The Information Privacy Act has created new privacy rights that enable individuals to exercise greater control over how an organisation collects, uses and discloses personal information that relates to them. The Information Privacy Act has implemented ten Information Privacy Principles (IPPs) to describe how personal information and sensitive information is to be handled.
The purpose of this section is to provide a summary of the ten Information Privacy Principles.
- Collection
- Use and Disclosure
- Data Quality
- Data Security
- Openness
- Access and Correction
- Unique Identifiers
- Anonymity
- Transborder Data Flows
- Sensitive Information
IPP 1 - Collection
Monash must only collect personal information if it is necessary for our functions and activities.
It is not acceptable for Monash to collect information simply because we would like to have it, or because it might be needed at some time in the future. Information is necessary only if there is legitimate justification for its collection.
Monash must only collect information by lawful and fair means and not in an unreasonably intrusive way.
To decide whether something is fair, lawful and not intrusive, consider:
- whether relevant laws are complied with (eg surveillance must be conducted in accordance with the Surveillance Devices Act (Vic));
- whether the individual is made aware of the collection (eg the use of cookie technology to track an individual’s use of the website without making it clear to them via a prominent privacy notice); and
- whether we have an unfair advantage when collecting information (eg an unequal relationship such as children/adult, non-English speaking people or traumatised individuals).
At or before the time of collection, Monash must take reasonable steps to inform individuals of the following matters:
- the identity of Monash and how to contact it;
- the fact that he or she is able to gain access to the information;
- the purposes for which the information is collected;
- to whom, or the types of organisations to whom, Monash discloses information of this kind;
- any law that requires the particular information to be collected; and
- the main consequences (if any) for the individual if all or part of the information is not provided.
Monash University has created the following standard wording which complies with the above requirements. The wording can be amended depending on the circumstances for collection. It is recommended that this wording is included on all forms (paper and electronic) which collect personal information. If you would like to make changes to this wording it is recommended that you obtain confirmation from the Monash University Privacy Officer that the amended wording meets the requirements of the privacy laws.
If it is reasonable and practicable, Monash must collect personal information about an individual only from the individual. However, if Monash collects personal information about an individual from a third party (eg Monash International, VTAC), we must take reasonable steps to inform the individual of the matters outlined in the box above, unless this would pose a serious threat to the life or health of any individual.
If you regularly collect information about individuals from a third party you may like to consider contractually binding the third party to provide the relevant notification in accordance with the privacy laws and indemnification if they fail to provide the notification. For advice on the necessary contractual clauses please contact the Monash University Privacy Officer or the Solicitor's Office.
IPP 2 - Use and Disclosure
Monash may only use or disclose personal information about an individual for the primary purpose for which it was collected or a related purpose (directly related for sensitive information) the individual would reasonably expect.
Determining how personal information can subsequently be used and to whom it can be disclosed requires an understanding of the primary purpose for which the information was collected. If the requirements of IPP 1 have been met, the primary purpose should be clear and should have been communicated to the person at the time of collection.
If in doubt about whether a use or disclosure falls within the secondary purpose, obtain consent from the individual or seek advice from the Monash University Privacy Officer.
Personal information can also be used or disclosed for a secondary purpose if:
The individual has consented to the use or disclosure.
It is preferable to obtain written consent. In some circumstances, written consent is not practicable. Verbal or implied consent can be relied upon; however, if a dispute were to arise it would be more difficult to prove that we had obtained consent.
It is important to consider the elements of consent when obtaining consent:
- individual must have capacity to consent
- consent must be voluntary
- consent must be informed
- consent must be specific
- consent must be current
The use or disclosure is necessary for research in the public interest when it will be published in a non-identifiable format and it is not practicable to seek the individual's consent and, in the case of disclosure, Monash reasonably believes the recipient will not disclose the information.
All research conducted by Monash University involving humans must receive ethics approval from the Standing Committee on Ethics in Research Involving Humans (SCERH). SCERH may approve projects which fall within the category of acceptable use and disclosure in accordance with the privacy laws.
Monash believes the use or disclosure is necessary to lessen or prevent a serious and imminent threat to an individual's life, health or safety and welfare or a serious threat to public health, public safety or public welfare.
By their nature, such circumstances would be unusual and uncommon. In general, the recipient of the information would need to be appropriate police, emergency services or health authorities. The Victorian Privacy Commissioner has indicated that the decision to rely on this exemption for using or disclosing information should only be made by senior staff.
Monash has reason to suspect that unlawful activity has been or is being engaged in and uses or discloses the personal information to investigate the matter or to report concerns to relevant persons or authorities.
Suspicion should be based on reasonable grounds and not on gossip or rumour. The activity should be unlawful, not just unethical or objectionable. The information should be confined in the early stages of investigation to only those individuals who must have access. The relevant persons or authorities should be those who need to have access to the information because they have relevant duties to perform.
