University Secretary's Department Privacy

A.

The Privacy Act regulates the handling of personal information about individuals.  Personal information means ‘information or an opinion about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion’.

Q.

Who should I contact at the University about a privacy query or complaint?

A.

The University has a designated Privacy Officer.  Contact details and further information can be found at http://www.unimelb.edu.au/unisec/privacy/index.html

Q.

Does the Privacy Act apply to people who are under 18?

A.

Yes it does.  A complaint may also be made by a child (defined as a person under the age of 18) although a complaint may be made on behalf of a child by their parent or any other individual they choose.  This may be important for those students under the age of 18.

Q.

Does the Privacy Act apply to individuals who have died?

A.

The Privacy Act applies only to living people.  This does not mean, however, that it is OK to use or disclose any personal information about them.  As a matter of good practice, we should take into account the wishes of the family and the potential negative consequences of disclosing any personal information. Note that the Health Records Act 2001 (Vic) which governs health information collected or held by the University does apply to deceased individuals.

Q.

Should contracts entered into with another party include privacy clauses if personal information is being transferred?

A.

Yes, all contracts that the University enters into whereby personal information is transferred to a third party, should contain a ‘Privacy Clause’ requiring compliance with the University’s privacy policy to prevent information loss or misuse. All such clauses should be reviewed and approved by Legal Services.

Q.

Can an agency – a private company – contracted to provide services collect personal information?

A.

Yes, they can, provided the University has a formal agreement with them that requires them to comply with the University’s privacy policy.  This means they must collect only the information that is necessary, and they must use it and disclose it only for the purposes for which it was collected.

Q.

Do we have to provide personal information to the police?

A.

We may have to, but there is specific University procedure about this, and all requests must be in writing.  If the police contact you, refer to the procedure on the privacy webpage at http://www.unimelb.edu.au/unisec/privacy/index.html

Q.

Do we have to provide personal information to Centrelink and the Department of Immigration or other government agencies?

A.

We may have to if the information is being sought under the legislation that empowers those organisations to access information.  The Privacy Act  is subservient to all other legislation.  Please contact the Privacy Officer for advice.

Q.

The University is served with a subpoena to produce certain documents in the Supreme Court.  Is the University required to comply?

A.

In this situation, unless the University applies to have the subpoena set aside, the documents must be produced as this is required by law.  The original subpoena and any accompanying documents must be sent to Legal Services for review.

Q.

Our department is having problems with theft and wishes to install video surveillance and record people’s movements and activities.  Is that OK?

A.

Yes, provided the requirements of the Surveillance Devices Act 1999 (Vic) are complied with.  Accordingly, the recording of ‘private activities’ is prohibited unless there is implied or express consent to the recording.  Implied consent can be established through the use of signage in the area under surveillance.  Treat the captured information as ‘personal information’ for the purposes of the Privacy Act and comply with the University’s privacy policy.

Q

Can we use photos taken 10 years ago at a department function in a new department history that is to be published?

A

Depends on nature of the event 10 years ago. Consent may be implied where, for example, the function was a public event or opening ceremony of some kind. If it was in the nature of a private function and it would not be reasonable to expect photos to be used again in this way, then get consent. 

Q

Can a staff member’s photo be posted on a University webpage or used for promotional purposes without their consent?

A:

No. You must first obtain consent from the staff member to use their photos in this way.  Consent must be voluntary.  If a staff member is not willing to provide consent, they must not be compelled.  Note also that a staff member may also revoke their consent at a later date in which case the photo must be removed.

Q.

Can we conduct a survey among students to whom we have offered a place next year?

A.

Not automatically.  Their personal contact details have been provided for the purposes of offers and admissions.  This illustrates the importance of planning.  If we include a tick-box on forms that prospective students can tick if they are happy to be surveyed, then they will have given their consent and a survey would be quite legitimate.  If the survey was related to the admissions process, it could be argued that the use was a legitimate secondary purpose and that the students might expect to receive such communications about the admissions process

Q

Can we put a student on leave of absence or allow them to defer if a parent approaches the University to do so, citing extensive medical evidence?

