
Privacy Policy

For Use by all University Staff and Students at Australian Campuses

Policy Statement

Monash University values the privacy of every individual's personal and health information and is committed to protecting the information it holds and uses about all individuals who provide personal information to the university.
This policy outlines how Monash University intends to handle personal and health information. Monash University is required to comply with a number of privacy laws operating throughout Australia, including the Information Privacy Act 2000 (Vic) and the Health Records Act 2001 (Vic) ("Privacy Laws"). The Privacy Laws regulate how personal information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal. This policy applies to any personal information or health information that a person provides to Australian campuses of Monash University.

Principles

The policy is based on the following principles:

  • Monash University supports responsible and transparent handling of information;
  • Monash University respects an individual's right to know how his or her personal information will be used, stored and disposed of; and
  • It is a necessary condition for Monash University to participate in global e-communications and e-transactions.

Broad Overview

The Information Privacy Act 2000 (Vic) sets out ten information privacy principles (IPPs) and the Health Records Act 2001 (Vic) sets out 11 Health Privacy Principles (HPPs). These principles concern the way in which information is collected, used, handled, disclosed and disposed of.
Monash University has established a privacy regime that strives to:

  • Promote an understanding and acceptance of the privacy principles and their objectives throughout the university community
  • Educate people within the university about information privacy
  • Handle any complaints received in an efficient and appropriate manner
  • Monitor privacy compliance and keep the university informed of updates to procedures

This policy explains Monash University's approach towards protecting the privacy of an individual's personal and health information.

Application

All University staff and students and other individuals who transact with Australian campuses of the university.
The privacy laws arise from Victorian legislation. Consequently, the Monash University Privacy Policy applies only to personal information that a person provides to Australian campuses of Monash University. Students studying at Monash Malaysia or Monash South Africa should refer to local policies in relation to confidentiality or privacy.

Operative Date

Operative from first full pay period to commence on or after 30 August 2002

Policy Authorisation

Vice-President Administration

Policy Administrator

Director, Organisational Development & Policy

Detailed policy

1.0 Definitions

1.1 Health Information: Personal Information or an opinion about

  • the physical, mental or psychological health (at any time) of an individual
  • a disability (at any time) of an individual
  • an individual's expressed wishes about the future provision of health services to him or her
  • a health service provided or to be provided to an individual
    and also includes
  • other personal information collected to provide or in providing, a health service
  • other personal information about an individual collected in connection with the donation or intended donation by the individual of his or her body parts, organs or body substances
  • other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants

1.2 Identifier: An identifying name or code (usually a number) assigned by an organisation to an individual to uniquely identify that individual for the purposes of the operations of the organisation. This does not include an identifier that consists only of the individual's name.
1.3 Personal information: Information or an opinion (including information or an opinion forming part of a database) that is recorded in any form and whether true or not about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

  • The Health Records Act excludes from its definition of personal information, information about anyone who has been dead for more than 30 years.
  • The Health Records Act includes information that is not recorded in a material form.

1.4 Primary purpose: A primary purpose is one for which the individual concerned would expect their information to be used. Using the information for this purpose would be within their reasonable expectations.
1.5 Secondary purpose: A secondary purpose may or may not be apparent to the individual concerned, or within their reasonable expectations. Collecting the information may be mandatory (because required by law) or optional. The main distinction is that the service could still be provided even if the secondary purpose were not served.
1.6 Sensitive information: Information or an opinion about an individual's-

  • Racial or ethnic origin
  • Political opinions
  • Membership of a political association
  • Religious beliefs or affiliations
  • Philosophical beliefs
  • Membership of a professional or trade association
  • Membership of a trade union
  • Sexual preferences or practices
  • Criminal record
    that is also personal information.

2.0 Issues Addressed

Collection of personal information

2.1 To the extent required by the Privacy Laws:

  • Monash University will not collect personal information about an individual unless that information is necessary for one or more of its functions.
  • Monash University will collect personal information about an individual only by lawful and fair means and not in an unreasonably intrusive manner.

2.2 When Monash University collects personal information directly from an individual (for example if a student enrols in a course), Monash University will take reasonable steps at or before the time of collection to ensure that:

  • the individual is aware of certain key matters, such as the purposes for which Monash University is collecting the information;
  • the organisations (or types of organisations) to which Monash University would normally disclose information of that kind;
  • the fact that the individual is able to access the information; and
  • how to contact Monash University.