The use or disclosure is required or authorised by or under law.
Examples of use or disclosure required or authorised by or under law at Monash are the reporting of certain student information to the Department of Education, Science and Training, or information about international students to the Department of Immigration, Multicultural and Indigenous Affairs. For advice about whether something is required or authorised by or under law please contact the Monash University Privacy Officer or the Solicitor's Office.
A law enforcement agency has requested personal information and authorisation has been obtained from the Monash University Privacy Officer to assist the law enforcement agency.
The law relating to use and disclosure of personal information to a law enforcement agency (eg Victoria Police, Australian Federal Police) is complex and advice must be obtained from the Monash University Privacy Officer prior to releasing information.
TIP: If you are in doubt about whether you can use or disclose personal information in accordance with Information Privacy Principle 2, obtain the consent of the individual for the use or disclosure of information or, alternatively, contact the Monash University Privacy Officer for advice.
IPP 3 - Data Quality
Monash must take reasonable steps to make sure that personal information it collects, uses or discloses is accurate, complete and up to date.
The accuracy, completeness and currency of the information should be established at the time of collection, and reviewed when the information is used or re-used, and when it is disclosed to another organisation. Organisations do not have to monitor data quality when information is dormant. Personal information collected and used for a particular purpose and then archived does not need to be constantly checked for accuracy.
Staff and students should be encouraged to keep their personal information accurate by directly updating their information online or by completing the relevant form and forwarding it to Monash.
IPP 4 - Data Security
Monash must take reasonable steps to protect personal information from:
- unauthorised access;
- unauthorised modification; and
- unauthorised disclosure.
In the case of a large organisation such as Monash, just because an individual provides personal information to one part of Monash does not mean that they expect all parts of Monash to use this information. This is particularly relevant in the case of sensitive information. Personal information must be protected from misuse, loss, unauthorised access, modification or disclosure, both within Monash and in relation to external parties.
There are a number of things that individual staff members can do to enhance compliance with this privacy principle which include:
- locking offices when unattended
- not leaving personal information lying around
- for open plan offices, staggering lunch breaks to ensure someone is always present in the office
- storing sensitive or confidential personal information in locked filing cabinets
- changing passwords on computers regularly
- activating a screen saver on computers
Monash must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed.
Staff should comply with the Public Records Act when considering when information is no longer needed. When determining how long personal information should be stored for please refer to the ‘Records Disposal Authority’ which is managed by Monash University Archives.
Personal information must be destroyed securely when it is no longer needed. Examples of secure destruction include shredding, pulping or disintegration of paper files, fire, confidential disposal in accordance with any guidelines provided by Records & Archives, or contracting an authorised disposal company for secure disposal.
IPP 5 - Openness
Monash must set out in a document clearly expressed policies on its management of personal information. The organisation must make the document available to anyone who asks for it.
On request by a person, Monash must take reasonable steps to let the person know generally what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information. If a request of this type is made by a student, please refer them to the Privacy Co-ordinator from the relevant faculty. If the request is made by a staff member, please refer them to the Privacy Officer.
IPP 6 - Access and Correction
Individuals have the right to seek access to their personal information and make corrections. Monash will, on request, provide students and staff with access to information it holds about them and allow them to make corrections unless an exemption applies at law.
Monash University may, on request, provide staff and students with access to information it holds about them, unless there is an exception that applies under the Information Privacy Principles or Health Privacy Principles. To make an application for formal access to your personal information, please see the FOI information on the Monash Executive Services website and contact the Freedom of Information Officer (FOI) in writing.
Students may access their files in accordance with the Monash University Freedom of Information Policy. This policy states that if a student would like to access their student records they need to contact the Manager, Client Services, Student and Staff Services Division.
Freedom of Information laws continue to apply. If access cannot be granted under either of the above policies, please contact the Monash University Privacy Officer or the Monash University Freedom of Information Officer (contact details below).
More information about Freedom of Information at Monash University is available from the University Secretariat website, or contact the Freedom of Information Officer by telephone (03) 9905 5137 or email firstname.lastname@example.org.
IPP 7 - Unique Identifiers
'Unique identifiers' are numbers or codes which are assigned to an individual to assist with identification. Examples of common unique identifiers used by Monash University are the student ID number and the staff ID number.
Monash must only assign unique identifiers if it is necessary for Monash to carry out any of its functions efficiently.
When thinking about creating a new type of unique identifier (other than the student/staff number), consider whether it is necessary, eg would it be sufficient to identify the individual by their name. In some sensitive or delicate situations unique identifiers may enhance privacy. In testing whether efficiency is established, an assessment of efficiency from the perspective of both Monash and those with whom it deals is required.