A.

Unless the student is incapable of providing his or her consent or completing necessary paperwork, then any application for leave or to defer studies should be made by the student concerned.

Q.

Can someone else act on a student’s behalf for enrolment matters?

A.

Students will be required to provide their signature on various documents and that must obviously be done by them.  But it is the case that many student fees are paid by parents.  Students can authorise someone else to act on their behalf.  The authority must be dated and it must be explicit in describing the functions that are authorised: it must not be simply a blanket authorisation.  If a parent or other person holds a power of attorney to act on behalf of the student, then in reliance on this, that other person can sign documents.  The original power of attorney or certified copy should be sighted.  Some powers of attorney are limited in certain ways – if it is not clear from the document what the extent of the power is or if in doubt in relation to any other aspect, contact the Privacy Officer for advice.

Q.

A person telephones claiming to be the mother of a student and wishes to know the value of monies owed (eg library fine) for the student and how to pay it.

A.

Information about how to pay library fines is public information which can be sourced from places such as the University web-site. However, a student’s library fine status and the value of any fines, is personal information, subject to the Information Privacy Principles set out in the Privacy Act. Such information cannot be disclosed.

Q.

Our department requires further information from a student regarding their application for special consideration. Can we approach a student in the cafeteria to obtain this information?

A.

No. In these circumstances, collecting such sensitive information in such a manner, is too intrusive.

Q.

Can we attempt to contact a student about whom a third party phones to say that they haven’t heard from them for two weeks and they are worried?

A.

Yes.  The University has a duty of care for its students.  This may well be a legitimate concern.  We should not provide the student’s contact details to the third party, but we should take steps to contact the student and inform them of the concerns and give them the option of contacting the third party.

Q.

Can we provide the names, photos, email addresses and usernames of students in a particular subject to the relevant academic staff?

A.

A student’s University email address is regarded in the same way as a staff member’s work email address and it can be provided without seeking the formal consent of the student or staff member.  Relevant academic staff can be provided with students’ names and photos in this circumstance.  But students’ usernames are for them to gain access to the system and should not be provided.

Q.

A University graduate rings and asks for the home contact details of a former tutor she wishes to catch up with. Is this OK?

A.

No. The University should not disclose such information without consent as the information was not collected for this reason.

Q.

The University receives health information about a student through an application for special consideration. Can this information be used for any other purpose?

A.

No. The information should only be used by the University to assess special consideration and should not be disclosed to anyone not involved in that assessment or used for another purpose.

Q

A student from another University is enrolled in a subject at Melbourne. Can we use their student numbers from their home University?

A.

Yes. If they are necessary to run a program or subject efficiently.

Q.

Can we provide student log-in names to the hosts of an educational website that we want to subscribe to?

A.

No, not without the consent of the students.  In general, services and extra functions must be introduced with an “opt-in” system where people are asked if they would like to subscribe and where it is made clear what personal information will be provided and to what use it will be put.

Q.

Can we confirm the enrolment details of a student (past or present) in response to a telephone request from a newspaper journalist?

A.

No.  Enrolment details are for the purposes of the student’s education.  Whether they are a past or present student is irrelevant, as is the fact that it is a journalist asking for information.  This also illustrates a general point about telephone enquiries.  Personal information should not be given over the phone unless steps have been taken to verify the caller’s identity and it is permitted under the University’s privacy policy to provide the information.

Q.

Can a student centre leave a message with a prospective student’s parent, for example for more documentation?

A.

In general, we should deal directly with students and prospective students where possible.  If a student has given a particular phone number as their contact, and the phone is answered by someone other than them, the message should be that the student is asked to contact the relevant student centre.

Q.

