CASE STUDY: PRACTICAL APPLICATIONS OF AN INFORMATION PRIVACY PLAN…
CASE STUDY: PRACTICAL APPLICATIONS OF AN INFORMATION PRIVACY PLAN
XYZ University is a medium-sized tertiary education provider in the state of Queensland, Australia. In undertaking its normal business of teaching, learning, and research, the university collects, stores, and uses “personal information,” that is, anything that identifies a person’s identity.
With respect to students, this information may include, among other things, records relating to admission, enrollment, course attendance, assessment, and grades; medical records; details of student fees, fines, levies, and payments, including bank details; tax file numbers and declaration forms; student personal history files; qualifications information; completed questionnaire and survey forms; records relating to personal welfare, health, equity, counseling, student and graduate employment, or other support matters; records relating to academic references; and records relating to discipline matters.
The bulk of this information is retained in the student management information systems and in the file registry. Academic and administrative staff, at various levels, have access to these records only as required to carry out their duties. Portions of the information held in university student records are disclosed outside the university to various agencies, such as the Australian Taxation Office; the Department of Education, Employment and Workplace Relations; other universities; consultant student services providers; the Department of Immigration and Citizenship; and overseas sponsorship agencies.
The university has a well-documented information privacy policy in accordance with the community standard for the collection, storage, use, and disclosure of personal information by public agencies in Queensland. The policy relies on the 11 principles developed in the Commonwealth Privacy Act of 1988. These principles broadly state the following:
• Personal information is collected and used only for a lawful purpose that is directly related to the collector’s function.
• Before the information is collected, the individual concerned should be made aware of the purpose, whether it is required by law, and to whom the information will be passed on.
• Files containing personal information should be held securely and protected against loss; unauthorized access, use, modification, or disclosure; or any other misuse.
• Personal information can only be disclosed to another person or agency if the person concerned is aware of it and has consented and the disclosure is authorized or required by law.
• Personal information should not be used without taking reasonable steps to ensure that it is accurate, up to date, and complete.
Presented below are three scenarios in which you need to decide how to apply the privacy policy and principles. The following scenarios were sourced from the Griffith University Privacy Plan (http://www.griffith.edu.au/about-griffith/plans-publications/griffith-university-privacy-plan/pdf/privacy-training-guide.pdf). The link to the privacy plan itself is www.griffith.edu.au/ua/aa/vc/pp. A complete statement of the relevant privacy principles can be found at www.dva.gov.au/health_and_wellbeing/research/ethics/Documents/ipps.pdf.
Scenario 1
Roger, a photocopier technician, has been asked to repair an office photocopier that just broke down while someone was copying a grievance matter against an employee of the agency. The officer who was copying the file takes the opportunity to grab a cup of coffee and leaves Roger in the photocopy room while the photocopier cools down. While waiting, Roger flips through the file and realizes that the person against whom the grievance was made lives on the same street as he does.
Scenario 2
Tom telephones a student at home about attending a misconduct hearing. The student is not at home; however, the student’s partner, Christine, answers the phone. She states that she knows all about the misconduct hearing but asks for clarification of the allegations. When pressed, Tom provides further details. Tom feels comfortable about providing this information to Christine because she is the student’s partner, and she has already told Tom that she knows all about her partner’s misconduct hearing.
Scenario 3
Brad works in a student administration center, and Janet is a student. They know each other, as they used to attend the same high school. Occasionally, they get together at the university to have coffee and chat about mutual friends. Brad knows that Janet’s birthday is coming up because Janet happened to mention that she’ll be another year older in the near future. Brad decides to access the student information system to find out Janet’s date of birth and home address. A few weeks later, Janet receives a birthday card from Brad sent to her home address.
Case Study Questions
With regard to the above scenarios, you need to decide
-
what information privacy principles (IPPs) have been breached,
-
how, and
-
what you would do to address the situation.
删除线格式
The answer to the above is as detailed below.
Step-by-step explanation
Scenario 1:
The Information privacy principles 3 and 4 have been breached.
The officer left the confidential papers as the photocopier was being repaired for a cup of coffee. He must have ensured the documents are safely kept and that only authorized personnel must view it. Instead, the technician had the opportunity to go through the confidential documents which is against the IPP.
If I were in place of the officer, I would never have left the site without retrieving all the confidential documents and ensuring the privacy. I would collect all the papers, keep it at a safe location and then only go for a coffee.
Scenario 2:
The IPPs 2 and 4 have been breached in this case.
The confidential information regarding the misconduct hearing and it’s related allegations must not be disclosed to anyone other than the student himself.
The student had not given official authority to his partner Kristine to be provide the confidential information. Even if his partner Kristine claimed of having known the case, Tom must not have breached the confidentiality. Instead must have requested Kristine to convey his call to the student and to call him back when he returns home.
Scenario 3:
The IPPs 1, 3 and 4 have been breached.
Brad has used the student’s information stored in the university’s student information system to know Janet’s date of birth and residential address. Brad used his position to access the student’s personal information for personal use.
As Brad and Janet were friends from the same high school and have developed a good relationship, he could have asked her for her birthday date and details of her address to send the card. Alternately, he could gift her a birthday card in the university itself if she felt unsure to disclose her address to him.(由留学作业帮www.整理编辑)
扫一扫
165
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
