Privacy Statement
This Privacy Statement updates and replaces Griffith's "Privacy Plan".
Griffith University is committed to protecting your privacy and keeping your Personal Information safe.
Our Privacy Statement details what kinds of Personal Information we collect when you interact and transact with us, either in person, via telephone, email, on our social media channels, or on our websites. It is designed to:
- inform you of what information we collect, what we use it for and who we disclose it to;
- explain your rights regarding how we collect, use and disclose your personal information; and
- describe the legal obligations that apply to us, how we meet those laws and how they protect you.
Our Privacy Statement applies to all individuals who interact with the University, including students, staff, research participants, alumni, donors, third-party service providers, partners, visitors and community members, website users and persons accessing the University’s health services.
Please read our Privacy Statement carefully. We may change our Privacy Statement from time to time as required, when there are material changes to our practices or when there are legislative amendments made. Any changes to our privacy practices will be published on our website. We encourage you to check our website periodically to ensure that you are aware of these changes.
What personal information do we collect, use and disclose?
The types of Personal Information that we may collect, use and disclose will depend on who you are and how you interact with the University.
This section applies to you if you are a prospective student, a student applying for enrolment, a current student, an international exchange student, or a past student.
As a Griffith student, you are asked to provide personal information like your contact details, educational background, course and class choices, and health information for various purposes. This notice explains why we collect your personal information, what we do with it and who we share it with.
Your personal information will be managed in accordance with our obligations, and we ask that you keep your personal information updated during your studies. This enables us to communicate with you and fulfill our obligations toward you, including helping us protect your privacy. For example, if you do not update your address with Griffith, we may send a document with your personal information to the incorrect address, where it could be opened by someone else.
We have a legal basis for collecting your information under the Griffith University Act 1998 (Qld) and in accordance with our obligations under various other laws, legal obligations, and provision of services. Our legal obligations include, but are not limited to, the Higher Education Funding Act 1988 (Cth), Higher Education Support Act 2003 (Cth), the Education Services for Overseas Students Act 2000 (Cth) and the Migration Act 1958 (Cth).
What personal information do we collect?
- identification information such as your name, date and country of birth, student number, Unique Student Identifier (USI), Tax File Number (TFN), passport and driver’s licence details, citizenship and residency information and other similar identification information or documentation;
- contact information such as your address(es), email address(es), telephone number(s), and emergency contact details;
- information regarding your family including spouse/de facto partner relationships and dependents;
- information in connection with your admission, enrolment and graduation such as your student history and existing qualifications; academic transcripts, disciplinary matters and graduation records; student sponsorship information; Centrelink information; supervisor and examiner information and internship information;
- health information including Medicare information and health insurance information; information about disabilities or health conditions; vaccinations, serology and exposure prone declarations; medical history; records of accidents, incidents, and injuries; consultation and treatment notes; records relating to compensation and rehabilitation and health or medical provider information;
- financial information such as bank account details, financial statements, evidence of financial capacity to support your intended studies, and financial information related to scholarship and funding applications;
- information related to criminal history checks and clearances, security clearances, Blue Card, NDIS Workers screening and mask fit testing;
- travel-related information such as passport and visa information; language proficiency test results; travel profile information and health insurance details;
- personal records such as your employment information and certifications or licenses;
- contents of email messages that are sent by or received from your Griffith email address;
- information in connection with services provided while you are a student such as vehicle information for parking; library usage; computer and terminal usage; rental references, lecture recordings, images of you, and CCTV footage (on Griffith premises).
- The personal information we collect about you may include:
When will your personal information be used or disclosed?
We use or disclose your personal information for a range of reasons including:
- to administer and manage the provision of educational and support services, including admission, enrolment, scholarships, billing and collection of fees and charges, examinations, academic administration, electoral rolls and visas;
- to administer learning and support services, such as library and information technology, email, online teaching and resources, lecture, recording, and collaborative study (including sharing some information with other students in classes);
- to administer cross-institutional enrolments;
- to administer and manage the provision of practicum or placements, school and workplace visits, clinical assignments and work integrated learning;
- to undertake checking and verification activities including credentialing and clinical privileging;
- to administer financial services (for payments, government support and assistance, etc.)
- to review, develop, optimise and personalise the delivery of all our services to students including course and program design, library, accommodation, parking, facilities access, health, wellbeing and counselling, sport and recreation and hospitality services;
- to provide you with direct marketing materials, such as students newsletters and invitations to University events;
- to maintain accurate and up-to-date contact details (including emergency contact details) and to keep in touch with you when you graduate;
- to manage and investigate performance, conduct, and disciplinary matters and to enable cyber and physical security;
- for quality assurance and evaluation purposes to help ensure that our courses, programs, and services are of high quality and fit for purpose;
- to ensure the University complies with duties in relation to individuals and meets its contractual, statutory and regulatory obligations;
- to ensure accreditation requirements and standards are met;
- for emergency or crisis purposes;
- to provide an online verification of qualifications service that is accessible to the public; and
- as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
To whom will your personal information be disclosed?
The University may disclose your personal information to third parties, including third parties that may be overseas, including:
- government agencies, regulatory bodies, and law enforcement agencies if disclosure is authorised or required;
- professional registration bodies, external checking and verification bodies, accreditation bodies, industry bodies and associations as required;
- government, industry and private organisations sponsoring your education;
- practicum or placement providers;
- research partners;
- scholarship providers and student sponsors (where there is an agreement between the student and the provider/sponsor or the student authorises release);
- banking and financial institutions; to current or former employers for the purposes of verifying work experience;
- health and medical bodies where you have consented to the disclosure, or in an emergency situation;
- to your emergency contacts, your supervisor or Human Resources, or to notify the relevant authority, in an emergency situation, to lessen or prevent a serious threat to your or another person’s life, health or safety or public health or safety, where it is impractical to obtain your consent, or if there are reasonable grounds to be concerned about your or someone else’s welfare or safety;
- third-party vendors who assist the University with the provision of services to you;
- other educational institutions (for example, if you do a semester at another institution through a study abroad program or participate in a conference or other activity at another institution);
- advisors or consultants engaged by the University, including accountants, lawyers and other professional services advisors;
- in response to a writ, subpoena, or similar order legally requiring Griffith to disclose the information;
- other parties as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
Some disclosures to departments of the Australian government and other bodies that are required by law include:
- statistical information about your enrolment and educational background;
- financial information in relation to your HECS-HELP, FEE-HELP, and other loan schemes where you may defer payments through the tax system and to other government and private loan schemes where students are granted approved loans;
- identifying data (including your TFN) for the allocation of a Unique Student Identifier (“USI”), a Commonwealth Higher Education Student Support Number, and the management of your Commonwealth assistance;
- on all matters related to international student visa conditions;
- to monitor domestic students’ entitlements to Centrelink benefits;
- to health care providers as part of the Overseas Student Health Cover; and
- to the Australian Health Practitioner Regulation Agency (AHPRA) for students in courses covered by the Health Practitioner Regulation National Law Act 2009.
This section applies to you if you are an employee (academic and professional), casual or sessional staff member, council member, adjunct or other non-paid appointment (e.g. Emeritus Professor), visiting academic, or secondee or are a job applicant. This notice explains why we collect your personal information, what we do with it and who we share it with.
Your personal information will be managed in accordance with our obligations, and we ask that you keep your personal information updated. This enables us to communicate with you and fulfill our obligations toward you, including helping us protect your privacy. For example, if you do not update your address with Griffith, we may send a document with your personal information to the incorrect address, where it could be opened by someone else.
We have a legal basis for collecting your information under the Griffith University Act 1998 (Qld), the Fair Work Act 2009, our Enterprise Agreements and contracts with staff members, Griffith policies and procedures, the Migration Act 1958 and other legislation, including but not limited to that relating to employment, taxation, superannuation. We also have a legitimate business interest in collecting your information as it relates to the business activities you engage in as part of your relationship with Griffith.
What personal information do we collect?
The personal information we collect about you may include:
- identification information such as your name, date and country of birth, staff and/or student numbers, passport and driver’s licence details, citizenship and residency information and other similar identification information or documentation;
- contact information such as your address(es), email address(es), telephone number(s), and emergency contact details;
- information in connection with your recruitment or employment, including position applications; qualifications, publications, criminal history checks; security clearances; language proficiency test results; working with children checks; previous employment history; performance appraisals, and reference and referee checks;
- information in connection with your appointment or employment including professional registration and clinical privileging; provider and prescriber numbers, staff appraisals and student surveys;
- health information including Medicare information; information about disabilities or health conditions; vaccinations; medical history; records of accidents, incidents, and injuries; consultation and treatment notes and records relating to compensation and rehabilitation, work and functional capacity and health or medical provider information;
- financial information such as bank account details; Tax File Number (TFN) and superannuation information;
- travel related information such as passport and visa information; travel profile information;
- Information in connection with services provided to you such as vehicle information; library usage; computer and terminal usage; images of you and CCTV footage (on Griffith premises);
- Information in connection with services or roles performed by you, such as lecture and meeting recordings or facility and system use and access;
- contents of email messages that are sent by or received from your Griffith email address;
- Information in relation to declarations or conflicts of interests as required by the Conflict of Interest Policy; and
- Information regarding your work, research, and publications that may be published on the website (including the Griffith Experts page), newsletter, social media, or other marketing materials.
- information related to Blue Card, NDIS Workers screening mask fit testing, and other qualifications or certifications related to your role;
When will your personal information be used or disclosed?