Can students’ work be used for marketing and promotional purposes?

A.

Not without their consent.  The purposes of student work relate to their education – specifically assessment and qualification.  The purpose is not for the promotion of the University or a particular faculty or department.

Q.

Can we provide the names and work contact details of all staff to a company engaged by the University to conduct services?

A.

Yes.  Work contact details are regarded as public information. 

Q.

Following a workshop attended by University staff, can I send to participants the names and contact details of all other participants?

A.

This illustrates the importance of planning.  Ideally participants should be given the opportunity to provide their consent for this distribution before it happens, but generally this would be considered a legitimate secondary purpose, provided there was a sound reason for sharing the information (eg to allow further discussion or for ongoing participation in a working group etc).

Q.

Can personal information be shared among staff working in a business centre?

A.

Personal information may be used and disclosed only for the purposes for which it was collected and only when it is necessary to perform a relevant University function.  It may be quite legitimate for two staff members from different departments to have personal information about the same person if they are using it for a legitimate work function.  The Privacy Policy and IT Security Policy apply and under RDM, departments and business centres should have developed protocols to cover the sharing of information and its security.

Q.

Can the contact details of staff members be posted on the Department’s webpage ?

A.

As the posting of staff work contact details facilitates the employment of staff members it is permissible. It would not be reasonable, however, to post the personal contact details of staff members on the web. Such a disclosure would be in breach of the Act and the University’s privacy policy.

Q.

A University department gets a call from Student Administration wanting to know if a student is accessing a service, or has outstanding fees. Can we give out that information to Student Administration?

A.

Yes. Using the information in this way is a valid administrative purpose and one that is related to the primary purpose of collection and could be reasonably expected by the student.

Q.

A call is received from a researcher at another University. He is conducting research and wishes to obtain the personal details of all students who have graduated from a certain course, over a certain number of years. Can we disclose this?

A.

The University may disclose personal information if it is NECESSARY for research in some situations:

• it must be impracticable to seek the relevant individuals’ consent (in the eg given, it may well be practicable to seek consent eg write to students and enclose a letter from the researcher explaining what was proposed and seeking their involvement)
• the research must be in the public interest;
• publication of the research results must be in a form that does not identify a particular individual;
• the University must hold a reasonable belief that the researcher will not disclose the information (and may well require a written undertaking or agreement to this effect); and
• the University must establish the bona fides of the researcher.

Q.

A job applicant worked for a friend/colleague of mine.  The job applicant has not listed the friend/colleague as a referee.  Can I contact them for a reference?

A.

No.  The individual has not provided their consent for the University to contact that person.  Any such contact may be a breach of the Privacy Act.

Q.

A company contacts the University, wishing to verify a job applicant’s qualification. What can be revealed?

A.

The University would be permitted to disclose the qualifications of the individual, as information pertaining to an individual’s qualification is a matter of public record. The actual grades or marks obtained and subjects studied, however, must not be released.

Q.

During a job interview, if it becomes apparent that a person is of a certain religious or ethnic background, can this be noted?

A.

No. This information is sensitive information and cannot be collected without the consent of the individual concerned.

Q.

Can staff take home a portable hard disk or other electronic storage device including some files that contain personal information?

A.

Any personal information which is sourced at the University and used off-site is still covered by the University’s Privacy Policy.  Departments where this is a common or routine way of working, or who have a “work-from-home” arrangement, for example, should ensure that staff are aware of their privacy responsibilities and any relevant policy such as the IT Security Policy.

Q.

Can the University disclose information over the phone?

A.

Providing information over the phone is risky because of the difficulty in carrying out suitable security checks. Callers should be asked to seek information in writing wherever possible. If this is impractical, the Privacy Officer should be contacted for advice.

Q.

A University graduate rings and asks for the home contact details of a former tutor she wishes to catch up with.  Is this OK?

A.

No.  The University should not disclose such information without consent as the information was not collected for this reason.