Category Administration and Management
Type Policy
Approved by Council, 9 April 2024
Date Policy Took Effect 28 May 2024
Last approved revision N/A
Sponsor Registrar and Secretary to the Council and Director Human Resources
Responsible officer Manager, Policy and Compliance

Purpose

This Privacy Policy outlines how the University Community is expected to manage personal information and ensures that the University Community:

  • understands the circumstances in which it is appropriate to access personal information on University systems
  • is aware of, and complies with, the University’s obligations under the privacy laws that apply to us, including the New Zealand Privacy Act, and the laws in place in other countries we operate, such as the EU General Data Protection Regulation, and the China Personal Information Protection Law
  • is aware of, and complies with, the promises the University has made to our data subjects in our privacy statements and collection notices
  • is aware of the various privacy-related roles and responsibilities across the University, including in relation to the escalation of privacy risks and issues, and
  • develops or procures, and uses, new technologies that process personal information, including automated processing tools or tools that include Artificial Intelligence (AI) or machine learning, ethically and lawfully.

Organisational scope

All members of the University Community who have access to personal information. This policy applies to all personal information the University holds.

Definitions

Artificial Intelligence (AI)
The ability of machines to perform typically human-like tasks, including recognising patterns, making decisions and solving problems. This is achieved through algorithms and models designed to learn from data and improve over time. “AI” is typically used as an umbrella term to describe a collection of related technologies such as machine learning, facial recognition, predictive analytics, natural language processing, large language models, and generative AI (see below).
Data subject
Any natural person about whom the University collects and holds personal information and includes students (including prospective students and students visiting from other institutions), staff members, contractors, alumni, donors, research participants, and visitors to the University’s websites or campuses.
GDPR
EU General Data Protection Regulation
Generative AI
Generative AI tools use large amounts of information to transform and generate a variety of content, including human-like conversations, writing essays, creating images or videos, and computer code. Examples of generative AI tools include ChatGPT and Claude.

This policy distinguishes between “public” generative AI tools (which are publicly available, free, and web-based) and “enterprise” generative AI tools (which are not publicly available, require payment, and should segment and protect enterprise data).
Personal information
Any information, whether electronic or hard copy, about a data subject, whether or not the information directly identifies the data subject, and includes but is not limited to contact, demographic, health and academic information (including course results), CCTV footage, staff employment and performance information, emails and other correspondence, and opinions about the data subject.
PIPL
China Personal Information Protection Law
Privacy Act
New Zealand Privacy Act 2020
Privacy breach
An event (whether intentional or unintentional) in which personal information held by the University of Otago is lost or is accessed, altered, disclosed or destroyed without authorisation, including but not limited to:
  • accidental disclosure of personal information to the wrong recipient;
  • employee browsing of personal information without a legitimate business reason;
  • deliberate or malicious data use or disclosure by a current or former employee;
  • an external attack on a University system; or
  • a lost or stolen University device or document.
Privacy Officer
The person in the University who is responsible for ensuring our compliance with privacy laws. The current Privacy Officer is the Registrar and Secretary to the Council, and the Director, Human Resources in relation to employee personal information.
Sensitive personal information
Information about a data subject’s age, gender, health, ethnicity, political opinions, religion, sexual orientation, biometric information (such as facial recognition information), or criminal record.
University Community
All University of Otago staff, students (whether permanent, temporary, or part-time, and including prospective students and students visiting from other institutions), members of the Council of the University, honorary staff, or any other member of the University and any contractors (including contracted service providers), sub-contractors, consultants, or official visitors.

Content

The University Community must comply with privacy law, but privacy is about more than legal compliance. Good privacy practice involves considerations of ethics, fairness, and proportionality. Privacy is a human right, and the University strives to respect that.

Global privacy laws take a principles-based approach, allowing the University to collect, use and share personal information in the ways required to run our business. The principles of this policy reflect the requirements of most privacy laws, and best practice ethical considerations. The focus of this policy is on the Privacy Act, but where other laws (such as the GDPR and PIPL) require specific steps to be taken, these are noted.

