Conduct and Compliance Procedure - Privacy

Parent policy

Conduct and Compliance Policy

Preamble

Monash University values the privacy of every individual’s personal and health information and is committed to protecting the information it holds and uses about all individuals who provide personal information to the university.

This procedure outlines how Monash University intends to handle personal and health information. Monash University is required to comply with a number of privacy laws operating throughout Australia, including the Information Privacy Act 2000 (Vic), the Health Records Act 2001 (Vic) ("Privacy Laws"). The Privacy Laws regulate how personal information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal. This procedure applies to any personal information or health information that a person provides to Australian campuses of Monash University.

The procedure is based on the following principles:

• Monash University supports responsible and transparent handling of personal information;
• Monash University respects an individual’s right to know how his or her personal information will be collected, used, disclosed, stored and disposed of; and
• it is a necessary condition for Monash University to participate in global e-communications and e-transactions.

Board Overview

Monash University

The Information Privacy Act 2000 (Vic) sets out ten information privacy principles (IPPs) and the Health Records Act 2001 (Vic) sets out 11 Health Privacy Principles (HPPs). These principles concern the way in which information is collected, used, disclosed, stored and disposed of.

Monash University has established a privacy regime that strives to:

• ensure that the university and its staff comply with the privacy laws
• promote an understanding and acceptance of the privacy principles and their objectives throughout the university community
• educate people within the university about information privacy
• handle complaints received in an efficient and appropriate manner
• monitor privacy compliance and keep the university informed of updates to procedures.

This procedure explains Monash University’s approach towards protecting the privacy of an individual’s personal and health information.

Monash University Controlled Entities

Monash Controlled Entities are required to comply with two pieces of privacy legislation – the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic).

It is important to note that the Privacy Act 1988 and the Information Privacy Act 2000 are different pieces of legislation and whilst there are similarities, there are also differences.

Application

All University staff and students and other individuals who transact with Australian campuses of the university.

The privacy laws that apply to Monash University arise from Victorian legislation. Consequently, the Conduct and Compliance Procedure - Privacy applies only to personal and health information that a person provides to Australian campuses of Monash University. Staff employed and students studying at Monash Malaysia or Monash South Africa should refer to local policies in relation to confidentiality or privacy.

Monash University Controlled Entities are required to comply with the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic).

1.0 Definitions

1.1 Health Information: Personal Information or an opinion about

• 15.0 the physical, mental or psychological health (at any time) of an individual
• 16.0 a disability (at any time) of an individual
• 17.0 an individual’s expressed wishes about the future provision of health services to him or her
• 18.0 a health service provided or to be provided to an individual

that is also Personal Information; or

• other personal information collected to provide, or in providing, a health service
• other personal information about an individual collected in connection with the donation or intended donation by the individual of his or her body parts, organs or body substances
• other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendents

1.2 Identifier: An identifying name or code (usually a number) assigned by an organisation to an individual in connection with their health information to uniquely identify that individual for the purposes of the operations of the organisation. This does not include an identifier that consists only of the individual’s name.

1.3 Personal Information: Information or an opinion (including information or an opinion forming part of a database) that is recorded in any form and whether true or not about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.

The Health Records Act excludes from its definition of personal information, information about anyone who has been dead for more than 30 years.

The Health Records Act includes information that is not recorded in a material form, the Information Privacy Act does not.

1.4 Primary Purpose: The purpose for which the information is collected. This covers the primary use and primary disclosure of the information. This should be what is necessary to discharge the function or undertake the activity.

1.5 Secondary Purpose: The secondary purpose for which the information is used or disclosed has to be connected or associated with the primary purpose. It must relate to the primary purpose for which it was collected. If sensitive information is involved, the secondary purpose has to be directly related to the primary purpose.

1.6 Sensitive Information: Information or an opinion about an individual’s-

• Racial or ethnic origin
• Political opinions
• Membership of a political association
• Religious beliefs or affiliations
• Philosophical beliefs
• Membership of a professional or trade association
• Membership of a trade union
• Sexual preferences or practices
• Criminal record

that is also personal information.

2.0 Collection of personal information

2.1 To the extent required by the Privacy Laws:

• Monash University will not collect personal information about an individual unless that information is necessary for one or more of its functions or activities.
• Monash University will collect personal information about an individual only by lawful and fair means and not in an unreasonably intrusive manner.

2.2 When Monash University collects personal information directly from an individual (for example if a student enrols in a course), Monash University will take reasonable steps at or before the time of collection (or as soon as practicable thereafter) to ensure that the individual is aware of:

• certain key matters, such as the purposes for which Monash University is collecting the information;
• the organisations (or types of organisations) to which Monash University would normally disclose information of that kind;
• the fact that the individual is able to access the information;
• how to contact Monash University;
• any law requiring the collection; and
• the main consequences for the individual if the information is not provided.

