Skip to main content

Privacy at the University

How we manage your personal information
Read about our privacy policy and the laws that inform it, the personal information collected by the University and how to submit a privacy complaint.

The University's primary privacy obligations are set out in the Privacy and Personal Information Protection Act 1998 (NSW) and the Health Records and Information Privacy Act 2002 (NSW)

Our Privacy Policy 2017 (pdf, 365KB) – incorporating the privacy management plan – sets out the privacy responsibilities of the University, and its staff and students. Our Privacy Procedures 2018 (pdf, 291KB) describes how the University discloses personal information and how we will manage a notifiable breach of personal information held by the University.

The University does not have any public registers as defined under "Part 6" of the Privacy and Personal Information Protection Act 1998.

There are exemptions to the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002, which may apply to the University, in particular, those relating to research. In addition, the operation of the NSW privacy laws can be modified by other laws.

The University runs a number of clinics and services, some of which may allow you to transact anonymously with them. You will need to ask the clinic or service provider about their practice regarding anonymity. These clinics and services may also include health information in a health records linkage system. You will need to ask the clinic or service provided about their practice regarding such systems.

Under the Privacy and Personal Information Act 1998 and the Health Records and Information Privacy Act 2002, there are various offences relating to personal and health information, for example:

  • the corrupt disclosure and use of personal or health information by public sector officials
  • intimidation, threats or misrepresentation by public sector officials
  • the supply of personal information that has been disclosed unlawfully
  • making a false statement to the Privacy Commissioner.

For more information, please email

We collect and retain personal and health information in the course of undertaking our functions. The object and functions of the University are prescribed in Section 6 of the University of Sydney Act 1989 (NSW).

Examples of the personal and health information that we collect include:

  • teaching – information relating to student admission and academic progression, including learning and assessment, special consideration, misconduct and graduation
  • research – records of human and animal ethics applications and approvals, and grant administration
  • administration and support –  staff records, ICT records such as email systems, images recorded on University CCTV cameras
  • community engagement – alumni and donor records, researchers and borrowers in University libraries, museums and archives, patrons and performers for public events.

More detail about the personal information collected by the University can be found on the privacy collection statements for our websitesour students, our staff (pdf, 265kb)CCTV system (pdf, 194KB),  Clinical recording and observation system (CROS) (pdf 126KB) and our multi-factor authentication (MFA) processes (pdf, 90.6KB).

You have the right to complain if you think the University has breached your privacy in the way it has handled your personal information. Complaints, also known as applications for internal review, should be made in writing within six months from when you first become aware of the breach.

You can use the privacy complaint form (pdf, 109KB) to make your complaint.

Email your complaint to or post to:

Privacy and Right to Information
Archives and Records Management Services
The Quadrangle (A14)
Camperdown Campus
University of Sydney
NSW 2006

We will advise the NSW Privacy Commissioner of your name and the details of your complaint and keep the Commissioner up to date with the progress of the internal review.  

Privacy complaints are considered by the University's Group Secretary. They will advise you of the results of the internal review and any action that we propose to take in respect of the complaint.

The Group Secretary must also report the findings and any proposed actions to the NSW Privacy Commissioner within 60 days of the date of receipt of the privacy complaint.

Review of the University's decision by NCAT  

If you are dissatisfied with the way the University has dealt with your complaint or are disappointed with our findings, you can ask the NSW Civil and Administrative Tribunal (NCAT) to review the conduct.

Complaint to the Privacy Commissioner

Whether or not you apply for an internal review, you can also make a complaint to the Privacy Commissioner about an alleged breach of your privacy.