Where the University is required by another law – such as the Education and Training Act 2020 – to collect, use or disclose personal information in a particular way, this requirement will override the Privacy Act, and the relevant processing of personal information will not generally be required to comply with the information privacy principles.

1.     Collection of personal information

Scope of collection

  1. Personal information should only be collected if it is necessary for a lawful purpose that is directly connected with any of the University’s lawful functions. At a high level, our lawful purposes include (but are not limited to):
    1. considering applications for admission to, or employment with, the University
    2. administering programmes of study
    3. conducting academic research
    4. managing staff and ensuring the health and safety of students and staff members, and
    5. meeting the University’s reporting requirements.
  2. Where a process or system can operate without the collection of personal information, or without the need to identify a data subject, the University may not require the individual’s identifying information.
  3. Personal information should be collected from the data subject directly, unless an exception can be relied upon to collect the information from a third party. Relevant exceptions may include:
    1. where the data subject authorises the University to collect personal information from a third party
    2. where collecting personal information from a third party would not prejudice the data subject’s interests
    3. where the information is collected from a publicly available source, such as the Internet
    4. where personal information is obtained or verified through relevant government or education agencies, including the New Zealand National Student Index
    5. where the information will be used in a form that does not identify the data subject, or
    6. where another law requires or permits the University to collect personal information from a third party.

Collection or assigning of unique identifiers

  1. Unique identifiers assigned by other agencies (“third-party unique identifiers”, such as the National Student Number (NSN), the National Health Index (NHI), the IRD number) must be collected and managed in accordance with the following requirements:
    1. The University must not use third-party unique identifiers to generally identify data subjects within our systems.
    2. The University may use a third-party unique identifier for the purposes of communicating with that third party about the relevant data subject (such as where the IRD number is used to communicate with Inland Revenue about an employee).
    3. The University must not require data subjects to provide their third-party unique identifiers, unless we can establish that this is one of the purposes for which the identifier was assigned by the third party (such as the NSN, which was assigned for the purpose of enabling education providers to search for and modify information about their students).
    4. The University must protect third-party unique identifiers from misuse (such as by masking or truncating them in correspondence).
  2. The University will assign its own unique identifiers to students, employees and affiliates, for example, in the form of ID numbers. These unique identifiers are necessary to enable the University to carry out its functions efficiently. However, the University must assign unique identifiers in accordance with the following requirements:
    1. The University must take reasonable steps to ensure that unique identifiers are assigned only to an individual whose identity is clearly established, and that the risk of misuse of a unique identifier by any person is minimised.
    2. The University must protect its unique identifiers from misuse (such as by masking or truncating them in correspondence).
    3. Student and employee ID cards will be allocated in conjunction with appropriate personal information, as governed by the Identity Card Sector Allocation Policy and Identity Card Issuing Policy.

Transparency

  1. Subject to clause 1(h), at the time that personal information is being collected from a data subject, the University Community must ensure that data subjects are made aware:
    1. what information is being collected
    2. why the information is being collected
    3. how the information will be used
    4. who the information will be shared with
    5. if the collection of the information is authorised or required by or under law, the particular law by or under which the collection of the information is authorised or required and whether the supply of the information by the individual is voluntary or mandatory
    6. the consequences (if any) for that individual if all or any part of the requested information is not provided, and
    7. what rights they have in relation to their information.
  2. If the information collected is a routine part of University process (that is, the collection of information is not unusual or ad hoc), it will be sufficient for compliance with clause 1(f) above if the University Community refers to, or provides the data subject with a link to, the relevant privacy statement.
  3. Unless the data collection relates to data subjects located in the EU or China, it is not necessary to comply with 1(f) if an individual with appropriate authority believes on reasonable grounds that:
    1. Non-compliance would not prejudice the interests of the individual;
    2. Non-compliance is necessary to avoid prejudice to the investigation, prevention, or prosecution of offences, or for the purposes of court proceedings;
    3. Compliance would prejudice the purposes of the collection; or
    4. That compliance is not reasonably practicable in the circumstances of the particular case; or
    5. That the information will not be used in a form in which the individual concerned is identified or will be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.
    If you are uncertain of your obligations you must consult with your Manager, who may consult with a University Privacy Officer.
  4. Occasional or ad hoc collections, such as individual research projects, may require the provision of specific privacy notices relating to that collection.
  5. Where a new collection, use or disclosure of personal information is to become a routine part of University process, the responsible member of the University Community must ensure that the Privacy Officer is notified and the relevant privacy statement is updated to reflect this.