We use or disclose your personal information to administer your employment; manage your remuneration, benefits, and other employment conditions; and other related human resources purposes including:
- selection and appointment functions such as verifying details for your employment or contractual engagement including work rights and relevant qualifications, licences or permits, health and background checks;
- to maintain accurate and up-to-date employment records and contact details (including emergency contact details), leave details, records of employee contractual and statutory rights and accreditation checks;
- to administer University services such as payroll processing, superannuation administration; insurance, the management of work-related travel and staff training and development;
- to undertake checking and verification activities including credentialing and clinical privileging;
- staff appraisals, probation and promotions;
- publication of the staff directory, Griffith news, marketing, Griffith Experts, and other disclosures for business purposes, including to build Griffith’s reputation and increase its collaboration and grant capabilities;
- managing and investigating performance, conduct, conflicts of interest and disciplinary matters;
- to provide you with marketing materials, such as staff newsletters and invitations to University events;
- risk management, workplace health and safety and workers’ compensation matters and reasonable adjustment decisions/ actions;
- to health and medical bodies where you have consented to the disclosure or in an emergency situation;
- to your emergency contacts or to notify the relevant authority in an emergency situation, to lessen or prevent a serious threat to yours or another person’s life, health or safety or public health or safety, where it is impractical to obtain your consent, or if there are reasonable grounds to be concerned about your welfare or safety;
- to obtain occupational health advice, and ensure the University complies with duties in relation to individuals with disabilities, meets its obligations under health and safety law, and ensures that employees are receiving the pay or other benefits to which they are entitled;
- benchmarking, reporting, analysis, quality assurance, evaluation, and planning purposes;
- for emergency or crisis purposes;
- to manage and investigate performance, conduct, and disciplinary matters and to enable cyber and physical security;
- to optimise the security, reliability, and functionality of Griffith apps or services, such as through its use for testing of the apps or services;
- to review, develop, optimise and personalise the delivery of all our services to and by staff;
- as authorised by law, otherwise permitted by the IP Act, or as authorised by you; and
- to ensure the University complies with duties in relation to individuals and meets its contractual, statutory and regulatory obligations, including by disclosing personal information to third parties as required (such as by disclosing some information to the Australian Tax Office or the Department of Education.
To whom will your personal information be disclosed?
The University may disclose your personal information to third parties, including:
- to government departments, agencies and regulatory bodies as requested or required for the purpose of verifying your immigration/citizenship status, verifying educational qualifications, undertaking required security and criminal checks, obligations regarding eligibility for government benefits, taxation, and superannuation benefits;
- professional registration bodies, external checking and verification bodies, accreditation bodies, industry bodies and associations as required;
- banking, superannuation and financial institutions;
- health and medical bodies where you have consented to the disclosure, or in an emergency situation;
- to your emergency contacts, your supervisor or Human Resources or to the relevant authority, in an emergency situation, to lessen or prevent a serious threat to yours or another person’s life, health or safety or public health or safety, where it is impractical to obtain your consent, or if there are reasonable grounds to be concerned about your welfare or safety;
- other staff or third-party vendors who assist the University with the provision of services to you or that support your role as a Griffith employee;
- other University staff and officers where required or in response to a writ, subpoena, or similar order legally requiring Griffith to disclose the information;
- to law enforcement agencies when required;
- advisors engaged by the University, including accountants, lawyers and other professional services advisors; and
- other parties as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
I am a consultant, contractor, service provider or third-party
This section will apply to you if you are a consultant, contractor or third-party providing goods or services to the University (including University committee members and research partners who are not staff).
What personal information do we collect?
The personal information we collect about you may include:
- identification information such as your name, date of birth, staff and student numbers, passport and driver’s licence details, citizenship and residency information and other similar identification documentation;
- contact information such as your address, email address, telephone number(s), and emergency contact details;
- information in connection with your recruitment including position applications; criminal history checks; security clearances; working with children checks; previous employment history; and reference and referee checks, including copies of qualifications and information regarding your research collaborations;
- health information including Medicare information; information about disabilities or health conditions; medical history; records of accidents, incidents, and injuries; consultation and treatment notes and records relating to compensation and rehabilitation;
- information in connection with your appointment, contract, or other agreement including professional registration numbers, clinical privileging and provider and prescriber numbers;
- financial information such as bank account details; Tax File Number (TFN) and superannuation information;
- travel related information such as passport and visa information; language proficiency test results; and travel profile information;
- Information in connection with services provided to you such as vehicle information; library usage; computer and terminal usage; images of you and CCTV footage (on Griffith premises);
- contents of email messages that are sent by or received from your Griffith email address if you receive one;
- Information in relation to declarations or conflicts of interests as required by the Conflict of Interest Policy.
When will your personal information be used or disclosed?
We use or disclose your personal information for a range of reasons including:
- recruitment, selection and appointment functions such as verifying details for your employment or contractual engagement including work rights and relevant qualifications, licences or permits, health and background checks and to meet our legal and contractual obligations;
- to maintain accurate and up-to-date engagement records and contact details (including emergency contact details), attendance, and records of contractual and statutory rights;
- to administer University services such as payroll processing, superannuation administration; insurance; the management of work-related travel and training and development;
- appraisals, reviews and on-boarding/off-boarding;
- managing and investigating performance, conduct, conflicts of interest and disciplinary matters;
- to contact you with direct marketing materials, such as Griffith newsletters or event invitations;
- for publication on the intranet and the website in relation to your role, contact information, research and publications, and related work and for disclosure to research and other partners involved in the building Griffith’s research capabilities;
- sharing the information of research collaborators on Griffith publications and as part of disclosures to accreditors, government agencies, and others I the ordinary course of business and to research facilitators in those places where Griffith’s researchers’ study and/or publication details are being shared;
- to manage and investigate performance, conduct, and disciplinary matters and to enable cyber and physical security;
- to optimise the security, reliability, and functionality of Griffith apps or services, such as through its use for testing of the apps or services;
- risk management and workplace health and safety matters;
- health and medical bodies where you have consented to the disclosure, or in an emergency situation;
- to your emergency contacts or to notify the relevant authority in an emergency situation, to lessen or prevent a serious threat to yours or another person’s life, health or safety or public health or safety, where it is impractical to obtain your consent, or if there are reasonable grounds to be concerned about your welfare or safety;
- to obtain occupational health advice and ensure the University complies with duties in relation to individuals with disabilities, meets its obligations under health and safety law, and ensures that you are receiving the pay or other benefits to which you are entitled;
- for benchmarking, reporting, analysis, quality assurance and planning purposes;
- for compliance, where we are legally required to provide information to government agencies such as the Australian Taxation Office or the Department of Education; and
- as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
To whom will your personal information be disclosed?
