1. The purpose of our policy
Adelaide University respects the privacy of individuals, and we are committed to protecting the personal information that we collect.
This policy sets out the principles applying to our collection, use, storage and disclosure of personal information, and our approach to relevant privacy laws.
It also provides the authority to maintain our Privacy Management Procedure.
2. Who our policy applies to
Our policy applies to Council members and to our employees, contractors, volunteers, titleholders, students, visitors and agents. It applies to the collection, use, disclosure and management of personal information handled or processed by Adelaide University.
3. Our privacy principles
Although Adelaide University is not subject to the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) (Privacy Act) for all its activities, many of our operations are Commonwealth-funded and therefore must comply with the APPs. To ensure consistency and avoid dual systems, Adelaide University has adopted practices that are consistent with the APPs across all its operations.
Adelaide University is also committed to complying with the requirements of applicable privacy laws in other jurisdictions, including the European Union General Data Protection Regulation (GDPR), regarding individuals located in the European Union (including the European Economic Area).
Our policy principles include the following:
3.1 We collect personal information only when it is necessary for us to conduct our business activities
We collect personal information in several ways, including:
- from individual's directly, including from correspondence and submitted forms (e.g. via online portals) as part of an individual's enrolment, registration, or subscription process, and in the course of undertaking research, providing services, or administration of our activities
- From individual’s directly, including personal information relating to employment
- from automatic processes that we have in place, including monitoring and logging of metadata from the use of the IT and online services and facilities we provide, and from CCTV cameras on our premises, and
- from third parties we collaborate with.
See Appendix 1 for the types of personal information we collect and how we use it.
3.2 We collect sensitive information only where permitted by law or with consent
We only collect sensitive information with the individual's consent, if required or authorised by Australian law or court/tribunal order, or where collection is permitted under the Privacy Act.
We collect sensitive information in undertaking some of our activities, including undertaking research, providing services, and in relation to student visa applications and requirements.
3.3 We store and manage personal information securely and responsibly
We may hold personal information in hardcopy or electronic format stored on our computing equipment or on third party servers. We take reasonable steps to:
- ensure personal information we collect is accurate, up-to-date, complete, and relevant
- ensure personal information we use or disclose is accurate, up-to-date, complete, and relevant (having regard to the purpose of our use or disclosure)
- protect personal information in our possession from misuse, interference, loss, and unauthorised access, modification, or disclosure, and
- destroy or de-identify personal information we no longer need, unless we are required or authorised to retain the information under an applicable law or court order, or regulatory or contractual requirement.
We have in place measures to protect personal information in our possession from misuse, interference, loss, and unauthorised access, modification or disclosure.
Where it is lawful and not impracticable, we allow individuals to interact with us anonymously or to use a pseudonym when dealing with us.
3.4 We use personal information only for legitimate and lawful purposes
We will only use or disclose personal information for the primary purpose it was collected, or a reasonably expected and related secondary purpose, where we have the individual's consent, or where use is otherwise permitted or required by law.
See Appendix 1 for the purpose for which different types of personal information are collected.
We may disclose personal information to the following types of third parties:
- Government departments and agencies, to satisfy our reporting requirements.
- Our controlled entities, if such personal information is required by the controlled entity to provide services to us or undertake activities for us.
- Our foundation universities, in connection with their transition to us.
- External service providers, if the personal information is required for the service provider to provide services to us or on our behalf.
- Collaborating parties, if the personal information is required for the collaborative activity to be undertaken.
- Regulators and law enforcement bodies, for the purpose of conducting investigations and enforcement-related activities.
- Third parties impacted by investigations into student misconduct complaints such as student accommodation providers, clubs, societies or placement providers.
- Third parties impacted by investigations into research integrity complaints, such as research publishers, funding bodies, and affiliated organisations, and as required or authorised by Australian law or court/tribunal order.
Some third parties to whom we disclose personal information may be located outside of Australia (including in the countries listed in Appendix 2). If we disclose personal information to an overseas recipient and the disclosure is not expressly permitted under the APPs, we will ensure compliance with APP 8 by:
- entering into a contract with the overseas recipient that binds the overseas recipient to privacy obligations that are consistent with the APPs, including provisions for ongoing monitoring and enforcement of those obligations
- ensuring the overseas recipient is subject to a law or binding scheme that has the effect of protecting the personal information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information, and that individuals have accessible means to enforce those protections, or
- obtaining the individual’s express consent to the disclosure of their personal information to the overseas recipient.
We will not use personal information for the purpose of direct marketing unless it is contemplated under this policy, or we have the individual’s consent, or it is otherwise permitted by the Privacy Act. We may collect and use personal information (other than sensitive information) provided by an individual, or which is accessed through our website, including by using tools such as cookies and pixels, for direct marketing. We will ensure any direct marketing communications contain a simple means by which individuals may easily opt out of receiving them in the future.