2.3 Monash University will collect personal information directly from an individual where it is reasonable and practicable to do so. Where Monash University collects information about an individual from a third party (for example if a student authorises a parent, spouse or partner to register for them on their behalf), Monash University will still take reasonable steps to ensure that the individual is made aware of the details set out above.
2.4 While Monash University generally collects personal or health information directly from the relevant individual, in some cases we may collect it from a third party, such as VTAC, a temporary employment agency or a contractor.
2.5 The main functions of Monash University are to provide teaching and research services, together with ancillary services which may support students and staff in their study or work at the university. Some information needs to be collected by Monash University as the government requires the information for statistical purposes.
2.6 If an individual chooses not to provide the information requested, Monash University may not be able to provide services to that individual.

3.0 Use and disclosure of personal information

3.1 Monash University has a duty to maintain the confidentiality of staff and students' personal and health information. To the extent required by the Privacy Laws, Monash University will only use or disclose personal information for a secondary purpose other than the primary purpose for which it was originally collected where:

  • the secondary purpose is related to the primary purpose (or is directly related, in the case of sensitive information or health information), and a person would reasonably expect Monash University to use or disclose the personal information for that secondary purpose; or
  • a person has consented to the use or disclosure of their personal information for the secondary purpose; or
  • the use or disclosure is required or authorised by or under law; or
  • the use or disclosure is otherwise permitted by the Privacy Laws.

4.0 Quality Data

Security and quality of personal information

4.1 Monash University is committed to ensuring that personal information is held securely. To the extent required by the Privacy Laws, Monash University will take reasonable steps to:

  • ensure that any personal information Monash University collects, uses and discloses is accurate, complete and up to date;
  • protect the personal information that Monash University holds from misuse, loss, unauthorised access, modification or disclosure; and
  • destroy or permanently de-identify personal information when required by the Privacy Laws.

4.2 Personal information may be stored in hard copy documents, as electronic data, or in Monash University's software or systems. Some of the ways Monash University seeks to protect personal information include the following:

  • confidentiality requirements on the use of information by Monash University's staff members
  • policies on document storage and security
  • security measures for access to Monash University's computer systems
  • controlling access to Monash University's premises
  • web site protection measures.

4.3 Staff and students can help Monash University keep the personal information that it holds accurate, complete and up to date, by directly updating information on-line through the SAP or Calista systems for address and contact details, or by promptly notifying Student and Staff Services, or alternatively by submitting an amendment form to the Privacy Officer.
4.4 Contact details for the Privacy Officer are as follows:
Privacy Officer
Human Resources Division
PO Box 92
Monash University, Victoria 3800
Email: privacyofficer@adm.monash.edu.au
Phone: 03 9905 6011
Fax: 03 9905 6351

5.0 Access to Personal Information

5.1 Monash University will, on request, provide staff and students with access to information it holds about them, unless there is an exception that applies under the Information Privacy Principles or Health Privacy Principles such as:

  • access would pose a serious threat to the life or health of any individual;
  • access would have an unreasonable impact on the privacy of others;
  • the request is frivolous or vexatious;
  • the information relates to a commercially sensitive decision-making process;
  • access would be unlawful or denying access is required or authorised by law (e.g. Monash University has a duty of confidentiality and will not provide access to personal information about you if it will breach that duty);
  • access would prejudice enforcement activities relating to criminal activities and other breaches of law, public revenue, a security function, or negotiations with the individual; or
  • the information is to be used for legal dispute resolution proceedings.

5.2 To make an application for formal access to your personal information, please contact the Freedom of Information Officer (FOI) in writing at Executive Services, Building 3A, Monash University VIC 3800.
Students wishing to gain access to their student record may be permitted to do so by the Manager of Student Administration. Requests for access should be made in writing to the Manager, Student Administration, PO Box 3C, Monash University, Vic 3800.
5.3 If Monash University doesn't provide a staff or student member with access, the staff or student member will be provided with written reasons for the refusal and informed of any exceptions relied upon.
5.4 Any request to provide information will be dealt with in a reasonable time and Monash University may recover from a student or staff member the reasonable cost of accessing and supplying this information.

6.0 Commonwealth and State Government Identifiers

6.1 Except to the extent permitted by the Privacy Laws, Monash University will not use Commonwealth or State government identifiers as its own identifier nor will it disclose such identifiers to anyone else.
6.2 Monash University will only assign identification numbers to individuals if the assignment of identifiers is reasonably necessary to enable it to carry out its functions efficiently. For example, both staff and student numbers are necessary to enable Monash University to carry out its functions.

