• Section 1 - Preamble
• Section 2 - Purpose
• Section 3 - Scope
• Section 4 - Policy
• Statement of commitment
• Obligation
• Privacy Officer
• Collection
• Use and disclosure
• Security and disposal
• Access and correction
• Contracts
• Complaints
• Breach process
• Training
• Section 5 - Procedure
• Section 6 - Definitions

Section 1 - Preamble

(1) This Policy was approved by the Vice-Chancellor on 28 January 2013.

Section 2 - Purpose

(2) To outline the University's obligations for and commitment to the responsible management of personal information held about its staff, students, and individuals with whom it interacts.

Section 3 - Scope

(3) This Policy applies to all collection, use, disclosure, storage and destruction of Personal or Health Information by the University.

Section 4 - Policy

Statement of commitment

(4) The University is committed to the responsible management of Personal and Health Information. This commitment arises not only from a wish to comply with its legal obligations but also in recognition of and commitment to information privacy as one of the foundations of human dignity.

(5) In undertaking its core functions of teaching and research and in conducting the activities which support these functions, the University will balance the public interest in the free flow of information with the protection of the privacy of Personal and Health Information which the University collects.

Obligation

(6) All University staff must:

1. respect the privacy of Personal and Health Information which they collect, use or disclose in the course of their employment; and
2. comply with the requirements of the Information Privacy Act 2000 (Vic), the Health Records Act 2001 (Vic), and this Policy in the performance of their obligations as staff of the University.

(7) All honorary staff and associates of the University must respect the privacy of Personal and Health Information which they collect, use or disclose in the course of their engagement by or association with the University.

Privacy Officer

(8) The University will appoint a University Privacy Officer to:

1. provide advice and training on issues related to information privacy
2. develop information privacy resources for use throughout the University
3. liaise with the Office of the Victorian Privacy Commissioner and the Victorian Health Services Commissioner;
4. receive enquiries about Personal and Health Information privacy at the University
5. receive and coordinate the investigation of privacy complaints.

Collection

(9) Personal and Health Information must be collected only:

1. where necessary and relevant to the University's functions and activities and where there is a specific and immediate need to do so
2. in a lawful, fair and not unreasonably intrusive way.

(10) When collecting Personal and Health Information directly from an individual, whether by verbal, written or electronic means, the University will take all reasonable steps to ensure that the individual providing such information is made aware of how their information will be used and with whom it might be shared or communicated in an appropriate collection statement. The University will publish its collection statement variously in a form approved by the University Privacy Officer, including at sites of collection and on the University's Privacy website.

(11) University websites, forms, and publications that provide for the collection of Personal or Health Information must include a collection statement.

Use and disclosure

(12) The University will use Personal and Health Information it collects in the course of its activities only for the primary purpose of collection, a related secondary use reasonably anticipated by the individual, or where authorised by law.

(13) The University will develop procedures and guidelines to ensure that University staff only access Personal or Health Information to the extent necessary to perform their job.

(14) University staff must seek advice from the University Privacy Officer prior to any use or disclosure which is not for the primary purpose of collection or a related secondary use which would be reasonably anticipated by the individual.

(15) The University will provide information to its staff, students and public users of its services to enable them to understand the types of secondary uses they can reasonably anticipate.

(16) The reference in Victorian privacy law to information 'in recorded form' does not diminish the obligation of University staff to hold in confidence information obtained in the course of their employment.

Security and disposal

(17) The University will ensure that Personal Information and Health Information is:

1. kept secure and protected from misuse, loss, unauthorised access, modification or disclosure
2. destroyed or permanently de-identified when it is no longer needed by the University, subject to the University's obligations under the Public Records Act 1973 (Vic) and other legislation.

Access and correction

(18) An individual may request that the University provide him or her with access to, or an opportunity to correct, their Personal or Health Information held by the University. Requests for access and correction will be managed in accordance with the provisions of the Freedom of Information Act 1982 (Vic).

(19) Operational areas of the University may, where appropriate, develop guidelines to enable staff, students and members of the public to access Personal or Health Information held about them by the University.

Contracts

(20) It is the responsibility of a contract sponsor to ensure that a contract entered into by the University includes appropriate safeguards for protection of Personal and Health Information.

Complaints

(21) The University will establish procedures to ensure that privacy complaints are dealt with in a timely and responsive manner.

Breach process

(22) The University will establish procedures and guidelines to enable staff to identify and respond expeditiously to any actual or threatened breach of its obligation to manage Personal and Health Information responsibly.

Training

(23) All University staff must undertake privacy training at induction and refresher training at least every three years unless they can demonstrate that the nature of their work at the University is such that additional privacy training is not required (e.g. lecturer in privacy law, University Privacy Officer).

Section 5 - Procedure

(24) There is no attendant procedure.

Section 6 - Definitions

(25) For the purpose of this Policy:

1. Associates: contractors, volunteers, visiting appointees and visitors to the University.
2. Contractor: a company or an individual (other than a University employee) engaged to provide services to the University. Contractors include consultants.
3. Collection: includes any means by which the University obtains Personal or Health Information, including information that is volunteered, incidentally obtained or gathered from another organisation.
4. Collection statement: a statement of the University's practices when collecting, using, disclosing and otherwise managing Personal and Health Information collected in the course of its activities, which is provided at or near the time such information is collected.
5. Honorary staff: includes Honorary Professors, Honorary Associate Professors, Adjunct Professors, Adjunct Associate Professors, Honorary Fellows, Conjoint Clinical Professors and Conjoint Clinical Associate Professors.
6. Personal Information: as defined in the Information Privacy Act 2000 (Vic) is information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include health information.
7. Privacy complaint: a complaint by an individual about an act or practice of the University in relation to the individual's Personal or Health Information which the individual believes is contrary to or inconsistent with the Information Privacy Principles set out in the Information Privacy Act 2000 (Vic) or the Health Privacy Principles set out in the Health Records Act 2001 (Vic).
8. Health information: as defined in the Health Records Act 2001 (Vic):
   1. information or an opinion about:
      • the physical, mental or psychological health (at any time) of an individual; or
      • a disability (at any time) of an individual; or
      • an individual's expressed wishes about the future provision of health services to him or her; or
      • a health service provided, or to be provided, to an individual - that is also personal information; or
   2. other personal information collected to provide, or in providing, a health service; or
   3. other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
   4. other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants.
9. Staff: as defined in section 3, Deakin University Act 2009 (Vic): any person employed by the University.