3.5 We provide individuals with access to their personal information wherever possible
We will provide individuals with access to their personal information on request in accordance with this policy, unless we have a legitimate reason to refuse the request (for example, if there is a legal basis to refuse). In some cases, we may request that an individual submits an application to access the information under the Freedom of Information Act 1991 (SA).
3.6 We take reasonable steps to correct and update personal information
We encourage staff, students and alumni to use self-serve systems provided by the University to update their personal information. Individuals may also submit requests to Adelaide University to correct or update personal information about them held by the university by contacting the area of Adelaide University to which the individual provided their personal information, or to our Privacy Officer on the contact details set out in 3.9 below.
We will respond to a request for correction or update within a reasonable period and will not impose any charges for the request. If we refuse to make the requested correction or update, we will provide the requestor with a written notice setting out our reasons for refusal. Individuals may apply in writing for a review (see 3.9 below for contact details) if they are dissatisfied with our refusal decision.
3.7 We protect the rights of individuals whose personal information is subject to the GDPR
Where we handle personal information from individuals located in the European Union, that information is managed in accordance with the GDPR. For the purposes of the GDPR, the University’s Data Protection Officer is the Director, Governance Services (Privacy Officer).
Refer to our Privacy Management Procedure for further details.
3.8 We respond to privacy breaches and complaints promptly and transparently
Individuals may contact us in writing (see 3.9 below for contact details) if they believe their personal information has not been managed by us in accordance with this policy. We aim to process complaints in a reasonable time (usually within 30 days from the date the complaint was received) and will inform the individual in writing of our decision. Individuals may escalate their complaint to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au if they are not satisfied with our response.
Staff who become aware of any actual or suspected loss or unauthorised access, use, modification, disclosure or other misuse of personal information (“data breach”) must follow the data breach procedures contained in the [Information Breach Procedure]. Adelaide University will comply with mandatory data breach notification requirements.
3.9 We provide clear ways for individuals to contact us about their personal information
Individuals may contact us in relation to their personal information, including to exercise their rights under this policy or under an applicable law or to ask a question about our collection, storage, use or disclosure of their personal information.
Our contact details are:
University Privacy Officer
Office of the Vice Chancellor
Adelaide University SA 5005
Email: privacy@adelaide.edu.au
4. Definitions used in our policy
Please refer to our Adelaide University glossary for a full list of our definitions.
Controlled entity means a person, group of persons or body corporate over which we have control.
Foundation Universities means the University of South Australia and The University of Adelaide.
Personal Information is any information (including an opinion) about an identified or identifiable person.
Sensitive Information is Personal Information that is considered particularly sensitive or special and therefore needs additional protection. This includes information about racial or ethnic origin, political opinions, religious or philosophical beliefs or affiliations, trade-union membership, health, or medical conditions, genetic or biometric information, sexual orientation, or criminal convictions and offences.
5. How our policy is governed
This policy is categorised, approved and owned in line with the governance structure of Adelaide University and the offices and officers listed below.
| Policy category | Council |
|---|---|
| Approving authority | Transition Council / Council |
| Policy owner | Director, Governance Services |
| Responsible officer | Director, Governance Services |
| Effective from | 1 January 2026 |
| Review date | [3/4/5 years after date this version is approved, TBC] |
| Enquiries | Interim Central Policy Unit/[Central Policy Unit] staff.policy.enquiries@adelaideuni.edu.au |
| Replaced documents | None |
6. Legislation and other documents related to our policy
Refer to the Delegation Policy for all delegations at Adelaide University.
| Category | Documents |
|---|---|
| Associated procedures | Privacy Management Procedure [Information Breach Procedure] |
| Referenced legislation | |
| Related legislation |
Higher Education Support Act 2003 (Cth) Privacy (Tax File Number) Rule 2015 (Cth) |
| External references | HESF Domain 7 – Representation, Information and Information Management |
7. History of changes
| Date approved | To section/clauses | Description of change |
|---|---|---|
| 1 May 2024 | N/A | New policy |
| 19 December 2025 | 3.3 (overseas recipients) 3.7 (breaches and complaints) | Update to new policy template, expanded on conditions of overseas disclosure specifically relating to informed and voluntary consent, added escalation of complaints to OAIC information as well as notifiable data breaches scheme. Updated contact details of Privacy Officer. Other minor editorial changes to reflect new policy template. |
At the time of writing, Adelaide University’s organisational structure, position titles, and committee names have not been confirmed. Square brackets [ ] indicate placeholders for these details. Brackets are also used to identify policy elements that are subject to further decision-making or confirmation. These will be updated once final decisions are made.