The University may disclose your personal information to third parties, including:
- government agencies and regulatory bodies as requested or required;
- professional registration bodies, industry bodies and associations, and accrediting bodies as required;
- banking, superannuation and financial institutions;
- health and medical bodies where you have consented to the disclosure, or in an emergency situation;
- to your emergency contacts or in notifying the relevant authority, in an emergency situation, to lessen or prevent a serious threat to yours or another person’s life, health or safety or public health or safety, where it is impractical to obtain your consent, or if there are reasonable grounds to be concerned about your welfare or safety;
- other third-party vendors who assist the University with the provision of services to you or in support of your association with the University;
- other University staff and officers where required;
- to law enforcement agencies when required;
- advisors engaged by the University, including accountants, lawyers and other professional services advisors; and
- other parties as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
This section applies to individuals who are participating in research projects, whether as a volunteer or on a paid basis.
The types of Personal Information that we collect will depend on the purpose of the research being undertaken and the terms of the research activity. You will be provided with a Research Participant Privacy Notice that will set out the particulars of the Personal Information that we intend to collect from you in advance of the research project. For additional information, please contact the Research Ethics and Integrity Team.
What personal information do we collect?
The personal information we collect about you may include:
- identification information such as your name, date of birth, staff and student numbers (if applicable), passport and driver’s licence details, citizenship and residency information and other similar identification documentation;
- contact information such as your address, email address, telephone number(s), and emergency contact details;
- sensitive information including racial or ethnic origin; political or religious affiliations; and sexual orientation or practices;
- health information including Medicare information; medical history; information about disabilities or health conditions; biometric and genetic information; records of accidents, incidents, and injuries; consultation and treatment notes and records relating to compensation and rehabilitation; and
- images, audio and video of you;
When will your personal information be used or disclosed?
- We will only use your Personal Information in accordance with the terms of the research activity as set out within the Privacy Notice that we provide to you.
- We may share your Personal Information with external organisations involved in the research activity as set out in the Privacy Notice.
We maintain relationships with alumni and donors and with other interested parties, including the local community, businesses, industry members and professional organisations concerned with or supporting the core education and research functions of the University.
As part of maintaining these relationships, we may collect Personal Information about prospective, current or former donors or scholarship providers; alumni and their friends and family; members of “Friends of Griffith” groups; and subscribers to the Griffith Review.
What personal information do we collect?
The personal information we collect about you may include:
- identification information such as your name, date of birth, staff and student numbers (if applicable), citizenship and residency information, and other similar identification documentation;
- contact information such as your address, email address, telephone number(s), and emergency contact details;
- sensitive information including racial or ethnic origin; political or religious affiliations; and sexual orientation or practices.
- financial information such as bank account details; Tax File Number (TFN), and superannuation information;
- information in connection with services provided to you (such as library or systems usage); and
- images, audio and video of you.
When will your personal information be used or disclosed?
This information may be used:
- to inform you of University courses/events;
- to provide alumnus services and benefits;
- to inform you of opportunities to engage with and support the University;
- for quality assurance and evaluation purposes to help ensure that services and systems are of high quality and fit for purpose; and
- as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
To whom will your personal information be disclosed?
The University may disclose your personal information to third parties, including:
- service providers engaged by the University, including events management providers and fund-raising service providers;
- your emergency contacts, in an emergency situation;
- medical bodies, in an emergency situation;
- other University staff and officers where required;
- other third-party vendors who assist the University with the provision of services to you;
- law enforcement agencies when required;
- advisors engaged by the University, including accountants, lawyers and other professional services advisors; and
- as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
I am accessing health services
This section covers persons whose information is collected through the University’s Health and Medical Centre and Counselling services.
The University provides a range of medical and allied health services to students, staff and the community. A list of the health services for students can be found on the student support page, and for staff and the wider community can be found on the health clinics page.
As part of these services, we collect, store and use personal information, including health information, with your consent and in accordance with any Collection Notices or other, more detailed consents you provide to our health services.
What personal information do we collect?
The personal information we collect about you may include:
- name, address and contact information of the individual, their dependents and other family members, of emergency contacts, and of health professionals who are currently or have previously provided treatment;
- health information including medical history; family medical history, information about disabilities or health conditions; biometric and genetic information; Medicare and health insurance details;
- records such as patient records including assessments and treatments; medical records, including medications, and any current or past medical conditions; consultations and treatments given and correspondence relating to you;
- x-rays, video/audio/digital recordings and images;
- financial information such as bank account details;
- sensitive information including racial or ethnic origin and sexual orientation or practices.
