PII and sharing confidential information
To ensure information held by UQ is not misused, it must only be shared with those who are authorised to access it.
To operate and deliver services to staff, students and the community, UQ collects and manages information. Although our IT systems protect this information, UQ staff and students play a key role in ensuring confidential information is kept safe.
What is Personally Identifiable Information?
Personally Identifiable Information (PII) is any information that can be used to identify a person. Examples of PII include:
- student numbers or staff IDs
- dates of birth
- medical records.
If shared with an unauthorised person, this information can be used to commit identity theft and access resources and credit under another person's name.
UQ holds PII of staff, students, alumni and members of the wider UQ community. When dealing with PII and other confidential information, it’s important to make sure it is only shared with those who are authorised to access it.
Handling requests for information
Before sharing any confidential information, ask yourself:
- Could exposure of this information harm anyone or UQ?
- Who is requesting this information?
- Am I sure that they are who they claim to be?
- Are they authorised to receive this information?
- Who is responsible for the information being requested?
Make sure the person requesting information is authorised and has a genuine need for the information. If you're unsure whether the person is who they claim to be, confirm their identity using details held by UQ. If you have any doubts, check with your supervisor.
If you don’t have responsibility for the information being requested, forward the request to the appropriate person or organisational unit.
Unauthorised requests for information that is not publicly available should be forwarded to the Right to Information and Privacy Office. If you think the request may be a scam, report it.
Reporting information breaches
Many information breaches happen by accident. Common causes of breaches include:
- sending confidential information to the wrong person or sharing it without authorisation
- losing paperwork or storage devices
- not using the 'BCC' option to hide recipients' email addresses when sending bulk emails.
If you think you may have lost information or shared it accidentally, report the incident as soon as possible. The quicker information breaches are identified, the more likely it is that we can reduce the potential impact of the breach.