7.0 Anonymity

7.1 Monash University will provide an individual with the option of not identifying who they are when it is lawful and practicable to do so. The nature of the business carried on by Monash University means that, generally, it is not possible for the university to provide services to student or staff members in an anonymous way.

8.0 Transborder Data Flows

8.1 Monash University may transfer your personal information overseas where it is necessary to do so, for example where a student studies or a staff member works at an international campus. If Monash University transfers personal information outside Victoria, Monash University will comply with the relevant requirements of those Privacy Laws that relate to transborder data flows outside Victoria.
8.2 These requirements stipulate that the recipient of the information must protect the privacy of personal information to a similar standard as the Victorian IPPs.

9.0 Obligations of Staff and Students

9.1 When a staff or student member provides Monash University with personal and health information about other individuals, Monash University relies on that person to have made the other individuals aware:

  • That their information will or may be provided to Monash University
  • Of the types of third parties to whom Monash University may provide that information,
  • Of the relevant purposes of the information, and
  • how they can access it.

If it is sensitive information Monash University relies on the staff or student member to have obtained consent from the other individuals to the above uses.
9.2 If a staff member collects, uses, discloses or handles personal information on Monash University's behalf, the staff member must meet the relevant requirements of the Information Privacy Principles set out in the Information Privacy Act 2000 and the Health Privacy Principles set out in the Health Records Act 2001. Staff members must collect, handle, use, disclose and store the information for the agreed purposes only.

10.0 University communication with students and staff members

How to contact Monash University regarding receipt of University communications or publications
10.1 In order for Monash University to undertake its core functions and to comply with legislative reporting requirements, students and staff members may be contacted by the University from time to time via email, telephone and in writing. If a student or staff member would like to discuss the receipt of a University communication or publication, they should contact the Monash University Privacy Officer via email: privacyofficer@adm.monash.edu.au.

11.0 Contacting and/or Complaining to Monash University About Its Privacy Practices

How to contact Monash University regarding privacy issues

11.1 If a student or staff member has any privacy issues that he or she would like considered by Monash University, the person may contact the Privacy Co-ordinator within their faculty/divisional unit. The Privacy Co-ordinator will undertake a preliminary investigation of the issue and report back to the person who raised the issue, his or her view of whether there has been a breach of this policy or one or more of the Information Privacy Principles or Health Privacy Principles. The Privacy Co-ordinator will also indicate what action, if any, Monash University will take to rectify the situation.
11.2 If the student or staff member is not satisfied with the response of the Privacy Co-ordinator, the student or staff member can complete a Complaint Form attached to this policy and send it to Monash University's Privacy Officer for consideration. The Privacy Officer will conduct a further investigation and will report back to the person who raised the issue, his or her view of whether there has been a breach of this policy or one or more of the Information Privacy Principles or Health Privacy Principles. The Privacy Officer will also indicate what action, if any, Monash University will take to rectify the situation.
11.3 If a member of the public has an issue he or she would like considered then the member of the public should contact the Privacy Officer directly.

12.0 Disciplinary Action

Breach of this policy

12.1 If a staff member breaches this policy, depending on the circumstances it may be regarded as misconduct or poor performance and this may result in action being taken in accordance with the provisions set out in the Monash University enterprise agreement or, where applicable, the provisions of the relevant AWA Terms and Benefits Policy.

13.0 Change of Policy

13.1 Monash University may change this Privacy Policy from time to time without prior notice.

Relevant Australian Legislation, Policies and Associated Documentation

14.0 Legislation

  • Information Privacy Act 2000 (Vic)
  • Health Records Act 2001 (Vic)
  • Freedom of Information Act 1982 (Vic)
  • Privacy Amendment (Private Sector) Act 2000

15.0 Associated Policies and Legislation (Including Guidelines & Procedures)

Associated documentation

16.0 Further Information and Assistance

16.1 Adherence to this policy will generally ensure compliance with University requirements and legislation. However, there may be instances where inadvertent breaches could occur. When in doubt, users who require assistance with interpretation of the policy, or who wish to report an incident, should contact:

  • The Privacy Officer on extension 56011
  • Organisational Development & Policy Group, Human Resources Division, on extension 560936
  • The University Solicitor's Office on extension 55126.

16.2 For more information on privacy see the Victorian Privacy Commissioner's website or the Office of the Health Services Commissioner.