When will your personal information be used or disclosed?
This information may be used:
- to provide you with our medical services and treatments to improve your health and wellbeing including by the Health and Medical Services and Counselling and Wellbeing Services; and
- to contribute to the University’s teaching, research and development activities in relevant fields to improve our healthcare practices;
- to provide you with health and service-related information, such as news regarding vaccine drives;
- for quality assurance and evaluation purposes to help ensure that our courses, programs, and services are of high quality and fit for purpose; and
- as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
To whom will your personal information be disclosed?
The University may disclose your personal information to third parties, including:
- government agencies and regulatory bodies that request or require your information including Department of Health Queensland; Department of Health and Aged Care; Department of Home Affairs; the Australian Tax Office; AHPRA, the Office of the Queensland Health Ombudsman; Department of Social Services; and other regulatory agencies and bodies;
- Medicare;
- other health professionals, such as specialists, who are also involved in your medical treatment;
- banking and financial institutions;
- your emergency contacts, in an emergency situation;
- medical bodies, in an emergency situation;
- other third-party vendors who assist the University with the provision of services to you;
- other University staff and officers where required;
- law enforcement agencies when required;
- advisors engaged by the University, including accountants, lawyers and other professional services advisors; and
- other parties as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
Griffith health practitioners are also subject to applicable guidelines from regulatory bodies such as the AHPRA and Australian Psychological Society when determining what information can be disclosed to which entities or individuals and under what circumstances those disclosures may occur.
I am accessing the University's Child Care Services
I am accessing the University’s Child Care Services. This section covers any persons whose Personal Information is likely to be collected by the University for the primary purposes of providing early childhood education and care services at the Griffith University Early Childhood Education Centres. The University collects personal information of parents/guardians/carers (“carers”), children and stakeholders.
What personal information do we collect?
The personal information we collect includes:
- identification information of the individual such as name, date and place of birth, gender, birth certificate, passport and driver’s licence details and other similar identification documentation;
- contact information such as address, email address, telephone number(s), and emergency contact details;
- Centrelink Customer Reference Number;
- citizenship and residency information;
- sensitive information including racial or ethnic origin; cultural or religious requirements and languages spoken;
- health information including medical history; medications required; immunisation history; information about disabilities or health conditions; information about additional needs; Medicare and health insurance details; doctor’s details;
- custody arrangements or parenting orders;
- dietary requirements;
- CCTV footage for security and safety (on Griffith premises).
- photographs and videos of children, samples of children’s work and general information about your child and your family that assists us in providing individualised early learning and care to children.
When will your personal information be used or disclosed?
This information may be used to:
- provide you with our early childhood education and care services and advocating for the well-being, protection and development of children;
- contribute to the University’s teaching, research and development activities in relevant fields to improve our early childhood education and care services practices;
- meet our legal and contractual obligations;
- for quality assurance and evaluation purposes to help ensure that our programs, and services are of high quality and fit for purpose; and
- as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
To whom will your personal information be disclosed?
The University may disclose your personal information to the following third parties:
- government agencies and regulatory bodies that request or require your information including the Department of Education, the Queensland Early Childhood Regulatory Authority, Department of Health Queensland; Medicare; Centrelink; the Department of Social Services and other regulatory agencies and bodies;
- child protection agencies or family support agencies when we reasonably believe that a child is at risk of significant harm;
- banking and financial institutions;
- your emergency contacts, in an emergency situation;
- medical bodies, in an emergency situation;
- other third-party vendors who assist the University with the provision of services to you;
- other University staff and officers where required;
- law enforcement agencies when required;
- advisors engaged by the University, including accountants, lawyers and other professional services advisors; and
- other parties as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
I am a visitor, community member, or university services recipient
This section covers any persons that fall outside the above categories whose Personal Information is likely to be collected by the University, such as other participants in outreach or marketing campaigns or attendees at University events. These types of persons include:
- visitors to the University campus (e.g. for Open Days, Orientation days, graduation ceremonies, sport, or public lectures);
- digital visitors to the University website or digital systems;
- attendees at University events that are held on and off-campus;
- community members of the Library and Griffith Archive;
- industry contacts who engage with staff or students through University programs, initiatives or projects;
- individuals providing services to the University, but who are not employees or contractors; and
- individuals who receive services from the University.
Personal information that we collect
- We may collect your name, contact details and identification documents, so that we can contact you and identify you. This information may include your:
- We may collect personal information related to your usage activity if you are on Griffith internet, networks, devices, or applications. See the “How Do We Manage Your Personal Information” section above for more information.
- name;
- address;
- email address;
- telephone number;
- date of birth;
- passport, driver’s licence details, other identification documentation;
- images, audio and video of you;
- emergency contact details;
- CCTV footage for security and safety (on Griffith premises).
- We may collect personal information related to your usage activity if you are on Griffith internet, networks, devices, or applications. See the “How Do We Manage Your Personal Information” section above for more information.
When will your personal information be used or disclosed?
- We may contact to provide you with direct marketing materials such as Griffith news and events and invitations to participate in community initiatives.