Method of collection

  1. Personal information must only be collected in ways that are lawful and, in the circumstances, not unfair or unreasonably intrusive. This maintains personal dignity and protects data subjects from disproportionate or overly intrusive practices.
    1. Unlawful collection methods are those that are prohibited by law.
    2. Unfair collection methods could include not telling data subjects that information is being collected or deceiving data subjects about the purpose for collecting information. There are some instances where such collection methods may be appropriate (e.g., when conducting research), where there are other protections or processes establishing appropriate ethical protections.
    3. Unreasonably intrusive collection methods could include collecting sensitive personal information in a public space or using CCTV cameras in sensitive locations such as bathrooms.
  2. The University Community must be especially careful when collecting personal information from children or young people (such as some students and prospective students) to ensure that the collection is fair. This might include providing a simple summary of our privacy statement or ensuring that a child’s caregiver is aware that we are collecting personal information about their child. Where a student is 18 years or older it is expected that the University will liaise with them directly in respect of collecting their personal information.

Collection of sensitive personal information

  1. Some jurisdictions the University might operate in – including the EU, China and Australia – specifically regulate the collection of sensitive personal information. Where the University is directly and knowingly collecting information for people located in these jurisdictions, we must obtain consent to collect sensitive personal information, unless that information is being collected for the purposes of public health management (such as pandemic management), the delivery of health services to the individual, for occupational or employment purposes or in order to respond to an emergency (e.g., concerning a threat to the life or safety of an individual or individuals).

2.     Security and retention of personal information (including access)

Security

  1. All members of the University Community have a responsibility to protect the personal information they handle against loss, misuse, or unauthorised access, modification or disclosure.
  2. Before sharing personal information with a contracted service provider, the University Community must ensure that the service provider is required and able to provide an adequate level of protection to the personal information shared. This will usually be achieved by entering into a binding contract with the third party that includes a minimum set of privacy obligations on the third party.

Access

  1. Members of the University Community must only access personal information that is required by them to carry out a function of their University employment or research or study. Any subsequent use of the information must also be clearly based on professional need.
  2. Access to personal information, which is to be granted in accordance with the established approval processes for each system and/or data set, should only be granted to a member of the University Community if there is a legitimate need.
  3. It is the responsibility of the Head of Department (or their delegate) to ensure access to personal information is removed when no longer required by a role or individual.
  4. Access to personal information about students must be managed in accordance with the Authorisation of Access to Student Information Procedure.

Retention

  1. Members of the University Community must not retain personal information for longer than the University has a lawful purpose to use it, and must delete information in compliance with the Information and Records Management Policy.

3.     Use and disclosure of personal information

Anticipated uses and disclosures

  1. Except as provided in clause 3(b) below, personal information must only be used or disclosed by the University Community if that use or disclosure is the purpose for which the information was collected, and has been made clear to the data subject in the relevant privacy statement (if applicable).