2.3 Monash University will collect personal information directly from an individual where it is reasonable and practicable to do so. Where Monash University collects information about an individual from a third party (for example if a student authorises a parent, spouse or partner to register for them on their behalf), Monash University will still take reasonable steps to ensure that the individual is made aware of the details set out above.

2.4 While Monash University generally collects personal or health information directly from the relevant individual, in some cases we may collect it from a third party, such as VTAC, another educational institution, an employment agency, a former employer, a contractor or a government authority such as Victoria Police.

2.5 The main functions of Monash University are to provide teaching and research services, together with ancillary services which may support students and staff in their study or work at the university. Some information needs to be collected by Monash University as the government requires the information, for example, for statistical purposes.

2.6 If an individual chooses not to provide the information requested, Monash University may not be able to provide services to that individual.

3.0 Use and disclosure of personal information

3.1 Monash University has a duty not to disclose staff and students’ personal and health information. To the extent required by the Privacy Laws, Monash University will only use or disclose personal information for a secondary purpose other than the primary purpose for which it was originally collected where:

• the secondary purpose is related to the primary purpose (or is directly related, in the case of sensitive information or health information), and a person would reasonably expect Monash University to use or disclose the personal information for that secondary purpose; or
• a person has consented to the use or disclosure of their personal information for the secondary purpose; or
• the use or disclosure is required or authorised by or under law; or
• the use or disclosure is otherwise permitted by the Privacy Laws.

4.0 Security and quality of personal information

4.1 Monash University is committed to ensuring that personal and health information is held securely. To the extent required by the Privacy Laws, Monash University will take reasonable steps to:

• ensure that any personal information Monash University collects, uses and discloses is accurate, complete and up to date;
• protect the personal information that Monash University holds from misuse, loss, unauthorised access, modification or disclosure: and
• destroy or permanently de-identify personal information when required by the Privacy Laws.

4.2 Personal information may be stored in hard copy documents, as electronic data, or in Monash University’s software or systems. Some of the ways Monash University seeks to protect personal information include the following:

• confidentiality requirements on the use of information by Monash University’s employees
• policies on document storage and security
• security measures for access to Monash University’s computer systems
• controlling access to Monash University’s premises
• web site protection measures.

4.3. Staff and students can help Monash University keep the personal information that it holds accurate, complete and up to date, by directly updating information on-line through the ESS or Callista systems for address and contact details, or by promptly notifying Human Resources (staff) or Student Services (students).

4.4 Contact details for the Privacy Officer are as follows:

Privacy Officer
Human Resources Division
PO Box 92
Monash University, Victoria 3800
Email: privacyofficer@adm.monash.edu.au
Phone: 03 9902 9589
Fax: 03 9902 9591

5.0 Access to personal information

5.1 Monash University will, on request, from staff and students disclose to them documents it holds about them, unless there is an exemption that applies under the Freedom of Information Act 1982 (Vic) such as:

• the document contains health information and disclosure would pose a serious threat to the life or health of the person ;
• disclosure would have an unreasonable impact on the personal affairs of others;
• the request is frivolous or vexatious;
• the document is of a business, commercial or financial nature and disclosure would be likely to expose the university unreasonably to a disadvantage;
• disclosure would prejudice enforcement activities or the proper administration of the law;
• the document is subject to legal professional privilege; or
• the document contains matters communicated in confidence to the university and disclosure is contrary to the public interest because it is reasonably likely to impair the ability to obtain such information in future.

5.2 To make an application to access personal information, please contact the Freedom of Information Officer on (03) 9905 5137.

Students wishing to gain access to their student records may be permitted to do so by contacting the Manager of Student Administration. Requests for access should be made in writing to the Divisional Director, Manager of Student Administration, PO Box 3C, Monash University, Vic 3800.

5.3 If Monash University doesn’t provide a staff or student member with access, the staff or student member will be provided with written reasons for the refusal and informed of any exemptions relied upon.

5.4 Any request to provide information will be dealt with in a reasonable time (which will be no later than 45 days of receipt of a formal request) and Monash University may recover from a student or staff member the reasonable cost of accessing and supplying this information.

6.0 Commonwealth and State Government identifiers

6.1 Except to the extent permitted by the Privacy Laws, Monash University will not use Commonwealth or State government identifiers as its own identifier nor will it disclose such identifiers to anyone else.

6.2 Monash University will only assign identification numbers to individuals if the assignment of identifiers is reasonably necessary to enable it to carry out its functions efficiently. For example, both staff and student numbers a

7.0 Anonymity

7.1 Monash University will provide an individual with the option of not identifying who they are when it is lawful and practicable to do so. The nature of the business carried on by Monash University means that, generally, it is not possible for the university to provide services to student or staff members in an anonymous way.

