THE University of Newcastle has been called out over an "egregious'' breach of privacy and the use of internal policies to avoid its legal obligations.
The NSW Civil and Administrative Tribunal (NCAT) has directed the university to pay out $22,500 to a student known as 'EJX', and formally apologise to her over the incident.
The payout includes $15,000 in aggravated damages for the "wholly avoidable exacerbation and aggravation" of the harm caused.
The case centred around the use of a university-created 'dedicated email' that the student was directed to use, including by Vice Chancellor Alex Zelinsky.
The student, who had previously made a sexual harassment claim against a member of staff, was threatened with disciplinary action and termination of her PhD candidature if she did not agree.
That was despite the fact that what she was being asked to do - using only the university-created dedicated email to communicate with staff - was contrary to her privacy rights and the university's legal obligations to her, the tribunal found.
NCAT Senior Member Alexander Christie said the university displayed a "flagrant and oppressive disregard" for its obligations, and the student's rights, under the Privacy and Personal Information Protection Act 1998 and the Health Records and Information Privacy Act 2002.
It ignored, dismissed, and was in contempt of her many complaints and requests for basic information, he said.
The university's approach and conduct in the administrative tribunal was also heavily criticised - for creating unnecessary delays, submitting 'deficient' documents, and a basic failure to address the evidence.
During proceedings, the university submitted that its own internal policies, such as its IT policies, gave it 'wide powers', including the power to establish a dedicated email for the student, using her student ID number.
The dedicated email address created for EJX was managed, accessed and operated by certain staff, employees, groups and 'units' within the university.
The student herself had no access to the contents of the email or its functionality, and no oversight as to whether her personal and health information was being used, disclosed, amended or deleted by university users and being sent on elsewhere, either in its original formation or in a revised, anonymised or otherwise changed format.
The IT policy gave the university 'broad powers to monitor its information assets, including email, and the right to view, modify copy, move delete or otherwise handle as it sees fit the data and information assets stored on and accessed through the University's ICT resources, irrespective of any ownership or other rights claimed over the data or information assets", it said in defence of the claims.
However, NCAT ruled that agencies could not "simply by adopting policies with provisions contrary to the (legislation) ... avoid or limit their obligations (or an individual's rights) under that legislation".
The student, EJX, had repeatedly asked the university what information the email portal was holding about her, including private and sensitive health-related information.
The university responded to some of her complaints on an unattributed basis and, on occasion, they were attributed to the Vice Chancellor, the NCAT ruling says.
As well as an apology from the Chancellor of the University for contravening the legislation and for "all harm, distress, humiliation and embarrassment" EJX suffered, the tribunal ordered it pay $22,500 in damages.
The university was also ordered to provide the information the student had been seeking in the first place, and ensure it took reasonable security safeguards steps in accordance with the law.