New uses and disclosures

  1. Before using or disclosing personal information in new ways, or in ways that are not part of the University’s routine business, the University Community must ensure that this is necessary for a lawful purpose or is otherwise permitted or required by law, including where any one of the following Privacy Act exceptions applies:
    1. the relevant data subject has authorised the University to use or disclose their information in this way
    2. the use or disclosure is directly related to the purposes for which the information was collected
    3. the information will be de-identified (anonymised)
    4. the information was collected from a public source (such as information collected from public social media accounts), and it would not be unfair or unreasonable in the circumstances to use or disclose it in this way
    5. the use or disclosure is necessary to assist with the investigation, prevention, or prosecution of offences (such as gathering evidence of staff fraud), or for the purposes of court proceedings
    6. the use or disclosure is necessary to prevent a serious threat to life or health (such as tracking staff location for pandemic management), or
    7. the use or disclosure is required or permitted by another law (such as the Education and Training Act 2020 or the Education (Pastoral Care of Tertiary and International Learners) Code of Practice 2021).
  2. Where authorisation (or consent) is the lawful basis relied upon to process personal information, the University Community must ensure that this consent is:
    1. express – which means a clear, affirmative action, not a pre-selected box
    2. freely given – which means there are no conditions attached to the consent (such as the inability to provide a service), or there are no power imbalances at play (such as in the employment relationship)
    3. current and specific – which means perpetual or very general consents should be avoided
    4. informed – which means ensuring the data subject is made fully aware what personal information and processing the consent relates to, and
    5. clear – which means simple and in plain language.
  3. Third party requests for personal information that are not part of routine University business – including requests from other universities, family of students, government departments, or law enforcement agencies – must be escalated to a Privacy Officer.
  4. Personal information must not be disclosed to third parties based overseas without the approval of the Privacy Officer, who must consider whether the overseas third party is subject to privacy requirements that are equivalent to those contained in the Privacy Act. This will usually be achieved by entering into a binding contract with the third party that includes a minimum set of privacy obligations on the third party. Where that is not practicable, the University may obtain the informed consent of the data subject for the disclosure (such as when disclosing personal information to overseas thesis supervisors).

Using AI tools to make automated decisions

  1. The University might develop, procure, or use AI tools to assist us to make inferences or automated decisions about individuals. These tools might be used to manage course administration processes, deliver services (such as remote examination proctoring), or for the purposes of data analytics.
  2. The use of AI tools can raise significant privacy risks, and is subject to specific regulation in some jurisdictions (such as the EU). The use of AI tools should be managed on the basis of the following risk threshold:
    1. Unacceptable risk – Tools intended to infer the emotions of individuals in the education or employment context, or intended to infer sensitive attributes about individuals (such as race or sexual orientation).
    2. High risk – Tools intended to automate the processing of personal information in order to determine access or admission to study programmes, to evaluate learning outcomes, to steer a student’s learning process, or to monitor student behaviour during examinations, or to otherwise automate decisions that could have a significant impact on the rights or interests of data subjects.
    3. Low risk – Tools that do not make decisions about individuals or automate important processes.
  3. The University Community must not use AI tools for any purposes that fall into the unacceptable risk category. The one exception is academic research, provided it satisfies ethical requirements, is compliant with the Health Information Privacy Code and any applicable law, and is compliant with the privacy expectations of the source of the information.
  4. If a member of the University Community intends to develop, procure, or use AI tools for any purposes that fall into the high risk category, they must complete a Privacy Impact Assessment (PIA – see clause 5 below) and obtain the approval of the Privacy Officer.
  5. When using an AI tool which collects, processes or handles personal information, the University Community must:
    1. Where possible, use best efforts to ensure the data used to train, run or prompt the tool is fit for purpose, including that it is accurate, up to date, complete, relevant, and that it does not raise issues of bias.
    2. Be transparent with data subjects about the use of the tool. This might include updating our privacy statements to provide notice about such use.
    3. Ensure that the University has a lawful basis to process the personal information within the tool, such as where the processing is directly related to the purposes for which the information was collected.
    4. Review outputs or outcomes from the tool to ensure that they meet expectations, are lawful and ethical, and do not adversely impact on individuals or communities in unexpected or unintended ways.
    5. If using an AI tool to automate significant decisions about data subjects, ensure that the affected data subjects can challenge those decisions with a human, and can object to the use of such tools to make decisions about them (see clause 4(c)(v) below).
    6. If developing a low risk AI tool such as a chatbot, ensure that individuals are made aware that they are interacting with an AI system not a human.
  6. The University Community must also be mindful that poor model performance, inadequate monitoring, bias and discrimination, copyright infringement, lack of explainability, and inadequate governance create particular risks when using AI to collect, process or handle personal information.