- We may use and your personal information for the provision of the Griffith activity or service you are participating in (such as providing the names of event attendees to the venue hosting an activity they registered for);
- We may use your personal information for quality assurance and evaluation purposes to help ensure that our courses, programs, events and services are of high quality and fit for purpose;
- We may use your personal information to provide for the security and optimisation of the services we provide to you;
- The University may disclose your personal information to the following entities:
- third-party vendors who assist the University with the provision of services to you;
- your emergency contacts, in an emergency situation;
- medical bodies, in an emergency situation;
- other University staff and officers where required;
- law enforcement agencies when required;
- advisors engaged by the University, including accountants, lawyers and other professional services advisors;
- as authorised by law, otherwise permitted by the IP Act, or as authorised by you.
I am from the European Economic Area (EEA)
If you are an individual based in the EEA, we collect and process Personal Information about you only where we have a legal basis for doing so under the General Data Protection Regulation (GDPR).
- This means we collect and use your Personal Information only where it:
- is necessary for the delivery of education and research services; or
- satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development; or
- is necessary to comply with a legal obligation; or
- with your consent.
- The GDPR applies to the University’s collection, use and disclosure of Personal Information from persons based in the EEA.
- This includes:
- programs to attract European students to the University; and
- research conducted with EEA participants and interactions with alumni and donors in the EEA.
- We also appreciate that our European partners will often want to impose GDPR compliant clauses in the agreements we reach with them, to enable them to meet the GDPR requirements.
- When students or staff from the EEA relocate to Australia, the information we collect during the course of their employment or study in Australia is governed by the IP Act and other relevant Australian law.
The IP Act takes the same principle-based approach to data protection as the GDPR. Accordingly, we already have many consistent practices with the GDPR and, when directing our activities toward EEA residents, we enter into appropriate contractual obligations to ensure the protection of your date when it is transferred to Griffith by our service providers.
To make a rights request under the GDPR, contact our Privacy Officer using the information in the "Privacy Contacts” section.
How Do We Manage Your Personal Information?
The University will only collect, use and disclose your Personal Information for a lawful purpose related to a function or activity of the University or as otherwise legally authorised under the privacy regulatory framework.
- Personal Information is information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual or an individual who is reasonably identifiable from the information or opinion.
- Typical examples of Personal Information that we collect include:
- name and contact information, such as addresses, email addresses, phone number, and dates of birth;
- identification information, such as passport and licence details;
- financial information, such as payment and bank details, Tax File Number (TFN) and superannuation information;
- academic records, such as assessment results, lecturer feedback, and transcript information;
- medical information including medical records, records of accidents/incidents/injuries, Medicare information, consultation and treatment notes, and records relating to compensation and rehabilitation, work and functional capacity;
- employee information such as employment records, leave applications, personal development and training information, misconduct and disciplinary information;
- audio, photo, and audiovisual recordings of events and activities, such as lectures, campus security footage, and event photography; and
- usage, audit, logging and security monitoring information from Griffith wired or Wi-Fi networks, apps, and other online or digital services.
- This Statement sets out the particular Personal Information that is generally collected for the different categories of individuals who interact with the University.
- We may sometimes also collect and deal with specific types of Personal Information, including Sensitive Information and Health Information, under the privacy regulatory framework.
- Sensitive Information may relate to your:
- racial or ethnic origin;
- political opinions or associations;
- religious or philosophical beliefs or affiliations;
- professional or trade association or union membership;
- sexual orientation or practices;
- criminal record;
- health information; and
- genetic information that is not health information;
- or biometric information that is to be used for the purpose of automated biometric verification or identification (or biometric templates).
- Health Information may include information or an opinion about your:
- health, including an illness, disability or injury;
- health services provided, to be provided, or your wishes about the future provision of health services;
- donation of body parts, organs or body substances; and
- genetic or biometric information.
- We will only collect, use and disclose Sensitive and Health information as authorised under the privacy regulatory framework.
- In relation to Health Information collected through the University Health and Medical Services, please also refer to the “I am accessing Health Services” notice below and the consent forms provided to you by the health service.
How will my personal information be collected?
We will only collect your Personal Information, as authorised under the privacy regulatory framework, where it is reasonably necessary for or directly related to one or more of the University’s functions or activities, such as teaching, research, community services and engagement activities.
- We collect your Personal Information in a variety of ways, including:
- if you provide it to us in writing, via the telephone, or in person;
- through our website, digital systems or assets, or related social media (some of which is collected automatically via usage, audit, and security logging and cookies);
- through your in-person attendance on campus;
- through your interactions with University programs, systems or surveys;
- through third parties, such as other educational institutions that you have been involved with, various government agencies or event collaborators; and
- from public sources of information, where available.
- When we collect Personal Information directly from you, a Collection Notice may be provided which will set out:
- the purposes for collecting the information;
- any authorising law or court order that requires the collection; and
- if applicable, the details of any third party to whom your Personal Information is intended to be provided.
- What personal information do we collect, use and disclose
- There are also Collection Notices included in this Privacy Statement. Refer to the options below "What personal information do we collect, use and disclose?" to identify the Collection Notice(s) related to your dealings with the University.
How will my personal information be used and disclosed?
- The University will only use and disclose your Personal Information as authorised under the privacy regulatory framework.
