and Compliance|
|Review Date||23 January 2020|
- To ensure staff understand the circumstances in which it is appropriate to access personal student and staff information on University systems
- To ensure staff understand the need to observe the requirements of the Privacy Act 1993 in the use of that information and any other personal student and staff information they work with, or become aware of, as they undertake their roles
- To provide a process for staff to follow should they receive requests to disclose personal student or staff information
SMS – Student Management System
eVision - the University's main Student Management System
NZQA - New Zealand Qualifications Authority
NCEA - National Certificate of Educational Achievement
1. Authorisation to Access Personal Information
(a) Many staff members of the University are required, by the nature of their roles:
(i) to be able to access personal student and staff information on an SMS (e.g. eVision) and/or the HR databases and/or any of the University’s information systems; and/or
(ii) to work with, or be aware of, personal student and staff information in a wide range of contexts e.g. administration relating to student assessment or staff appointments.
(b) Access to personal information, which is to be granted in accordance with the established approval processes for each system and/or data set, should only be granted if required by a staff member’s role.
(c) It is the responsibility of the Head of Department (or their delegate) to ensure access to personal information is removed when no longer required by a role or individual.
(d) Special restrictions exist around the use of NCEA result data supplied directly to the University by NZQA. Access to, and use of, such data requires documented permission from the Director, Academic Services.
(e) Certain staff members undertaking specific roles in the University involving reporting to external agencies are authorised to release particular information relating to students and staff to the relevant agencies.
(f) A student or staff member may authorise a staff member to release their personal information to a particular individual or agency; such authorisation must be provided in writing.
(g) The provision of staff members' names as referees by students and former students is considered to be authorisation for the release of information relating to the academic performance of those students and former students, in terms of this policy.
2. Rules Governing Access to, and Use of, Personal Information
(a) Staff must only access and/or possess information that is required by them to carry out a function of their University employment. Any subsequent use of the information must also be clearly based on professional need.
(b) Authorisation to access a system containing personal information, for example eVision, does not imply authorisation to access all records or information in that system. Such access to particular records or information is governed by clause 2(a) above.
(c) Apart from the specific authorisations detained in clauses 1 (e), 1 (f) and 1 (g) above, staff must ensure that:
(i) They do not disclose any personal student or staff information to another staff member, unless that staff member also has a professional need to know the information.
(ii) They do not disclose any personal student information to another student or to an individual or organisation external to the University.
(iii) They do not disclose any personal staff information to an individual or organisation external to the University.
(d) If a staff member receives a request for student information as per clause 2 (c) (ii) above, they must refer it to the Manager, Policy Compliance.
(e) If a staff member receives a request for staff information as per clause 2 (c) (iii) above, they must refer it to the Director, Human Resources.
Related Policies, Procedures and Forms
- Authorisation of Access to Student Information Procedure
- The Privacy Act 1993 and other relevant information available at the following link http://privacy.org.nz/
- Other specific privacy considerations may attach to information as a result of the basis on which it was originally supplied.
- Information relating to the Public Records Act, the General Disposal Authority and other recordkeeping requirements at the following link http://www.otago.ac.nz/administration/corporaterecords/
Contact for Further Information
If you have any queries regarding the content of this policy or need further clarification, contact
a) the Manager, Policy and Compliance, on email@example.com in regard to student information
b) the Manager, HR Services, on firstname.lastname@example.org in regard to staff information.