This is the current version of this document. To view historic versions of this document click the link in the main navigation (grey) bar above or contact email@example.com for versions that expired pre February 2016.
Section 1 - Preamble
(1) This Policy was approved by the Vice-Chancellor on 11 October 2016.
Section 2 - Purpose
(2) To outline the University's obligations for and commitment to the responsible management of personal information held about its staff, students, and individuals with whom it interacts.
Section 3 - Scope
(3) This policy applies to all collection, use, disclosure, storage and destruction of Personal or Health Information by the University.
Section 4 - Policy
Statement of commitment
(4) The University is committed to the responsible management of Personal and Health Information. This commitment arises not only from a wish to comply with its legal obligations but also in recognition of and commitment to information privacy as one of the foundations of human dignity.
(5) In undertaking its core functions of teaching and research and in conducting the activities which support these functions, the University will balance the public interest in the free flow of information with the protection of the privacy of Personal and Health Information that the University collects.
(6) All University staff must:
- respect the privacy of Personal and Health Information that they collect, use or disclose in the course of their employment, and
- comply with the requirements of the Privacy and Data Protection Act 2014 (Vic), the Health Records Act 2001 (Vic), and this policy in the performance of their obligations as staff of the University.
(7) All honorary staff and associates of the University must respect the privacy of Personal and Health Information that they collect, use or disclose in the course of their engagement by or association with the University.
University Solicitor's Office
(8) The University Solicitor is the University's Privacy Officer and will:
- provide advice on issues related to information privacy
- develop information privacy resources for use throughout the University
- liaise with the Office of the Victorian Privacy and Data Protection Commissioner and the Victorian Health Services Commissioner
- receive enquiries about Personal and Health Information privacy at the University.
(9) Personal and Health Information must be collected only:
- where necessary and relevant to the University's functions and activities and where there is a specific and immediate need to do so
- in a lawful, fair and not unreasonably intrusive way.
(10) Sensitive Information must only be collected where the individual has provided consent, or where the collection:
- is required by law
- is otherwise authorised under the Privacy and Data Protection Act 2014 (Vic) or the Health Records Act 2001 (Vic).
(11) When collecting Personal and Health Information directly from an individual, whether by verbal, written or electronic means, all reasonable steps must be taken to ensure that the individual providing such information is made aware of how their information will be used and with whom it might be shared or communicated in an appropriate collection statement. The collection statement must include:
- the purpose for which the information is being collected (the proposed use) and to whom it might be disclosed
- the area collecting the information and how to contact it
- that the individual is able to gain access to the information
- any law that requires the particular information to be collected
- the main consequence (if any) for the individual if all or part of the information is not provided to the University.
(12) University websites, forms, and publications that collect Personal or Health Information must include a collection statement, the form of which must be approved by the Privacy Officer.
(13) Personal or Health Information must not be collected from individuals if it is reasonable and practicable to transact with them without collecting this type of information.
Use and disclosure
(14) Personal and Health Information collected in the course of the University's activities must be used only for the primary purpose of collection, a related secondary use reasonably anticipated by the individual, or where authorised by law.
(15) University staff must only access Personal or Health Information to the extent necessary to perform their job.
(16) University staff must seek advice from the Privacy Officer prior to any use or disclosure that is not for the primary purpose of collection or a related secondary use that would be reasonably anticipated by the individual.
(17) The reference in Victorian privacy law to information 'in recorded form' does not diminish the obligation of University staff to hold in confidence information obtained in the course of their employment.
(18) University staff must take reasonable steps to ensure that Personal and Health Information collected, used or disclosed is accurate, complete and up to date.
Data security and disposal
(19) University staff must ensure that Personal Information and Health Information for which they are responsible is:
- kept secure and protected from misuse, loss, unauthorised access, modification or disclosure
- destroyed or permanently de-identified when it is no longer needed by the University,
subject to the University's obligations under the Public Records Act 1973 (Vic) and other legislation.
Access and correction
(20) An individual has the right to request that the University provide them with access to, or an opportunity to correct, their Personal or Health Information held by the University. Requests for access and correction will be managed in accordance with the provisions of the Freedom of Information Act 1982 (Vic).