8.0 Transborder data flows

8.1 Monash University may transfer your personal information interstate or overseas where it is necessary to do so, for example where a student studies or an employee works at an international campus. If Monash University transfers personal information outside Victoria, Monash University will comply with the relevant requirements of those Privacy Laws that relate to transborder data flows outside Victoria.

8.2 This stipulates that the recipient of the information must protect privacy of personal information to a similar standard as the Victorian IPPs.

9.0 Obligations of staff and students

9.1 When a staff or student member provides Monash University with personal and health information about other individuals, Monash University relies on that person to have made the other individuals aware:

• that their information will or may be provided to Monash University,
• of the types of third parties to whom Monash University may provide that information,
• of the relevant purposes for which Monash University may use or disclose the information, and
• how they can access it.

If it is sensitive information, Monash University relies on the staff or student member to have obtained consent from other individuals for the above uses.

9.2 If a staff member collects, uses, discloses, stores or disposes of personal information on Monash University’s behalf, the staff member must meet the relevant requirements of the Information Privacy Principles set out in the Information Privacy Act 2000 and the Health Privacy Principles set out in the Health Records Act 2001. Staff members must only collect, use, disclose, store, or dispose of the information for the agreed purposes only.

10.0 Opting out of receiving material produced by Monash University

10.1 If a student or staff member does not wish to receive Monash University’s publications, then the student or staff member can opt out by sending an email to Monash University’s Privacy Officer on privacyofficer@adm.monash.edu.au or by contacting Monash University’s Privacy Officer on 03 9902 9589.

11.0 How to contact Monash University regarding privacy issues

11.1 If a student or staff member has any privacy issues that he or she would like considered by Monash University, the person may contact the Privacy Co-ordinator within their faculty/divisional unit. The Privacy Co-ordinator will look into the complaint and report back to the person who raised the issue with what action, if any, Monash will take in response to the complaint. The Privacy Co-ordinator will also indicate what action, if any, Monash University will take to rectify the situation.

11.2 If the student or staff member is not satisfied with the response of the Privacy Co-ordinator, the student or staff member can provide a written complaint to Monash University’s Privacy Officer for consideration. The Privacy Officer will conduct an investigation and will report back to the person who raised the issue and his or her view of whether there has been a breach of this procedure. The Privacy Officer will also indicate what action, if any, Monash University will take to address the breach.

11.3 If a member of the public has an issue he or she would like considered then the member of the public should contact the Privacy Officer directly.

12.0 Breach of this procedure

12.1 If a staff member breaches this procedure, depending on the circumstances it may be regarded as misconduct or unsatisfactory performance of their duties and may result in action being taken in accordance with the provisions set out in the applicable Monash University enterprise agreement or contract of employment.

13.0 Change of procedure

13.1 Monash University may change this Conduct and Compliance Procedure – Privacy from time to time without prior notice.

14.0 Legislation

• Information Privacy Act 2000 (Vic)
• Health Records Act 2001 (Vic)
• Freedom of Information Act 1982 (Vic)
• Privacy Act 2000 (Cth)

15.0 Related Procedures

• Conduct and Compliance procedure: Representing Monash (Public Utterances)
• Conduct and Compliance procedure: Whistleblowers

16.0 Related Documents

• Privacy at Monash University
• Privacy Compliance Manual [pdf]
  
• Collection of Personal Information including:
  • Enrolment Forms Collection Statement
  • HR Services Collection Statement
  • Admission Forms Collection Statement
• Guidelines for Collecting / Distributing Student Results / Assignments and Other Information
• Collection and Storage of Tax File Numbers
• Monash University Collection, Storage and Destruction of Credit Card Details Policy
• Monash University IT Security Policy
• Monash University IT Security Framework
• Monash University enterprise agreement
• Confidentiality of Student Records Policy
• Client Confidentiality Policy – Disability Liaison Unit (DLU)
• Other Helpful Guidelines

17.0 Related Enterprise Agreement Clauses

• Clause 51 Termination of Employment and Disciplinary Action – Academic Staff
• Clause 52 General Staff Disciplinary Procedures

18.0 Related Forms

• Authorisation for Information Disclosure Form [Word] [PDF]

19.0 Further information and assistance

19.1 Adherence to this procedure will generally ensure compliance with University requirements and legislation. However, there may be instances where inadvertent breaches could occur. When in doubt users requiring assistance with interpretation of the procedure, or who wish to report an incident, should contact:

• The Privacy Officer on ext. 29589 or by email privacyofficer@adm.monash.edu.au
• The University Solicitor’s Office on ext. 55126.

19.2 For more information on privacy see the Victorian Privacy Commissioner’s website or the Office of the Health Services Commissioner.

Responsibility

All University staff including honorary appointees of the University should be aware of, read, understand and comply with this procedure. Whilst there are some differences between the state and federal privacy legislation, staff of Monash controlled entities should also be aware of, read and understand and comply with this procedure. Further advice should be sought regarding specifics under federal legislation.