Newcastle Herald
Gabriel Fowler

'Always complied' says uni over $22k privacy breach

THE University of Newcastle says it has never offered unrestricted access to student emails, and has "always complied" with privacy legislation.

That is despite a judgement handed down in the NSW Civil and Administrative Tribunal (NCAT) blasting the university over an "egregious" breach of privacy and the use of internal policies to avoid its legal obligations.

NCAT directed the university to pay out $22,500 to a student known as 'EJX', and formally apologise to her over the incident. The payout includes $15,000 in aggravated damages for the "wholly avoidable exacerbation and aggravation" of the harm caused.

The case centred around the use of a university-created 'dedicated email' that the student was directed to use, including by vice-chancellor Alex Zelinsky.

The dedicated email address created for EJX was managed, accessed and operated by certain staff, employees, groups and "units" within the university.

The student had no access to the contents of the email or its functionality, and no oversight as to whether her personal and health information was being used, disclosed, amended or deleted by university users and being sent on elsewhere, either in its original form or in a revised, anonymised or otherwise changed format, the NCAT decision says.

In response to questions from the Newcastle Herald, however, University of Newcastle chief operating officer David Toll said the university "has never and would never offer unrestricted access to student emails".

"The University of Newcastle values our staff and students' safety and wellbeing," he said.

"Our privacy and sexual harassment policies comply - and have always complied - with the relevant legislation.

"These policies have processes in place to protect staff, students and ICT resources from threats including spam, cyber threats, and security attacks."

Those policies were regularly reviewed to ensure they remained compliant with the Privacy Management Plan by the NSW Information Privacy Commission, he said.

In its submissions to NCAT during the EJX case, the university said its IT policy gave it "broad powers".

Those powers included the right to "monitor its information assets, including email, and the right to view, modify, copy, move, delete or otherwise handle as it sees fit the data and information assets stored on and accessed through the University's ICT resources, irrespective of any ownership or other rights claimed over the data or information assets", it said in its defence.

However, the NCAT ruling said agencies could not "simply by adopting policies with provisions contrary to the (legislation) ... avoid or limit their obligations (or an individual's rights) under that legislation".