Monash must not adopt as its own unique identifier of an individual the unique identifier of the individual which has been created by another organisation, unless it is necessary to enable Monash to carry out any of its functions efficiently, or it has consent from the individual for the use of the unique identifier. Examples of unique identifiers which have been created by other organisations are VTAC number, driver's licence number, tax file number or Medicare number.
Monash can only use or disclose a unique identifier assigned to an individual by another organisation in the following circumstances:
- the use or disclosure is necessary for Monash to fulfil its obligations to the other organisation
- Monash has the consent of the individual to the use or disclosure
- Monash believes the use or disclosure is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health or safety or a serious threat to public health, public safety or public welfare.
- Monash has reason to suspect that unlawful activity has been or is being engaged in and uses or discloses the personal information to investigate the matter or to report concerns to relevant persons or authorities.
- The use or disclosure is required or authorised by or under law.
- A law enforcement agency has requested personal information and authorisation has been obtained from the Monash University Privacy Officer to assist the law enforcement agency.
In most cases reviewed at Monash University to date, the use or disclosure of unique identifiers which have been created by another organisation (eg VTAC number, tax file number) is in accordance with the above requirements (eg authorised by law or with the individual's consent). If you are unsure about whether the use of a unique identifier created by another organisation is in accordance with the laws, please contact the Monash University Privacy Officer.
Monash must not require an individual to provide a unique identifier in order to obtain a service unless the provision of the unique identifier is required or authorised by law or the provision is in connection with the purpose (or a directly related purpose) for which the unique identifier was assigned.
In most cases, the requirement to provide a unique identifier to Monash is required by law (eg tax file number for HECS or employment) or is in connection with the purpose for which the unique identifier was assigned. If you are unsure as to whether the provision of a unique identifier by an individual is in accordance with the laws, please contact the Monash University Privacy Officer.
IPP 8 - Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering into a transaction with Monash.
As a general rule, it is not lawful and practicable for individuals to remain anonymous when dealing with Monash. For example it is not possible to award a degree to someone without knowing who they are. Examples of situations where individuals remain anonymous are the sale of products or services by cash such as books or theatre tickets, or the making of general enquiries such as ‘What time are you open?’
IPP 9 - Transborder Data Flows
Monash may only transfer information about an individual to someone (other than the individual or Monash) who is outside of Victoria if one or more of the following applies:
Monash reasonably believes the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of information that are substantially similar to the Information Privacy Principles.
Commonwealth government organisations, companies with annual turnover of more than $3 million, some state government agencies (eg NSW) or a selection of other types of organisations in Australia have equivalent privacy laws. Therefore transfers to these types of organisations located outside of Victoria comply with this Transborder Data Flow principle.
Some countries have equivalent privacy laws in place (eg United Kingdom) and transfer can occur under this provision. However, many countries do not have equivalent privacy laws (eg no laws in Malaysia or South Africa) and a transfer must fall within one of the following categories in order to comply with this principle.
The individual consents to the transfer
When obtaining consent from the individual to transfer information to an organisation that is located outside Victoria, the individual must be made aware of whether the privacy protection will travel with the information for legitimate consent to be obtained.
The transfer is necessary for the performance of a contract between the individual and the organisation, or for the implementation of pre-contractual measures taken in response to the individual’s request.
The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the organisation and a third party.
All of the following apply:
- the transfer is for the benefit of the individual
- it is impracticable to obtain the consent of the individual to that transfer
- if it were practicable to obtain that consent, the individual would be likely to give it.
The organisation has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Information Privacy Principles.
If a transfer of personal information outside of Victoria does not fall within any of the above categories, then this category can be complied with if the recipient of the information is requested to sign a contract which binds them to comply with the Information Privacy Principles. The standard privacy contract can be obtained from the Monash University Privacy Officer.
PLEASE NOTE: Monash University South Africa and Monash University Malaysia are not considered to be transfers to Monash and therefore transfers to these overseas campuses must be treated in accordance with this principle. The Monash University centres located in Prato, Italy and London, United Kingdom are considered to be transfers to Monash and therefore do not have to be treated in accordance with this principle.
IPP 10 - Sensitive Information
Monash must not collect sensitive information about an individual unless:
The individual has consented (eg implied consent by including details on form).
The collection is required under law (eg collection of racial/ethnic origin for DEST reporting).
The collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:
- is physically or legally incapable of giving consent to the collection; or
- physically cannot communicate consent to the collection.
The collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
If you would like to collect sensitive information to provide additional services, for statistical analyses or for any other purpose which is not required under law, it is recommended that the question is made optional. If the person chooses to complete an optional question we have implied consent to use the sensitive information for the purposes outlined in the privacy notice required by IPP 1.