Our privacy obligations and responsibilities
The University has legal obligations to protect the information privacy of all students, staff and members of the public it comes into contact with. These obligations arise from the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic).
Please click on the links below to find out more about our privacy obligations and responsibilities.
What is personal, sensitive and health information?
The University has obligations in relation to personal, sensitive and health information.
Personal information means recorded facts or opinions that identify someone or allow them to be identified.
Sensitive information means:
information or opinion about an individual’s race/ethnic origin, political opinions, membership in a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences/practices, or criminal record.
Health information means information about a person’s physical/mental health, any disability they may have and any treatment they may have received.
Information Privacy Principles (for the protection of personal and sensitive information)
Schedule 1 of the Privacy and Data Protection Act (Vic) sets out 10 Information Privacy Principles (IPPs). The IPPs are legislative safeguards for the collection, use, disclosure and management of personal and sensitive information.
Health Privacy Principles (for the protection of health information)
Schedule 1 of the Health Records Act (Vic) sets out 11 Health Privacy Principles (HPPs). The HPPs are legislative safeguards for the collection, use, disclosure and management of personal and sensitive information.
Privacy responsibilities in the University
This summary sets out the IPPs and HPPs as they apply to everyday work at the University.
Privacy Collection Notice
A Privacy Collection Notice informs the individual of the intended use of their personal information.
A clear and comprehensive Privacy Collection Notice allows the University to use and disclose personal information in the way in which it was intended, and mitigates risk of non-compliance with privacy obligations.
- What should I do before drafting a Privacy Collection Notice?
Before drafting your Privacy Collection Notice, ensure that you have a clear idea of:
- all the personal information to be collected;
- all the purposes for which the information is collected (primary purpose/s); and
- all internal and external parties who may have access to the information.
- What needs to be included in a Privacy Collection Notice?
A collection notice must include:
1. the identity and contact details of the department/division which is collecting the information.
2. the primary purpose for which the information is collected.
3. to whom generally (the types of individuals or organisations) the information will be routinely disclosed.
4. any law that requires the particular information to be collected.
5. the main consequences (if any) for the individual if all or part of the information is not provided.
6. the fact that the individual is able to gain access to the Personal Information they have provided; and
Item 4 may be omitted if there are no specific Laws that require the collection.
Item 5 may be omitted if the consequences of not providing all or part of the information are nil or minimal.
- Sample Privacy Collection Notice
The information on this form is being collected by Academic Services, the University of Melbourne. You can contact us at 13 6352.
The information you provide will be used to administer your enrolment as an international student. The information will be used by authorised staff for the purpose for which it was collected, and will be protected against unauthorised access and use. Your information may be made available to the Department of Education and Department of Immigration to comply with reporting requirements in relation to students holding overseas visas.
We are required to collect this information under the Education Services for Overseas Students Act 2000 (Cth), the Migration Act 1958 (Cth) and the Migration Regulations 1994 (Cth). If you do not provide all the information requested on this form, it may not be possible to provide a Confirmation of Enrolment at the University of Melbourne. This may affect your application for a student visa.
Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is a way of measuring the privacy impacts of any new or amended project or process. Privacy impacts arising from an initiative may be negative (privacy-invasive) and/or positive (privacy-enhancing). A PIA will assist in identifying ways in which any negative impacts can be mitigated.
Why undertake a Privacy Impact Assessment?
A failure to properly embed appropriate privacy protection measures may result in a breach of privacy laws, a declaration of incompatibility with the Charter of Human Rights and Responsibilities, and prohibitive costs in retro-fitting a system to ensure legal compliance or address community concerns about privacy.
PIAs are undertaken as part of a sound risk management strategy, to assess whether it is safe to proceed to the implementation phase of a new project. PIAs are also undertaken if changes are made to the way we collect, use, store or dispose of personal information.
Process for completing a Privacy Impact Assessment
A copy of the PIA template is available for download below.
Please save the form to your local drive, then complete and forward to the Risk and Compliance team (firstname.lastname@example.org) for initial review.
The final PIA must be reviewed and endorsed by the Project/System/Process Manager and the Director (or Level 3 Delegate). Please retain the PIA with other Project/System/Process documentation and risk assessments.
Film, Photography and Audio
The following are resources for University staff who intend to collect and use images, videos or audio recordings of individuals. Further guidelines for use of photos and video can be found on Staff Hub.
- Note: This is a template notice for use at events that may be photographed, filmed or otherwise recorded. It is not a consent form to release any personal information. Staff intending to use images or other materials should refer to the Guidelines for Use of Photos and Videos on Staff Hub for guidance.
Protecting Information Security at Work
The University has an obligation to take reasonable steps to protect the personal, sensitive and/or health information it holds from misuse, loss, and unauthorised modification or disclosure. The following are some tips to help you protect information security at work.
- How do I know if information management in my area is sufficiently secure?
What constitutes "reasonable steps" depends on:
- The nature or sensitivity of the personal information concerned
- The likelihood of a security breach occurring
- The gravity of any harm to an individual if a security breach occurs.
More advanced security measures may be required in the following circumstances:
- Your area holds vast amounts of personal, sensitive or health information (e.g. hard copy files, ISIS, Themis)
- Your area works with information belonging to vulnerable persons
- Your area has collected sensitive information about individuals
- There is a risk of identity theft or financial harm if a security breach occurs
- There is a risk of harm to a person’s life, safety, liberty, reputation or livelihood if a security breach occurs
- Physical security
The University has an obligation to ensure the physical security of information stored in hard copy (e.g. files or paper documents). Possible measures to ensure physical security include:
- locking filing cabinets;
- restricting access to certain areas (swipe card access);
- adopting a clean desk policy; or
- having a separate meeting room to discuss personal, health or sensitive information.
- Operational security
The University must ensure that individuals' privacy is protected in its everyday operations. This may include taking the following steps:
- adopting rules on levels of access and limiting information to those with a need to know;
- encouraging staff to change passwords at frequent intervals; or
- using fictitious information for training.
- Online security
The University's privacy obligations extend to information transmitted or stored online. Privacy can be protected online by taking steps such as:
- encrypting files or enabling password protection; or
- blind carbon copying address details.
Where cloud computing is used, the University must ensure that the cloud service provider has adequate security measures to protect Personal Information collected by the University as per the Privacy and Data Protection Act 2014 (Vic).
Privacy training, processes and common scenarios (University employees only)
The following resources have been developed to assist University employees in meeting privacy obligations in their day-to-day work.
The University's Process Library contains internal processes relating to the collection and management of personal information. To access these processes, please log in here.
The Legal and Risk page on Staff Hub contains a series of common "scenarios" involving personal information of staff, students and members of the public. University employees can discover how our privacy responsibilities and obligations apply to their everyday work. To access these scenarios, please log in to Staff Hub here.
Note: These scenarios are for internal use and guidance only - for information about privacy in your specific circumstances, please contact the Privacy Coordinator directly.
University employees can enrol in online Managing Information training or attend face-to-face training. Visit the Training and Events page for further information.
Click here to access the PowerPoint for privacy presentations.