The objectives of this policy are to:

(a)   identify the University’s obligations for handling personal information of past and present; University staff, students, prospective students and other individuals associated with the University;

(b)   encourage all University staff to take a proactive privacy approach; and

(c)   identify the University’s obligations for responding to complaints about potential privacy breaches.

This policy applies to the personal and health information (including sensitive information) of staff and students and other individuals associated with the University, collected by the University.

This policy is made under the University of Melbourne Act 2009 (Vic) and the Vice-Chancellor Regulation and supports compliance with the:

(a)   Privacy and Data Protection Act 2014 (Vic);

(b)   Health Records Act 2001 (Vic);

(c)   Public Records Act 1973 (Vic); and

(d)   Privacy Act 1988 (Cth).

4.1    Proactive privacy – The University is proactive in its approach to privacy protection by anticipating and preventing invasive events before they occur.

4.2.   Privacy by design – The University embeds privacy considerations into the design and architecture of information technology systems and business processes.

4.3.   The University collects, uses, discloses and manages personal information as University records in accordance with the Victorian Information Privacy Principles in the Privacy and Data Protection Act 2014 (Vic).

4.4.   In circumstances where the Privacy Act 1988 (Cth) applies to the University’s operations or activities, the University will comply with Australian Privacy Principles that have the same intent as the Victorian principles.

4.5.   The University collects health information of its staff, students and other individuals, in accordance with the Health Privacy Principles in the Health Records Act 2001 (Vic).

5.1.    The University’s Privacy Officer is responsible for responding to all complaints of potential privacy breaches.

5.2.    Privacy impact assessments to identify and mitigate privacy risks, and identify and evaluate privacy solutions, must be undertaken throughout the development and implementation of any project that collects and handles personal information, or when making changes to existing systems.

5.3.    Privacy statements must be available on the University’s privacy website and include:

(a)    the University’s main functions and the types of personal information generally collected to fulfil these functions;

(b)   how personal information is used and to whom it is routinely disclosed;

(c)    whether collection of personal information is optional or compulsory under applicable legislation;

(d)   how the information is stored securely and how access is properly managed; and

(e)   how privacy is protected if the information is transferred or stored outside Victoria.

Acts means Privacy and Data Protection Act 2014 (Vic), Health Records Act 2001 (Vic), Public Records Act 1973 (Vic) and Privacy Act 1988 (Cth).

Australian Privacy Principles means the set of 13 principles in the Privacy Act 1988 (Cth) governing the collection, use, disclosure, management and transfer of personal information by Commonwealth government agencies and private entities with an annual turnover of more than $3 million.

Health information has the meaning given to it in section 3 of the Health Records Act 2001 (Vic).

Health Privacy Principles means the set of 11 principles in the Health Records Act 2001 (Vic) governing the collection, management, use, disclosure and transfer of health information by organisations such as the University.

Information Privacy Principles means the set of 10 principles in the Privacy and Data Protection Act 2014 (Vic) governing the collection, use, disclosure, management and transfer of personal information by organisations such as the University.

Personal information has the meaning given to it in section 3 of the Privacy and Data Protection Act 2014 (Vic).

Privacy by design means a methodology to build privacy into the design and architecture of information systems, business processes and networked infrastructure.

Privacy impact assessment means a point in time process that is part of business as usual to identify and mitigate privacy risks, and to identify and evaluate privacy solutions.

Proactive privacy means focusing on prevention rather than remediation.

Sensitive information has the meaning given to it in schedule 1 of the Privacy and Data Protection Act 2014 (Vic).

University record means recorded information, in any format (eg electronic, paper, image) created or received by staff of the University in the course of conducting their University duties.

Vice Chancellor

Privacy Officer

This policy is to be reviewed by 11 March 2021.