Personal information is defined as “Information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion”.
The University is required by the Privacy and Personal Information Protection Act 1998 (PPIP Act) and by the Health Records and Information Privacy Act 2002 (HRIP Act) to ensure that personal information is kept no longer than necessary and disposed of appropriately.
The risks associated with the unnecessary retention of personal information include reputational damage to the University and the possibility of penalties under the Legislation.
Personal information must always be stored securely and destroyed as soon as allowable.
The UNSW Data Classification Standard provides guidance on assessing and handling personal information.
Proof of Identity Records
Where it is necessary to validate the identity of an individual by sighting proof of identity records such as driver’s licences, passports or Medicare cards, there is frequently no need to retain a copy of these documents. Retaining these records within University systems introduces a significant and unnecessary security risk.
It is instead recommended to:
- return (or delete) the proof of identity documents without copying them, and capture a record in the appropriate system that the identity validation process has been completed.
- if you need to copy them for an essential business purpose or statutory requirement, ensure there is a process in place to dispose of the copies as soon as this purpose or requirement ceases.
Creating a record that the documents were sighted fulfills the requirements of the State Records Act in accordance with the retention and disposal authorities.