- The University “uses” your Personal Information if it:
- manipulates, searches or otherwise deals with the information;
- takes your information into account in the making of a decision; or
- transfers your information from one department of the University that has particular functions to another department of the University that has different functions.
- The University will only use your Personal Information for the purpose that it was collected (or a related purpose) unless you expressly or impliedly agree to the use of the information for another purpose, or the use is otherwise permitted under the IP Act.
- Your personal information may be used for direct marketing in which Griffith reaches out to you with newsletters, invitations, and related materials;
- Your Personal Information may be used to optimise the security, reliability, and functionality of Griffith apps or services, such as through its use for testing of the apps or services;
- The University may use advanced processing methods, such as artificial intelligence, in the collection and use of personal information as part of office activities (such as the summation of meetings) and in accordance with Australia’s Ethical AI Framework.
- “Disclosure” of your Personal Information by the University to a third party occurs where:
- the third party does not already know the Personal Information, and is not in a position to be able to find it out;
- the University gives the third party your Personal Information, or places it in a position to be able to find it out; and
- the University ceases to have control over the third party in relation to who will know the Personal Information in the future.
- We will not disclose your Personal Information unless it is authorised under the statutory framework, such as where:
- you have consented to disclosure (whether express or implied);
- you are reasonably likely to have been aware that it is the University’s usual practice to disclose that type of Personal Information to a relevant entity;
- disclosure is compelled or authorised by law (for example, a court order or subpoena, or a statutory obligation to disclose);
- disclosure is necessary to lessen or prevent a serious threat to a person’s life, health, safety, or welfare, or to public health, safety or welfare; or
- where disclosure is necessary for investigation or enforcement of criminal matters or other law enforcement matters.
We do not sell, trade, or rent your personal information to third parties for marketing purposes. If we contact you for direct marketing purposes, we will also offer the option for you to unsubscribe from the marketing materials.
How is my Personal Information stored and secured? For how long?
The University takes steps to protect your Personal Information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. We use physical, administrative, and technical measures in accordance with our Information Security Policy to safeguard your Personal Information as follows:
- Personal Information held by us is often stored in our digital systems (hosted on and off-site), including student management information systems, HR management systems, Customer and Relationship Management (CRM) systems, finance systems, library systems and records management systems;
- The University implements a range of measures and controls to ensure that your Personal Information is kept secure including swipe card access, system access controls, file level security, multifactor digital authentication, and endpoint detection;
- Personal Information will be retained as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal, contractual, accounting, or reporting requirements;
- Personal Information is retained and disposed of according to the provisions of the relevant records disposal authority approved by the Queensland State Archives and the University Sector Retention and Disposal Schedule under the Public Records Act 2023.
Will my Personal Information be transferred overseas?
In certain circumstances, the University may transfer your Personal Information outside of Australia (for example when the information is stored in the cloud by an overseas provider or if the University needs to send enrolment information to a partner University regarding an international exchange student).
- Before your information is disclosed to an overseas recipient, the University will take all reasonable steps to ensure that any overseas recipient will deal with Personal Information in a way that complies with the privacy regulatory framework.
- Given the wide-ranging activities of the University, it is not practical to list every circumstance or country where Personal Information may be transferred overseas. However, we note that:
- The University uses a number of cloud-based service systems which require backup/emergency services to be undertaken overseas;
- As part of our international programs, Personal Information may be sent to partner Universities or other organisations where students undertake international Work Integrated Learning. We may also send information to international recipients as part of our recruitment, alumni and advancement services engaged with individuals who are overseas.
- We may send information overseas in order to obtain or maintain accreditations and meet other regulatory and compliance requirements.
We refer specifically to disclosures of Personal Information of persons in the EEA under the GDPR in the section titled “I am in the European Economic Area”.
Use of cookies
- We use cookies (digital tracking and analytics tools) on the University website, digital systems, call centres and email.
- Cookies and local storage:
- are small strings of text that a website may place on your computer or device to store information;
- allow a website to access and use this stored information at a later time; and
- store visitor's information, such as their IP address.
- examples of information collected by cookies includes:
- the number of visitors to the website;
- how visitors arrive at the website (for example, did they type in the address directly, follow a link from another webpage or ad, or arrive via a search engine?);
- the number of times each page is viewed and for how long;
- time and date of visit;
- geographical location of the visitor;
- information about what browser and operating system were used to view the website;
- information about whether the browser supports certain applications, such as Java and Flash; and
- the speed of the user’s internet connection.
- The University website and digital systems use cookies for:
- identifying unique visitors to the site - users are allocated a visitor number associated with their IP address which is held in a cookie on that computer or device;
- validating staff and/or students’ identity when they attempt to access a restricted part of the University website - a cookie is created in that computer or device's memory to improve the user experience for subsequent times the user goes to access a restricted part of the website, such as student mail. The cookie contains the following information:
- internal unique ID generated by the University; and
- full name and email alias;
- personalisation of your experience in our digital systems;
- security, control, and optimisation of the website; and
- marketing communication purposes with Google, LinkedIn, Facebook and other third-party vendors - cookies allow the University to reach people who have previously visited our website so that we can provide tailored messages based on their University website interaction.
