|Monash home | About Monash | Faculties | Campuses | Courses | Contact Monash|
|Staff directory | A-Z index | Site map|
Conduct and Compliance Procedure - Privacy
Conduct and Compliance Policy
Monash University values the privacy of every individual’s personal and health information and is committed to protecting the information it holds and uses about all individuals who provide personal information to the university.
This procedure outlines how Monash University intends to handle personal and health information. Monash University is required to comply with a number of privacy laws operating throughout Australia, including the Information Privacy Act 2000 (Vic), the Health Records Act 2001 (Vic) ("Privacy Laws"). The Privacy Laws regulate how personal information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal. This procedure applies to any personal information or health information that a person provides to Australian campuses of Monash University.
The procedure is based on the following principles:
The Information Privacy Act 2000 (Vic) sets out ten information privacy principles (IPPs) and the Health Records Act 2001 (Vic) sets out 11 Health Privacy Principles (HPPs). These principles concern the way in which information is collected, used, disclosed, stored and disposed of.
Monash University has established a privacy regime that strives to:
This procedure explains Monash University’s approach towards protecting the privacy of an individual’s personal and health information.
Monash University Controlled Entities
Monash Controlled Entities are required to comply with two pieces of privacy legislation – the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic).
It is important to note that the Privacy Act 1988 and the Information Privacy Act 2000 are different pieces of legislation and whilst there are similarities, there are also differences.
All University staff and students and other individuals who transact with Australian campuses of the university.
The privacy laws that apply to Monash University arise from Victorian legislation. Consequently, the Conduct and Compliance Procedure - Privacy applies only to personal and health information that a person provides to Australian campuses of Monash University. Staff employed and students studying at Monash Malaysia or Monash South Africa should refer to local policies in relation to confidentiality or privacy.
Monash University Controlled Entities are required to comply with the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic).
1.1 Health Information: Personal Information or an opinion about
that is also Personal Information; or
1.2 Identifier: An identifying name or code (usually a number) assigned by an organisation to an individual in connection with their health information to uniquely identify that individual for the purposes of the operations of the organisation. This does not include an identifier that consists only of the individual’s name.
1.3 Personal Information: Information or an opinion (including information or an opinion forming part of a database) that is recorded in any form and whether true or not about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.
The Health Records Act excludes from its definition of personal information, information about anyone who has been dead for more than 30 years.
The Health Records Act includes information that is not recorded in a material form, the Information Privacy Act does not.
1.4 Primary Purpose: The purpose for which the information is collected. This covers the primary use and primary disclosure of the information. This should be what is necessary to discharge the function or undertake the activity.
1.5 Secondary Purpose: The secondary purpose for which the information is used or disclosed has to be connected or associated with the primary purpose. It must relate to the primary purpose for which it was collected. If sensitive information is involved, the secondary purpose has to be directly related to the primary purpose.
1.6 Sensitive Information: Information or an opinion about an individual’s-
that is also personal information.
2.0 Collection of personal information
2.1 To the extent required by the Privacy Laws:
2.2 When Monash University collects personal information directly from an individual (for example if a student enrols in a course), Monash University will take reasonable steps at or before the time of collection (or as soon as practicable thereafter) to ensure that the individual is aware of:
2.3 Monash University will collect personal information directly from an individual where it is reasonable and practicable to do so. Where Monash University collects information about an individual from a third party (for example if a student authorises a parent, spouse or partner to register for them on their behalf), Monash University will still take reasonable steps to ensure that the individual is made aware of the details set out above.
2.4 While Monash University generally collects personal or health information directly from the relevant individual, in some cases we may collect it from a third party, such as VTAC, another educational institution, an employment agency, a former employer, a contractor or a government authority such as Victoria Police.
2.5 The main functions of Monash University are to provide teaching and research services, together with ancillary services which may support students and staff in their study or work at the university. Some information needs to be collected by Monash University as the government requires the information, for example, for statistical purposes.
2.6 If an individual chooses not to provide the information requested, Monash University may not be able to provide services to that individual.
3.0 Use and disclosure of personal information
3.1 Monash University has a duty not to disclose staff and students’ personal and health information. To the extent required by the Privacy Laws, Monash University will only use or disclose personal information for a secondary purpose other than the primary purpose for which it was originally collected where:
4.0 Security and quality of personal information
4.1 Monash University is committed to ensuring that personal and health information is held securely. To the extent required by the Privacy Laws, Monash University will take reasonable steps to:
4.2 Personal information may be stored in hard copy documents, as electronic data, or in Monash University’s software or systems. Some of the ways Monash University seeks to protect personal information include the following:
4.3. Staff and students can help Monash University keep the personal information that it holds accurate, complete and up to date, by directly updating information on-line through the ESS or Callista systems for address and contact details, or by promptly notifying Monash HR (staff) or Student Services (students).
