AUQA Policies

Policy 020:
Privacy of Information and Freedom of Information

1. Purpose

In 2001, the Privacy Act 1988 (Cwlth) was amended to include laws that regulate the collection and use of personal information by private sector organisations. The changes are outlined in the Privacy Amendment (Private Sector) Act 2000 (Cwlth). The amendments include the ten National Privacy Principles which are as follows: collection, use and disclosure, data quality, data security, openness, access and correction, identifiers, anonymity, trans-border data flows and sensitive information. Each principle details the obligations of those collecting, retaining and using personal information.

Personal information is defined as information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

By virtue of its establishment, nature and structure, AUQA is not subject to any privacy legislation. However, in its operations, AUQA acts within the spirit of the legislation. The function of AUQA is to assist the self-accrediting institutions in the review and enhancement of their academic quality; and to assist the accrediting agencies in the performance of their legal obligations. All AUQA’s information-gathering (from the institutions or elsewhere) and its discussions (with staff of institutions and agencies, students and others) are directed to this end.

2. Policy

Access to information
In order that an audit panel may carry out an effective audit, it needs access to a great deal of material about the auditee. Some of this, such as personal or commercial information, may be quite sensitive. Auditees are expected to write the core document of the Performance Portfolio as a public document and post it on the auditee’s website for at least 12 months after the audit report is published. The core document refers to other documents that are or can be made available to the audit panel, and some of these may be flagged as confidential, to be seen by the panel only. Furthermore, there may be parts of such documents that the auditee would prefer (or is required by its own confidentiality constraints) not to show even to the audit panel. In such circumstances, the audit panel negotiates with the auditee an appropriate means for the panel to obtain the information it needs, while respecting the auditee’s requirements.

Handling of information
Audit panels keep the requests for personal or commercial information to the essential minimum, and treat as confidential any personal or commercially sensitive information provided by the auditee. Furthermore, AUQA panel members and observers ensure that any such information: is used only for the purpose for which it was obtained in conjunction with the audit process; is not disclosed to third parties; and is kept in ‘secure storage’ during the audit process.

Once the audit report has been published, panel members, any observer and AUQA have responsibilities for destroying, in a secure fashion, information related to the audit, as follows.

Panel members and observer
Panel members and any observer are instructed to destroy:

  • all notes (handwritten and electronic) they have made during or in connection with the audit
  • emails sent or received by panel members and any observer in connection with the substance of the audit
  • all Portfolio and supporting documents (except those documents that are obviously in the public domain, such as annual reports, handbooks or calendars, which may be kept provided they have no marginal annotations)
  • all documents downloaded from the auditee’s intranet (when access has been provided) and printed or saved electronically
  • any documents, such as the Portfolio and drafts of the audit report, in which panel members have made marginal notes, and
  • the transcript of the audit interviews (if this has been provided to panel members).

In summary, panel members and any observer may keep the core document of the Portfolio (provided it has no marginal comments written on it) and the final audit report, but little else.

In order to facilitate the deletion of emails, panel members and any observer are advised to keep all incoming and outgoing email messages relating to the audit in a single folder. Panel members and any observer who are unable to easily dispose of these materials in a secure fashion should discuss the matter with the AUQA staff member on the panel.

AUQA recognises that networked IT systems are set up to capture electronic communication and documentation and are backed up into a separate IT system and that this information is not readily deleted. However, in these environments, which are set up to meet regulatory and legislative requirements, the information is not readily accessible or searchable and poses little or no risk to AUQA business.

AUQA
AUQA retains the following materials:

  • Performance Portfolio (unmarked)*
  • complete set of supporting material
  • additional documents, in hardcopy or electronic format, whether requested, received, downloaded from the internet or from the auditee’s intranet or accessed through research (including ‘commercial-in-confidence’ documents)
  • audit budget and other material relating to the financial aspects and travel arrangements for the audit
  • final Issues Register and Additional Information request
  • final Audit Visit program and worksheets
  • transcript of the Audit Visit interviews
  • official correspondence with panel members excluding details relating to development of the audit report (but including panel members’ declaration forms)
  • survey forms and reports of accrediting agency stakeholders
  • report of the panel’s overseas visits (if applicable)
  • the definitive draft of the audit report (as sent to the auditee) and the auditee’s response
  • published audit report*
  • Board meeting minutes recording the Board’s approval of report release
  • correspondence, including email, with the auditee relating to the audit, and
  • summary and analysis of responses to surveys of auditee and auditors after the audit.

Items marked with an asterisk (*) are retained in AUQA’s archives indefinitely. Other items will eventually be disposed of according to the Retention and Disposal Schedule.

Any information that is kept by AUQA for any purpose is stored in a secure place or fashion, but documents in the public domain such as annual reports, calendars and handbooks may be retained in the AUQA Library.

AUQA securely destroys the following materials:

  • any documents with marginal annotations
  • other hand-written or electronically stored notes
  • in audits of agencies, the responses to the surveys of the agency’s providers and panel members
  • aside from official correspondence, any draft information relating to substantive aspects of the audit
  • aside from the definitive draft, any draft versions of the audit report
  • correspondence, including email, and any other documents, that contain panel members’ interim ideas or views in relation to the audit’s conclusions, and
  • responses to surveys of auditee and auditors after the audit.

Information dissemination
One function of AUQA is to disseminate information about good practice in quality assurance, and one way of doing this is through auditors describing instances of good practice that they have encountered in carrying out their audit work. Any such descriptions are, however, to be confined to general principles and non-sensitive information, so as not to breach the confidentiality referred to above. Auditors may not implement, in whole or in part, systems or processes that are substantially the same as ones they have observed during an audit, without first obtaining the permission of the auditee.

Personal information submitted to the AUQA website
Individuals provide personal information to the AUQA website for the following purposes: communication such as providing news of latest additions to our website to mailing list subscribers, statistical reporting of usage and system administration, including monitoring to prevent security breaches.

All information submitted to AUQA through mailing list subscriptions, workshop or forum registrations or other means is held confidentially. No personal information collected on the website will be disclosed to a third party except when authorised by the provider or by law. AUQA also takes all reasonable steps to protect personal information collected and held in our servers from unauthorised access or modification.

Approvals

This policy was originally approved on: 28 May 2002.
Revisions were approved on: 27 November 2003, 05 June 2006, and 01 March 2007.
This version was approved on: 29 November 2007.