(21) Operational areas of the University may, where appropriate, develop guidelines to enable staff, students and members of the public to access Personal or Health Information held about them by the University.
(22) It is the responsibility of a contract sponsor to ensure that a contract entered into by the University includes appropriate safeguards for protection of Personal and Health Information. Advice from the Privacy Officer must be sought where Personal or Health Information is to be transferred outside of Victoria.
(23) An individual who believes that the University has engaged in an act constituting an interference with their privacy may complain to the University in accordance with the procedures set out in clauses 23(a) — (d).
- Complaints must be made within six (6) months of the time the complainant first became aware of the alleged breach.
- Where the complainant is a student of the University, any complaint will be dealt with under the Student Complaints Resolution Policy.
- Where the complainant is a staff member of the University, any complaint will be dealt with under the Staff Complaints, Disputes and Grievances Procedure.
- Where the complainant is neither a currently-enrolled student nor a current staff member, complaints must be forwarded in writing to the Privacy Officer (via email firstname.lastname@example.org). The Privacy Officer will be responsible for:
- appointing an appropriate person to undertake an investigation of the complaint and to provide recommendations to the Privacy Officer as to an appropriate response;
- determining what actions the University will take;
- providing a written response in respect of the outcome to the complainant, and
- advising relevant University personnel of actions required to remedy the interference with the complainant's privacy (if any).
(24) Breaches of the privacy rights of an individual must be reported to the Privacy Officer, who will manage the breach in conjunction with the relevant area. The Privacy Officer will report breaches to the Risk and Compliance Unit on a quarterly basis or as otherwise required.
(25) All University staff must undertake privacy training at induction and refresher training at least every two years unless they can demonstrate that the nature of their work at the University is such that additional privacy training is not required (e.g. lecturer in privacy law, solicitor employed in the University Solicitor's Office's). Faculties and Portfolios of the University are responsible for monitoring initial and refresher training of their staff.
Section 5 - Procedure
(26) There is no attendant Procedure.
Section 6 - Definitions
(27) For the purpose of this Policy:
- Associates: contractors, volunteers, visiting appointees and visitors to the University.
- Collection: includes any means by which the University obtains Personal or Health Information, including information that is volunteered, incidentally obtained or gathered from another organisation.
- Collection statement: a statement of the University's practices when collecting, using, disclosing and otherwise managing Personal and Health Information collected in the course of its activities, which is provided at or near the time such information is collected.
- Contractor: a company or an individual (other than a University employee) engaged to provide services to the University. Contractors include consultants.
- Health Information: as defined in the Health Records Act 2001 (Vic),-
- information or an opinion about:
- the physical, mental or psychological health (at any time) of an individual; or
- a disability (at any time) of an individual; or
- an individual's expressed wishes about the future provision of health services to him or her; or
- a health service provided, or to be provided, to an individual — that is also personal information; or
- other personal information collected to provide, or in providing, a health service, or
- other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances, or
- other personal information that is genetic information about an individual in a form that is or could be predictive of the health (at any time) of the individual or of any of his or her descendants.
- Honorary staff: includes Honorary Professors, Honorary Associate Professors, Adjunct Professors, Adjunct Associate Professors, Honorary Fellows, Conjoint Clinical Professors and Conjoint Clinical Associate Professors.
- Personal Information: as defined in the Privacy and Data Protection Act 2014 (Vic) is information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion, but does not include health information.
- Privacy complaint: a complaint by an individual about an act or practice of the University in relation to the individual's Personal or Health Information that the individual believes is contrary to or inconsistent with the Information Privacy Principles set out in the Privacy and Data Protection Act 2014 (Vic) or the Health Privacy Principles set out in the Health Records Act 2001 (Vic).
- Sensitive Information: a subset of Personal Information that constitutes information or an opinion about an individual's racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preferences or practices; or criminal record.
- Staff: as defined in section 3, Deakin University Act 2009 (Vic): any person employed by the University.