Specific considerations in relation to using generative AI tools to process personal information

  1. The University Community must use generative AI tools in accordance with the Use of Generative-Artificial Intelligences and Autonomous Content Generation in Learning and Teaching Policy, which includes a requirement to ensure privacy issues are appropriately managed.
  2. The University Community must be mindful of the privacy risks created by using both public and enterprise generative AI tools to process personal information (either in training or in inference) including:
    1. Accuracy – The personal information intended to be processed within the tool must be fit for purpose. This requires checking (where possible) that the information is accurate, up to date, complete and relevant, and that it does not raise issues of bias.
    2. Use and disclosure – The University must have a lawful basis to use or disclose personal information within the tool. Processing personal information via public tools increases the risk of subsequent uses or disclosures that are unlawful.
    3. Security and retention – It is difficult to determine how secure public tools are. Once information is ingested into the tool, it may not be possible to delete it.
    4. Access and correction – Data subjects can ask to access or correct their personal information that is being processed within a tool, which could be extremely difficult to manage in practice.
    If these risks cannot be managed or mitigated then AI may not be the right tool in the circumstances.
  3. The University Community must not use public generative AI tools to process personal or confidential information.
  4. If a member of the University Community intends to use an enterprise generative AI tool to process personal information, they must complete a Privacy Impact Assessment (PIA – see clause 5 below) and obtain the approval of the Privacy Officer.

Accuracy

  1. Members of the University Community must take reasonable steps to ensure that personal information is accurate and up to date before using or disclosing it, particularly where this use or disclosure could impact on the rights or interests of the data subject.

Processing sensitive personal information

  1. Some jurisdictions the University might operate in – including the EU, China and Australia – specifically regulate the processing of sensitive personal information. Where the University is delivering services to students or other people located in these jurisdictions, we must obtain consent to process sensitive personal information, unless that information is being processed for the purposes of public health management (such as pandemic management), the delivery of health services to the individual, or for occupational or employment purposes or in order to respond to an emergency (e.g., concerning a threat to the life or safety of an individual or individuals).

4.     Data subject rights

  1. Privacy laws give the University’s data subjects important privacy rights, which support transparency and accountability, protect individual autonomy and give data subjects some control over the way we collect, retain, use and share their information. The specific rights a data subject has will depend on their geographic location and applicable privacy laws in that jurisdiction.
  2. Data subject rights requests must be managed in accordance with the procedural requirements set out in privacy laws, including:
    1. The University must respond to a request as soon as reasonably practicable and in any case not later than 20 working days after the day on which the request is received. The response must include the following information:
      1. That the University does not hold the personal information in a way that enables the information to be readily retrieved; or
      2. That the University does not hold any personal information about the individual to whom the request relates; or
      3. That the University does hold personal information about the individual to whom the request relates and, if access to the information has been requested, that –
        1. Access to that information, or some of that information, is granted; or
        2. Access to that information, or some of that information, is refused and the grounds for refusal; or
      4. The University neither confirms nor denies that it holds any personal information about the individual to whom the request relates.
    2. The University does not necessarily have to provide the personal information at the same time as it provides the individual with its decision. However, if the University has agreed to provide personal information it will need to do so without undue delay.
    3. It is important that members of the University Community who receive data subject rights requests can recognise those requests and escalate them quickly to the relevant Privacy Officer.
    4. Information should be released in the form preferred by the requester, unless doing so would impair the University’s efficient administration.
    5. The University Community must take reasonable steps to ensure that we are releasing personal information to the data subject only, unless they authorise us to release it to someone else.
    6. The University Community may charge a reasonable fee to process a request, but should not generally do so, and any fee must be approved by a Privacy Officer.
  3. Depending on their location, the University’s data subjects may have the right to:
    1. Access – Ask the University to confirm whether or not we are processing their personal information and, if we are, ask us for a copy of their information.
    2. Correction – Ask the University to correct personal information about them that they think is wrong. If we do not agree the data subject can ask us to attach a statement of correction to the information.
    3. Erasure (if the data subject is based in the EU or China) – Ask the University to erase their personal information if:
      • it is no longer needed for the purposes for which it was collected
      • they have withdrawn their consent for the processing of the information (where the processing was based on consent)
      • we have accepted their objection to processing, and we have no other lawful basis to retain it
      • it has been processed unlawfully, or
      • this is necessary to comply with a legal obligation to which we are subject, and
      • we are not required to retain it under the Public Records Act or the University General Disposal Authority.
    4. Restrict processing (if the data subject is based in the EU or China) – Ask the University to restrict the processing of their personal information if:
      • the accuracy of the personal information is contested, to allow us to verify its accuracy
      • the processing is unlawful, but they do not want it to be erased
      • it is no longer needed for the purposes for which it was collected, but it is still needed to establish, exercise or defend legal claims, or
      • they have objected to processing, and we are still considering that objection.
    5. Object to processing – Object to the processing of their personal information, where the University is processing personal information based on its legitimate interests, including where this involves automated decision-making.
    6. Withdraw consent – Withdraw their consent, if they have given the University consent for the processing of their personal information. Note that this will not affect the lawfulness of any processing of personal information that has been carried out based on the consent before its withdrawal.
  4. All data subject rights requests must be escalated to the relevant Privacy Officer.

5.     Privacy Impact Assessments (PIA)

  1. Where applicable, the University endeavours to take a “Privacy by Design” approach to the development of new or changed processes or systems. This means that we adhere to the following principles:
    1. Proactive not reactive; Preventative not remedial
    2. Privacy as the default
    3. Privacy embedded into design
    4. Full functionality – Positive-sum, not zero-sum
    5. End-to-end security – Lifecycle protection
    6. Visibility and transparency, and
    7. Respect for user privacy
  2. Any member of the University Community responsible for creating or changing a process or system, that involves a new collection, use or disclosure of personal information or that may impact the security or integrity of personal information already held by the University, must complete a PIA and consult on this PIA with a Privacy Officer. You can access a copy of the PIA template:
    Privacy Impact Assessment template (DOCX)
  3. At a minimum, a PIA must be completed in any of the following situations, which may be likely to create high privacy risk:
    1. processing sensitive personal information
    2. developing, procuring, or using AI tools for any purposes that fall into the high risk category as set out at section 3(g)(ii) above
    3. using generative AI tools to process personal information
    4. procuring a new third party service provider to store or process personal information on the University’s behalf, or
    5. disclosing personal information to a new third party, including an overseas third party.

6.     Privacy breach management

  1. All members of the University Community must ensure that any privacy breach they become aware of is reported promptly to a Privacy Officer in compliance with the applicable Privacy Breach Management Procedure.

7.     Roles and responsibilities

  1. The Audit and Risk Committee, which is a University Council committee, is responsible for:
    1. providing oversight and monitoring, including through receipt of regular management reports, of University of Otago's privacy status and obtaining assurance from internal and external information systems auditors.
  2. The Vice-Chancellor is responsible for:
    1. advocating cultural values that promote good privacy practice, and
    2. supporting the Privacy Officer and others to ensure personal information is managed in accordance with this policy
  3. The Privacy Officer is responsible for:
    1. supporting the University Community to understand and comply with this policy, including by maintaining and developing relevant procedures, standards and guidelines
    2. developing and offering privacy training as required
    3. assisting with the management of privacy breaches, data subject rights requests, and other privacy issues
    4. managing privacy complaints from data subjects
    5. reporting on privacy breaches and general privacy compliance to the Audit and Risk Committee and, where required, the Vice-Chancellor, and
    6. liaising with third parties in respect of privacy matters, including the Privacy Commissioner or other relevant regulators and data subjects.
  4. All managers are responsible for:
    1. supporting staff to understand and comply with this policy and participate in any privacy training provided by the University, and
    2. ensuring privacy breaches, data subject rights requests, and other privacy issues are identified and managed in accordance with this policy.
  5. All members of the University Community are responsible for:
    1. knowing and understanding their privacy responsibilities
    2. complying with this policy and any associated procedures
    3. actively participating in any privacy training provided by the University, and
    4. reporting any privacy breaches, data subject rights requests, or other privacy issues to the Privacy Officer

Related policies, procedures and forms

Contact for further information

If you have any queries regarding the content of this policy or need further clarification, contact:

Registrar and Secretary to the Council
Email registrar@otago.ac.nz

For specific queries relating to the management of employee personal information, contact:

Kevin Seales
Director, Human Resources
Email kevin.seales@otago.ac.nz