- The information generated by cookies about your use of the website may be transmitted to and stored by servers located outside of Australia.
- Visitors can choose to accept or opt out of cookies in general by adjusting their browser settings. It’s important to note that occasionally, opting out of cookies can result in the loss of some website functionality.
- for example, you may not be able to access a secure site such as the Griffith Portal;
- it may also mean that you are prompted to verify your identity several times during a session on the University website or digital systems.
Third-party analytics
- We use Google Analytics, LinkedIn analytics, Facebook analytics and other third-parties to gather statistics about how the website and email correspondence is accessed and used;
- Some of these analytic tools utilise cookies to gather information for statistical reporting; and
- We do not intentionally record or provide Personal Information to Google Analytics and third-parties except on occasions where identifiers (such as your name or Student Number) are dynamically included in the website's page title.
For further information please refer to the University's Information Security Policy or contact the IT Service Centre.
Exercising your Rights
How do I access and amend my personal information?
- You have the right to request access to the Personal Information that we hold about you and to request an amendment to your Personal Information if you believe the information is inaccurate, incomplete, out-of-date, or misleading. To obtain access to or amendment of your information, you can submit an administrative or formal request:
- Administrative requests are the simplest means to access or update your information. See the Administrative Access Request section of Griffith’s Right to Information and Information Privacy webpage for more information about the various ways administrative requests can be made.
- A formal request for access to or amendment of your personal information should be directed to the University’s Privacy Officer (contact details below). The Personal Information Requests section of Griffith’s Right to Information and Information Privacy page provides detailed guidance on how to submit a formal privacy request.
- Staff members can submit formal access or amendment requests via Service Now.
- The Privacy Officer may respond with additional instructions to ensure your request is compliant with the applicable law or to assist in our ability to respond.
- We may refuse your request if:
- the University is authorised or required under an access law to refuse to give the access; or
- the document is expressly excluded from the operation of an access law.
- If a formal request for your Personal Information is denied by the University, you can request an internal review, or seek external review by the Office of the Information Commissioner (OIC). See “Privacy Contacts” below for information on how to contact them. The Right to Information and Information Privacy site provides additional information on disputing or appealing a decision.
- You may have additional rights regarding your Personal Information if your information is subject to other privacy laws. Individuals in the European Economic Area should refer to the “I am from the European Economic Area” section below. If you believe another jurisdiction’s laws may apply, you can submit your query to the Privacy Officer using the contact details below.
How do I make a privacy complaint?
We take privacy complaints seriously.
- If you believe your Personal Information has not been dealt with in accordance with the University Privacy Statement or relevant laws, you may make a complaint in writing to the University’s Privacy Officer. Staff can submit written complaints via Service Now.
- The Privacy Officer may respond requesting additional information needed to respond to your complaint.
- If you do not agree with the decision of the Privacy Officer, you can request an internal review.
- You can also refer your complaint for independent mediation by the Office of the Information Commissioner without requesting an internal review if at least 45 business days have passed since the complaint was made to the Privacy Officer.
- See “Privacy Contacts” below for information on how to contact the Privacy Officer and Office of the Information Commissioner.
Can I stay anonymous or use a pseudonym?
Individuals are allowed to deal with public agencies anonymously (or with a pseudonym) unless it is impracticable to do so or where we are required by a law or court order to only deal with identified individuals. If you are a student or staff member, it is generally not possible for us to give you the option of anonymity or of using a pseudonym when dealing with us. The nature of our dealings with you and the Personal Information that Griffith collects in order to properly carry out its functions will ordinarily require that it not be anonymous.
However, in limited circumstances it may be possible for a person to remain anonymous when making an enquiry or complaint with the University, for example, if you are a whistleblower under the Public Interest Disclosure Policy.
The University will only collect, use and disclose your Personal Information for a lawful purpose related to a function or activity of the University or as otherwise legally authorised under the privacy regulatory framework.
Key Privacy Legislation
The University has legal obligations to protect the personal information it collects from students, staff and members of the public. These obligations arise principally from the Information Privacy Act 2009 ( Qld ) which establishes safeguards for how Queensland public sector agencies must deal with an individual’s Personal Information. There are also instances where personal information may be covered by the Commonwealth Privacy Act 1988 (Cth).
Where individuals are based in other countries, such as the European Union or the Republic of China, they may also be covered by the privacy laws of those jurisdictions such as the EUGeneral Data Protection Regulation or the China Personal Information Protection Law if their personal information is collected overseas.
Privacy Contacts
Griffith University Privacy Officer
Telephone: + 61 (07) 3735 5586
Email: privacyofficer@griffith.edu.au
Postal Address:
Legal Services, Privacy
170 Kessels Rd Nathan QLD 4111
Queensland Information Commissioner
Telephone: + 61 (07) 3234 7373 or 1800 642 753
Email: enquiries@oic.qld.gov.au
Postal Address:
Office of the Information Commissioner
PO Box 10143
Adelaide Street Brisbane QLD 4000
Australian Information Commissioner
Telephone: 1300 363 992
Email: foi@oaic.gov.au
Postal Address:
Office of the Australian Information Commissioner
GPO Box 5288
Sydney NSW 2001
Last Updated: 2 May 2024