4.4 Contact details for the Privacy Officer are as follows:
5.0 Access to personal information
5.1 Monash University will, on request, from staff and students disclose to them documents it holds about them, unless there is an exemption that applies under the Freedom of Information Act 1982 (Vic) such as:
5.2 To make an application to access personal information, please contact the Freedom of Information Officer on (03) 9905 5137.
Students wishing to gain access to their student records may be permitted to do so by contacting the Manager of Student Administration. Requests for access should be made in writing to the Divisional Director, Manager of Student Administration, PO Box 3C, Monash University, Vic 3800.
5.3 If Monash University doesn’t provide a staff or student member with access, the staff or student member will be provided with written reasons for the refusal and informed of any exemptions relied upon.
5.4 Any request to provide information will be dealt with in a reasonable time (which will be no later than 45 days of receipt of a formal request) and Monash University may recover from a student or staff member the reasonable cost of accessing and supplying this information.
6.0 Commonwealth and State Government identifiers
6.1 Except to the extent permitted by the Privacy Laws, Monash University will not use Commonwealth or State government identifiers as its own identifier nor will it disclose such identifiers to anyone else.
6.2 Monash University will only assign identification numbers to individuals if the assignment of identifiers is reasonably necessary to enable it to carry out its functions efficiently. For example, both staff and student numbers are necessary to enable the University to carry out its functions.
7.1 Monash University will provide an individual with the option of not identifying who they are when it is lawful and practicable to do so. The nature of the business carried on by Monash University means that, generally, it is not possible for the university to provide services to student or staff members in an anonymous way.
8.0 Transborder data flows
8.1 Monash University may transfer your personal information interstate or overseas where it is necessary to do so, for example where a student studies or an employee works at an international campus. If Monash University transfers personal information outside Victoria, Monash University will comply with the relevant requirements of those Privacy Laws that relate to transborder data flows outside Victoria.
8.2 This stipulates that the recipient of the information must protect privacy of personal information to a similar standard as the Victorian IPPs.
9.0 Obligations of staff and students
9.1 When a staff or student member provides Monash University with personal and health information about other individuals, Monash University relies on that person to have made the other individuals aware:
If it is sensitive information, Monash University relies on the staff or student member to have obtained consent from other individuals for the above uses.
9.2 If a staff member collects, uses, discloses, stores or disposes of personal information on Monash University’s behalf, the staff member must meet the relevant requirements of the Information Privacy Principles set out in the Information Privacy Act 2000 and the Health Privacy Principles set out in the Health Records Act 2001. Staff members must only collect, use, disclose, store, or dispose of the information for the agreed purposes only.
10.0 Opting out of receiving material produced by Monash University
10.1 If a student or staff member does not wish to receive Monash University’s publications, then the student or staff member can opt out by sending an email to Monash University’s Privacy Officer on firstname.lastname@example.org or by contacting Monash University’s Privacy Officer on 03 9902 9589.
11.0 How to contact Monash University regarding privacy issues
11.1 If a student or staff member has any privacy issues that he or she would like considered by Monash University, the person may contact the Privacy Co-ordinator within their faculty/divisional unit. The Privacy Co-ordinator will look into the complaint and report back to the person who raised the issue with what action, if any, Monash will take in response to the complaint. The Privacy Co-ordinator will also indicate what action, if any, Monash University will take to rectify the situation.
11.2 If the student or staff member is not satisfied with the response of the Privacy Co-ordinator, the student or staff member can provide a written complaint to Monash University’s Privacy Officer for consideration. The Privacy Officer will conduct an investigation and will report back to the person who raised the issue and his or her view of whether there has been a breach of this procedure. The Privacy Officer will also indicate what action, if any, Monash University will take to address the breach.
11.3 If a member of the public has an issue he or she would like considered then the member of the public should contact the Privacy Officer directly.
12.0 Breach of this procedure
12.1 If a staff member breaches this procedure, depending on the circumstances it may be regarded as misconduct or unsatisfactory performance of their duties and may result in action being taken in accordance with the provisions set out in the applicable Monash University enterprise agreement or contract of employment.
13.0 Change of procedure
13.1 Monash University may change this Conduct and Compliance Procedure – Privacy from time to time without prior notice.
15.0 Related Procedures
16.0 Related Documents
17.0 Related Enterprise Agreement Clauses
18.0 Related Forms
19.0 Further information and assistance
19.1 Adherence to this procedure will generally ensure compliance with University requirements and legislation. However, there may be instances where inadvertent breaches could occur. When in doubt users requiring assistance with interpretation of the procedure, or who wish to report an incident, should contact:
All University staff including adjunct and honorary appointees of the University should be aware of, read, understand and comply with this procedure. Whilst there are some differences between the state and federal privacy legislation, staff of Monash controlled entities should also be aware of, read and understand and comply with this procedure. Further advice should be sought regarding specifics under federal legislation.