- Summary of University's privacy responsibilities
- Summary of Information Privacy Principles
- Summary of Health Privacy Principles
- Privacy Collection Notice
- Privacy Impact Assessments
- Protecting Information Security at Work
- Film, Photography and Audio
- Training Materials
- Privacy Scenarios
- Internal Privacy Processes
The University has legal obligations to protect the information privacy of all students, staff and members of the public it comes into contact with. These obligations arise from the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic).
Summary of University's privacy responsibilities
This is a short summary of the University's privacy responsibilities.
Summary of Information Privacy Principles
The 10 Information Privacy Principles can be found in Schedule 1 of the Privacy and Data Protection Act 2014 (Vic). They set out legislative safeguards for the collection, use, disclosure and management of personal and sensitive information.
Summary of Health Privacy Principles
The 11 Health Privacy Principles can be found in Schedule 1 of the Health Records Act 2001 (Vic). They set out legislative safeguards for the collection, use, disclosure and management of health information.
Privacy Collection Notice
A Privacy Collection Notice informs the individual whose personal information is being collected of the purposes for which it will be used and to whom it may be disclosed.
A clear and comprehensive Privacy Collection Notice allows the University to use and disclose Personal Information in the way in which it was intended, and mitigates risk of non-compliance with privacy obligations.
- What should I do before drafting a Privacy Collection Notice?
Before drafting your Privacy Collection Notice, ensure that you have a clear idea of:
- all the Personal Information to be collected;
- all the purposes for which the information is collected; and
- all internal and external parties who may have access to the information.
- What needs to be included in a Privacy Collection Notice?
A collection notice must include:
1. The identity and contact details of the department/division which is collecting the information.
2. The Primary Purpose for which the information is collected.
3. To whom generally (the types of individuals or organisations) the information will routinely be disclosed.
4. Any Law that requires the particular information to be collected.
5. The main consequences (if any) for the individual if all or part of the information is not provided.
6. The fact that the individual is able to gain access to the Personal Information they have provided.
Item 4 may be omitted if no specific Law requires the collection.
Item 5 may be omitted if the consequences of not providing all or part of the information are nil or minimal.
- Sample Privacy Collection Notice
The information on this form is being collected by Academic Services, the University of Melbourne. You can contact us at 13 6352.
The information you provide will be used to administer your enrolment as an international student. The information will be used by authorised staff for the purpose for which it was collected, and will be protected against unauthorised access and use. Your information may be made available to the Department of Education and Department of Immigration to comply with reporting requirements in relation to students holding overseas visas.
We are required to collect this information under the Education Services for Overseas Students Act 2000 (Cth), the Migration Act 1958 (Cth) and the Migration Regulations 1994 (Cth). If you do not provide all the information requested on this form, it may not be possible to provide a Confirmation of Enrolment at the University of Melbourne. This may affect your application for a student visa.
Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is a way of measuring the privacy impacts of any new or amended project or process. Privacy impacts arising from an initiative may be negative (privacy-invasive) and/or positive (privacy-enhancing). A PIA will assist in identifying ways in which any negative impacts can be mitigated.
Why undertake a Privacy Impact Assessment?
A failure to properly embed appropriate privacy protection measures may result in a breach of privacy laws, a declaration of incompatibility with the Charter of Human Rights and Responsibilities, and prohibitive costs in retro-fitting a system to ensure legal compliance or address community concerns about privacy.
PIAs are undertaken as part of a sound risk management strategy, to assess whether it is safe to proceed to the implementation phase of a new project. PIAs are also undertaken if changes are made to the way we collect, use, store or dispose of personal information.
Process for completing a Privacy Impact Assessment
A copy of the PIA template is available for download below.
Please save the form to your local drive, then complete it and forward it to the Risk and Compliance team (firstname.lastname@example.org) for initial review.
The final PIA must be reviewed and endorsed by the Project/System/Process Manager and the Director (or Level 3 Delegate). Please retain the PIA with other Project/System/Process documentation and risk assessments.
Protecting Information Security at Work
The University has an obligation to take reasonable steps to protect the personal, sensitive and/or health information it holds from misuse, loss, and unauthorised modification or disclosure. The following are some tips to help you protect information security at work.
- How do I know if information management in my area is sufficiently secure?
What constitutes "reasonable steps" depends on:
- The nature or sensitivity of the personal information concerned
- The likelihood of a security breach occurring
- The gravity of any harm to an individual if a security breach occurs.
More advanced security measures may be required in the following circumstances:
- Your area holds vast amounts of personal, sensitive or health information (e.g. hard copy files, ISIS, Themis)
- Your area works with information belonging to vulnerable persons
- Your area has collected sensitive information about individuals
- There is a risk of identity theft or financial harm if a security breach occurs
- There is a risk of harm to a person’s life, safety, liberty, reputation or livelihood if a security breach occurs
- Physical security
The University has an obligation to ensure the physical security of information stored in hard copy (e.g. files or paper documents). Possible measures to ensure physical security include:
- locking filing cabinets;
- restricting access to certain areas (swipe card access);
- adopting a clean desk policy; or
- having a separate meeting room to discuss personal, health or sensitive information.
- Operational security
The University must ensure that individuals' privacy is protected in its everyday operations. This may include taking the following steps:
- adopting rules on levels of access and limiting information to those with a need to know;
- encouraging staff to change passwords at frequent intervals (note that current guidance, for example NIST SP 800-63B, favours strong, unique passwords that are changed promptly on suspected compromise over routine scheduled rotation); or
- using fictitious information for training.
- Online security
The University's privacy obligations extend to information transmitted or stored online. Privacy can be protected online by taking steps such as:
- encrypting files, or password-protecting them, before they are stored or sent; or
- using blind carbon copy (Bcc) when emailing multiple recipients, so that no recipient's address is disclosed to the others.
Where cloud computing is used, the University must ensure that the cloud service provider has adequate security measures to protect Personal Information collected by the University, as required by the Privacy and Data Protection Act 2014 (Vic).
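The Bcc point above is where bulk mail-outs most often go wrong: every address placed in To or Cc travels with the message to every recipient. The following is an added example, not part of the University's page or processes, showing the difference using only the Python standard library. The mailbox and recipient addresses are constructed sample data, and the "wire copy" step reproduces by hand what smtplib.SMTP.send_message does when it strips the Bcc header before sending.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (not from the page): a sending mailbox and three recipients.
SENDER = "privacy-office@example.edu"
RECIPIENTS = ["alice@example.edu", "bob@example.com", "carol@example.net"]


def build_notice(sender, recipients, subject, body, use_bcc=True):
    """Build a bulk notice. With use_bcc=True the recipients go in Bcc and the
    visible To is the sending mailbox; with use_bcc=False every address is
    listed in To, which is the common mistake this example illustrates."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    if use_bcc:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    else:
        msg["To"] = ", ".join(recipients)
    msg.set_content(body)
    return msg


def envelope_recipients(msg):
    """Addresses the mail server is asked to deliver to (To, Cc and Bcc).
    smtplib.SMTP.send_message builds its RCPT TO list the same way."""
    fields = [v for v in (msg.get(h) for h in ("To", "Cc", "Bcc")) if v]
    return [addr for _, addr in getaddresses(fields) if addr]


def wire_copy(msg):
    """The copy that actually leaves the server: identical to msg except that
    the Bcc header is removed. send_message strips it for you; doing it by
    hand here makes the step visible and testable."""
    out = message_from_bytes(msg.as_bytes(), policy=policy.default)
    del out["Bcc"]
    return out


def exposed_addresses(sent, recipients):
    """Recipient addresses that anyone holding the sent message can read."""
    raw = sent.as_bytes().decode("utf-8", "replace")
    return [r for r in recipients if r in raw]


if __name__ == "__main__":
    for use_bcc in (True, False):
        msg = build_notice(SENDER, RECIPIENTS, "Enrolment reminder",
                           "Please check your enrolment details.", use_bcc)
        print("Bcc" if use_bcc else "To ", "delivers to:", envelope_recipients(msg))
        print("    addresses visible to every recipient:",
              exposed_addresses(wire_copy(msg), RECIPIENTS))
```

Both variants reach the same recipients; only the To-addressed variant discloses the full distribution list, which is a disclosure of Personal Information under the principles summarised on this page.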
Film, Photography and Audio
The following are resources for University staff who intend to collect and use images, videos or audio recordings of individuals. Further guidelines for use of photos and video can be found on Staff Hub.
Training Materials
The University's current Privacy Presentation is available from this page.
Privacy Scenarios
University staff can discover how the Privacy and Data Protection Act 2014 (Vic) applies to everyday scenarios. The scenarios are for internal use and guidance only. Where you are unclear about whether a question and answer fits your particular circumstances, or if the scenarios do not deal with those circumstances, please contact the Privacy Officer.
Internal Privacy Processes
Privacy Processes can be found in the University of Melbourne Process Library (Promapp).
Staff Hub access is required. In Promapp, navigate to Governance and Management, then Privacy.