(1) This Policy is effective from 16 July 2018. (2) This Policy outlines the University's obligations for and commitment to the responsible management of personal information held about its staff, students, and individuals with whom it interacts. (3) This Policy applies to all collection, use, disclosure, storage and destruction of Personal or Health Information by the University. (4) The University is committed to the responsible management of Personal and Health Information. This commitment arises not only from a wish to comply with its legal obligations but also in recognition of and commitment to information privacy as one of the foundations of human dignity. (5) In undertaking its core functions of teaching and research and in conducting the activities which support these functions, the University will balance the public interest in the free flow of information with the protection of the privacy of Personal and Health Information that the University collects. (6) All University staff must: (7) All honorary staff and associates of the University must respect the privacy of Personal and Health Information that they collect, use or disclose in the course of their engagement by or association with the University. (8) The General Counsel is the University's Privacy Officer and will: (9) Personal and Health Information must be collected only: (10) Sensitive Information must only be collected where the individual has provided consent, or where the collection: (11) When collecting Personal and Health Information directly from an individual, whether by verbal, written or electronic means, all reasonable steps must be taken to ensure that the individual providing such information is made aware of how their information will be used and with whom it might be shared or communicated in an appropriate collection statement. The collection statement must include: (12) University websites, forms, and publications that collect Personal or Health Information must include a collection statement, the form of which must be approved by the Privacy Officer. (13) Personal or Health Information must not be collected from individuals if it is reasonable and practicable to transact with them without collecting this type of information. (14) Personal and Health Information collected in the course of the University's activities must be used only for the primary purpose of collection, a related secondary use reasonably anticipated by the individual, or where authorised by law. (15) University staff must only access Personal or Health Information to the extent necessary to perform their job. (16) University staff must seek advice from the Privacy Officer prior to any use or disclosure that is not for the primary purpose of collection or a related secondary use that would be reasonably anticipated by the individual. (17) The reference in Victorian privacy law to information 'in recorded form' does not diminish the obligation of University staff to hold in confidence information obtained in the course of their employment. (18) University staff must take reasonable steps to ensure that Personal and Health Information collected, used or disclosed is accurate, complete and up to date. (19) University staff must ensure that Personal Information and Health Information for which they are responsible is: (20) An individual has the right to request that the University provide them with access to, or an opportunity to correct, their Personal or Health Information held by the University. Requests for access and correction will be managed in accordance with the provisions of the Freedom of Information Act 1982 (Vic). (21) Operational areas of the University may, where appropriate, develop guidelines to enable staff, students and members of the public to access Personal or Health Information held about them by the University. (22) It is the responsibility of a contract sponsor to ensure that a contract entered into by the University includes appropriate safeguards for protection of Personal and Health Information. Advice from the Privacy Officer must be sought where Personal or Health Information is to be transferred outside of Victoria. (23) An individual who believes that the University has engaged in an act constituting an interference with their privacy may complain to the University in accordance with subclauses a. — d. (24) Privacy and data security breaches must be immediately reported to the Privacy Officer who will advise the Chief Digital Officer and the Chief Operating Officer. (25) The Privacy Officer, Chief Digital Officer and Chief Operating Officer will assess the breach and determine if a Critical Incident Management response is required in accordance with the Critical Incident Management procedure and advise the Vice-Chancellor. (26) Where the breach does not require a Critical Incident management response, the Privacy Officer will manage the breach in conjunction with the relevant area. (27) The Privacy Officer will report breaches to the Risk and Compliance Unit on a quarterly basis or as otherwise required. (28) All University staff must undertake privacy training at induction and refresher training at least every two years unless they can demonstrate that the nature of their work at the University is such that additional privacy training is not required (e.g. lecturer in privacy law, solicitor employed in DeakinLegal). Faculties and Portfolios of the University are responsible for monitoring initial and refresher training of their staff. (29) There is no attendant Procedure. (30) For the purpose of this Policy:Privacy policy
Section 1 - Preamble
Section 2 - Purpose
Section 3 - Scope
Section 4 - Policy
Statement of commitment
Obligation
Office of the General Counsel
Collection
Use and disclosure
Data security and disposal
Access and correction
Contracts
Complaints
Breach process
Training
Section 5 - Procedure
Section 6 - Definitions
View Current
This is not a current document. To view the current version, click the link in the document's navigation bar.
subject to the University's obligations under the Public Records Act 1973 (Vic) and other legislation.