(1) This Policy was approved by the Vice-Chancellor on 28 January 2013.
(2) To outline the University's obligations for and commitment to the responsible management of personal information held about its staff, students, and individuals with whom it interacts.
(3) This Policy applies to all collection, use, disclosure, storage and destruction of Personal or Health Information by the University.
(4) The University is committed to the responsible management of Personal and Health Information. This commitment arises not only from a wish to comply with its legal obligations but also in recognition of and commitment to information privacy as one of the foundations of human dignity.
(5) In undertaking its core functions of teaching and research and in conducting the activities which support these functions, the University will balance the public interest in the free flow of information with the protection of the privacy of Personal and Health Information which the University collects.
(6) All University staff must:
(7) All honorary staff and associates of the University must respect the privacy of Personal and Health Information which they collect, use or disclose in the course of their engagement by or association with the University.
(8) The University will appoint a University Privacy Officer to:
(9) Personal and Health Information must be collected only:
(10) When collecting Personal and Health Information directly from an individual, whether by verbal, written or electronic means, the University will take all reasonable steps to ensure that the individual providing such information is made aware, in an appropriate collection statement, of how their information will be used and with whom it might be shared or communicated. The University will publish its collection statement variously in a form approved by the University Privacy Officer, including at sites of collection and on the University's Privacy website.
(11) University websites, forms, and publications that provide for the collection of Personal or Health Information must include a collection statement.
(12) The University will use Personal and Health Information it collects in the course of its activities only for the primary purpose of collection, a related secondary use reasonably anticipated by the individual, or where authorised by law.
(13) The University will develop procedures and guidelines to ensure that University staff only access Personal or Health Information to the extent necessary to perform their job.
(14) University staff must seek advice from the University Privacy Officer prior to any use or disclosure which is not for the primary purpose of collection or a related secondary use which would be reasonably anticipated by the individual.
(15) The University will provide information to its staff, students and public users of its services to enable them to understand the types of secondary uses they can reasonably anticipate.
(16) The reference in Victorian privacy law to information 'in recorded form' does not diminish the obligation of University staff to hold in confidence information obtained in the course of their employment.
(17) The University will ensure that Personal Information and Health Information are:
(18) An individual may request that the University provide him or her with access to, or an opportunity to correct, their Personal or Health Information held by the University. Requests for access and correction will be managed in accordance with the provisions of the Freedom of Information Act 1982 (Vic).
(19) Operational areas of the University may, where appropriate, develop guidelines to enable staff, students and members of the public to access Personal or Health Information held about them by the University.
(20) It is the responsibility of a contract sponsor to ensure that a contract entered into by the University includes appropriate safeguards for protection of Personal and Health Information.
(21) The University will establish procedures to ensure that privacy complaints are dealt with in a timely and responsive manner.
(22) The University will establish procedures and guidelines to enable staff to identify and respond expeditiously to any actual or threatened breach of its obligation to manage Personal and Health Information responsibly.
(23) All University staff must undertake privacy training at induction and refresher training at least every three years unless they can demonstrate that the nature of their work at the University is such that additional privacy training is not required (e.g. lecturer in privacy law, University Privacy Officer).
(24) There is no attendant procedure.
(25) For the purpose of this Policy: