|Monash home | About Monash | Faculties | Campuses | Courses | Contact Monash|
|Staff directory | A-Z index | Site map|
Conduct and Compliance Procedure - Privacy
The main functions of Monash University are to provide education and conduct research, together with ancillary activities to support students and staff in their study or work at the University and ensure the ongoing effective operation of the University. Personal and health information is collected to enable Monash University to conduct these activities. Information is also collected by Monash University where the government requires the information, for example, for statistical analysis and reporting purposes.
Monash University values the privacy of individual personal and health information and is committed to the protection of personal, sensitive and health information it holds.
This procedure outlines how Monash University handles personal and health information to comply with applicable privacy legislation. It also directs staff on the responsible collection and handling of personal information. The procedure is based on the following principles:
Monash University has established a privacy regime that strives to:
This procedure covers all personal and health information held by an Australian campus of Monash University and Monash University controlled entities in Australia.
Staff employed and students studying at Monash University Malaysia should refer to local policies in relation to confidentiality or privacy.
Monash University is required to comply with a number of privacy laws operating throughout Australia, including the Privacy and Data Protection Act 2014 (Vic), the Health Records Act 2001 (Vic) and Monash University Controlled Entities (such as Monash College) are required to comply with the Privacy Act 1988 (Cth), together referred to as the "Privacy Laws". The Privacy Laws regulate how personal information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal.
The Privacy and Data Protection Act 2014 (Vic) sets out 10 information privacy principles (IPPs) and the Health Records Act 2001 (Vic) sets out 11 Privacy Principles (HPPs). The Privacy Act 1988 (Cth) sets out 13 Australian Privacy Principles. The manner in which Monash University addresses these principles is available at Privacy at Monash.
The Privacy and Data Protection Act 2014 (Vic) and Privacy Act 1988 do not apply to personal information of a person who is deceased. The Health Records Act 2001 continues to apply to health information of a deceased person for 30 years after their death.
These procedures are to be read with references to Monash University to be references to Monash College, where procedures are adopted by Monash College.
1.1 Health Information: personal information or an opinion including information that is not recorded in material form about:
1.2 Identifier: an identifying name or code (usually a number) assigned by an organisation to an individual in connection with their personal or health information to uniquely identify that individual for the purposes of the operations of the organisation. This does not include an identifier that consists only of the individual’s name.
1.3 Personal Information: information or an opinion (including information or an opinion forming part of a database) that is recorded in any form and whether true or not about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Personal information includes sensitive information. For the purposes of the Privacy Act 1988 (Cth) the personal information does not have to be in a recorded form.
1.4 Primary Purpose: the purpose for which the information is collected. This covers the primary use and primary disclosure of the information. This should be what is necessary to discharge the function or undertake the activity.
1.5 Secondary Purpose: the secondary purpose for which the information is used or disclosed has to be connected or associated with the primary purpose. It must relate to the primary purpose for which it was collected. If sensitive information is involved, the secondary purpose has to be directly related to the primary purpose.
1.6 Sensitive Information: personal information or an opinion about an individual’s:
2.0 Collection of personal information
2.1 To the extent required by the Privacy Laws:
2.2 When Monash University collects personal information directly from an individual (for example if a student enrols in a course), Monash University will take reasonable steps at or before the time of collection (or as soon as practicable thereafter) to ensure that the individual is aware of:
2.3 Monash University will collect personal information directly from an individual where it is reasonable and practicable to do so. Where Monash University collects information about an individual from a third party (for example if a student authorises a parent, spouse or partner to deal with Monash University on their behalf), Monash University will still take reasonable steps to ensure that the individual is made aware of the details set out above.
2.4 While Monash University generally collects personal or health information directly from the relevant individual, in some cases we may collect it from a third party, such as Victorian Tertiary Admissions Centre (VTAC), another educational institution, an employment agency, a former employer, a contractor or a government authority such as Victoria Police.
2.6 If an individual chooses not to provide the information requested, Monash University may not be able to provide services to that individual.
3.0 Kinds of personal information collected
Personal information is collected relative to the relationship the individual has with the University. For staff, the personal health information relates to the employment of the individual. For students, the personal and health information relates to the candidature of the individual as a student of Monash University. Members of the public personal information may be collected in the course of addressing inquiries and requests. For further information refer to the Privacy Collection Statements.
4.0 Purpose of collection, holding, use and disclosure of personal information
Monash University must not collect, hold use or disclose personal and health information except as permitted by the Privacy Laws. The purposes for collection are outlined in the privacy collection statement. Monash University will use and disclose personal and health information for the primary purposes for which it was collected. Monash University may also use or disclose personal information for a secondary purpose where:
5.0 Data security and the quality of personal information
5.1 Monash University is committed to ensuring that personal and health information is held securely. To the extent required by the Privacy Laws, Monash University will take reasonable steps to:
5.2 Personal information may be stored in hard copy documents, as electronic data, or in Monash University’s software or systems until it is securely destroyed according to timeframes in the Public Records Act, Monash University document retention procedures or when no longer required by Monash University. Some of the ways Monash University seeks to protect personal information include the following:
5.3. Personal information may be corrected as explained in 6.0 below.
6.0 Access to and correction of personal information
6.1 Students and staff can help Monash University keep the personal information that it holds accurate, complete and up to date, by directly updating information on-line through the Web Enrolment System (WES) or Employee Self Service (ESS) systems for address and contact details.
6.2 A person is not able to access these systems may ask for personal information held by Monash University to be corrected by request to the person nominated in the policy referred to in 6.3 below.
6.3 Monash University has policies for the provision of access to information held about an individual. For students, refer to the Privacy of Student Records. For staff, refer to the Freedom of Information Policy. For students and staff seeking wider access, and for other persons, refer to the Freedom of Information Policy.
7.0 Use of identifiers
7.1 Except to the extent permitted by the Privacy Laws, Monash University will not use Commonwealth or State government identifiers as its own identifier nor will it disclose such identifiers.
7.2 Monash University will only assign an identifier (such as staff or student ID numbers) where this is reasonably necessary to enable it to carry out its functions efficiently.
8.1 Monash University will provide an individual with the option of not identifying who they are or using a pseudonym when it is lawful and practicable to do so. The nature of the activities conducted by Monash University means that, generally, it is not possible for the University to deal with a student or staff member anonymously or using a pseudonym.
9.0 Flows of personal information outside Victoria or (for controlled entities) outside Australia
9.1 Monash University may transfer your personal information interstate or overseas where it is necessary for the operation of the University or to facilitate the activities of an individual conducted at or thorough the University. For example, where a student studies and an employee works at an international campus, or to utilise the services of contracted service providers, such as cloud based IT service providers that operate servers outside Victoria. Where Monash University transfers personal information outside Victoria, it complies with the requirements of the Privacy Laws for personal information flows outside Victoria.
9.2 This involves Monash University:
10.0 Obligations of staff and students
10.1 Where a staff member collects, uses, discloses, stores or disposes of personal information on behalf of Monash University, the staff member must meet the requirements of the Privacy Laws by implementing these procedures. Staff members must only collect, use, disclose, store, or dispose of the information in accordance with these procedures and Privacy Laws.
10.2 Where a staff member receives unsolicited personal information the following should occur:
11.0 Opting out of receiving material produced by Monash University
11.1 If a student or staff member does not wish to receive Monash University’s communications, the student or staff member can opt out by sending an email to Monash University’s Privacy Officer on firstname.lastname@example.org or by utilising the unsubscribe options on the specific publication. However, some communications are not optional and must continue to enable the University to effectively provide education, teaching, research or employment.
12.0 How to raise a concern or make a complaint about a privacy issue
12.1 If a student or staff member has a privacy issue or concern that he or she would like to discuss, the person may contact the Privacy Co-ordinator within their faculty/divisional unit. The Privacy Co-ordinator will look into the matter and provide a response to the person who raised the issue. Complaints for a breach of privacy should be raised in the first instance with the Privacy Co-ordinator who will seek to resolve the matter and advise the individual what action, if any, Monash University will take to resolve the complaint.
12.2 If the student or staff member is not satisfied with the response of the Privacy Co-ordinator, the student or staff member can provide a written complaint to Monash University’s Privacy Officer. The Privacy Officer will conduct an investigation and will respond to the person who raised the issue with a decision. The Privacy Officer will also advise on action taken on the complaint including the outcome of any investigation conducted by or on behalf of the Privacy Officer.
12.3 A member of the public should contact the Privacy Officer directly with any privacy issues he or she would like considered at:
13.0 Further information and assistance
13.1 Adherence to this procedure will generally ensure compliance with university requirements and legislation. However, there may be instances where inadvertent breaches could occur. When in doubt, users requiring assistance with interpretation of the procedure, or who wish to report an incident, should contact:
14.0 Breach of this procedure
14.1 If a staff member breaches this procedure, depending on the circumstances it may be regarded as misconduct or unsatisfactory performance of their duties and may result in action being taken in accordance with the provisions set out in the applicable Monash University enterprise agreement or contract of employment.
15.0 Change of procedure
Monash University may change this Conduct and Compliance Procedure – Privacy from time to time without prior notice.
All university staff including adjunct and honorary appointees of the University are responsible for being aware of and complying with this procedure. Whilst there are some differences between the state and federal privacy legislation, staff of Monash controlled entities should also be aware of and comply with this procedure.
The Students are responsible for being aware of and complying with this procedure and updating details when requested.
The Privacy Co-ordinators are responsible for:
The Privacy Officer is responsible for:
Related Enterprise Agreement Clauses