Monash University controlled entities are required to comply with the Privacy Act 1988 (Cth).
Compliance with the Privacy Act
Amendments to the Federal Privacy Act took effect from 12 March 2014. With limited exemptions, private sector bodies and Commonwealth government agencies must comply with the legislation.
The Act contains 13 Australian Privacy Principles (APPs), which are the central part of the laws. These encapsulate the requirements and obligations of organisations when handling personal information.
The Privacy Act applies to the following types of information:
Personal Information: means information or an opinion about an identified individual, or an individual who is reasonably identifiable; whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not. Examples: name, address, telephone number, title.
Sensitive Information: means information or an opinion about an individual's racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or membership of a trade union, sexual orientation or practices, or criminal record that is also personal information or health information about an individual, or genetic information about an individual that is not otherwise health information, or biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or biometric templates.
Health Information: means information or an opinion about the health or a disability (at any time) of an individual or an individual's expressed wishes about the future provision of health services to him or her or a health service provided, or to be provided to an individual; that is also personal information, or other personal information collected to provide, or in providing, a health service; or other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Differences between the Federal Privacy Act and the State Privacy and Data Protection Act 2014 (Vic)
The differences between the State Privacy and Data Protection Act 2014 (Vic) and the Federal Privacy Act can be summarised as follows. Please note, this is a guide only and should not be relied on as a definitive source in determining obligations under the various privacy laws.
| ||Privacy Act 1988||Privacy and Data Protection Act 2014 (Vic)|
|Applies to||Monash Controlled Entities||Victorian Government Agencies|
|Definition of Personal Information||‘whether recorded in a material form or not’||‘that is recorded in any form’|
|Direct Marketing||Assumed secondary purpose, can market providing it is not reasonable to obtain consent from individual and individual can opt out of receiving future marketing material.||Not assumed, must be related to purpose of collection. Individual must opt in e.g. consent must be obtained prior to marketing to them unless included within a privacy data collection statement.|
|Staff Records||Are excluded from the coverage of the Act if they are directly related to the employment relationship between a current or former employee. Note: the Act applies to prospective employees.||All staff records (insofar as personal and sensitive information) are covered by the Act.|
|Related Body Corporate||Personal information (excluding sensitive or health information) can be disclosed to a related body corporate (e.g. Monash University).||This exemption does not apply. To disclose personal, sensitive or health information to the Monash Controlled Entities, it must fall within the primary or secondary purpose of collection or Monash should obtain consent from the individual. If Monash University wants to disclose information to the Controlled Entities, it is also recommended that Monash and the Controlled Entity enter a contractual agreement to ensure that the privacy protection is guaranteed.|