The main functions of Monash University are to provide education and conduct research, together with ancillary activities to support students and staff in their study or work at the University and ensure the ongoing effective operation of the University. Personal and health information is collected to enable Monash University to conduct these activities. Information is also collected by Monash University where the government requires the information, for example, for statistical analysis and reporting purposes.
Monash University values the privacy of individual personal and health information and is committed to the protection of personal, sensitive and health information it holds.
This procedure outlines how Monash University handles personal and health information to comply with applicable privacy legislation. It also directs staff on the responsible collection and handling of personal information. The procedure is based on the following principles:
- Monash University supports responsible and transparent handling of personal information;
- Monash University respects an individual’s right to know how his or her personal information will be collected, used, disclosed, stored and disposed of; and
- Monash University is a global university with a distinct international focus.
Monash University has established a privacy regime that strives to:
- ensure that the University and its staff comply with the privacy laws;
- promote an understanding and acceptance of the privacy principles and their objectives throughout the University community;
- educate people within the University about information privacy;
- handle complaints received in an efficient and appropriate manner; and
- monitor privacy compliance and keep the University informed of updates to procedures.
This procedure covers all personal and health information held by an Australian campus of Monash University and Monash University controlled entities in Australia.
Staff employed and students studying at Monash University Malaysia should refer to local policies in relation to confidentiality or privacy.
Monash University is required to comply with a number of privacy laws operating throughout Australia, including the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic). Monash University controlled entities (such as Monash College) are required to comply with the Privacy Act 1988 (Cth). Together these are referred to as the "Privacy Laws". The Privacy Laws regulate how personal information is handled throughout its life cycle, from collection to use and disclosure, storage, accessibility and disposal.
The Privacy and Data Protection Act 2014 (Vic) sets out 10 Information Privacy Principles (IPPs) and the Health Records Act 2001 (Vic) sets out 11 Health Privacy Principles (HPPs). The Privacy Act 1988 (Cth) sets out 13 Australian Privacy Principles. The manner in which Monash University addresses these principles is available at Privacy at Monash.
The Privacy and Data Protection Act 2014 (Vic) and Privacy Act 1988 do not apply to personal information of a person who is deceased. The Health Records Act 2001 continues to apply to health information of a deceased person for 30 years after their death.
Where these procedures are adopted by Monash College, references to Monash University are to be read as references to Monash College.
1.1 Health Information: personal information or an opinion including information that is not recorded in material form about:
- the physical, mental or psychological health (at any time) of an individual;
- a disability (at any time) of an individual;
- an individual’s expressed wishes about the future provision of health services to him or her;
- a health service provided or to be provided to an individual;
- other personal information collected to provide, or in providing, a health service;
- other personal information about an individual collected in connection with the donation or intended donation by the individual of his or her body parts, organs or body substances; and/or
- other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or of any of his or her descendants.
1.2 Identifier: an identifying name or code (usually a number) assigned by an organisation to an individual in connection with their personal or health information to uniquely identify that individual for the purposes of the operations of the organisation. This does not include an identifier that consists only of the individual’s name.
1.3 Personal Information: information or an opinion (including information or an opinion forming part of a database) that is recorded in any form and whether true or not about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Personal information includes sensitive information. For the purposes of the Privacy Act 1988 (Cth) the personal information does not have to be in a recorded form.
1.4 Primary Purpose: the purpose for which the information is collected. This covers the primary use and primary disclosure of the information. This should be what is necessary to discharge the function or undertake the activity.
1.5 Secondary Purpose: the secondary purpose for which the information is used or disclosed has to be connected or associated with the primary purpose. It must relate to the primary purpose for which it was collected. If sensitive information is involved, the secondary purpose has to be directly related to the primary purpose.
1.6 Sensitive Information: personal information or an opinion about an individual’s:
- Racial or ethnic origin;
- Political opinions;
- Membership of a political association;
- Religious beliefs or affiliations;
- Philosophical beliefs;
- Membership of a professional or trade association;
- Membership of a trade union;
- Sexual preferences or practices; and
- Criminal record.
2.0 Collection of personal information
2.1 To the extent required by the Privacy Laws:
- Monash University will not collect personal information about an individual unless that information is necessary for one or more of its functions or activities.
- Monash University will collect personal information about an individual only by lawful and fair means and not in an unreasonably intrusive manner.
2.2 When Monash University collects personal information directly from an individual (for example if a student enrols in a course), Monash University will take reasonable steps at or before the time of collection (or as soon as practicable thereafter) to ensure that the individual is aware of:
- certain key matters, such as the purposes for which Monash University is collecting the information;
- the organisations (or types of organisations) to which Monash University would normally disclose information of that kind;
- the fact that the individual is able to access the information;
- how to contact Monash University;
- any law requiring the collection;
- whether the information is to be transferred outside of Victoria or Australia; and
- the main consequences for the individual if the information is not provided.
2.3 Monash University will collect personal information directly from an individual where it is reasonable and practicable to do so. Where Monash University collects information about an individual from a third party (for example if a student authorises a parent, spouse or partner to deal with Monash University on their behalf), Monash University will still take reasonable steps to ensure that the individual is made aware of the details set out above.
2.4 While Monash University generally collects personal or health information directly from the relevant individual, in some cases we may collect it from a third party, such as Victorian Tertiary Admissions Centre (VTAC), another educational institution, an employment agency, a former employer, a contractor or a government authority such as Victoria Police.
2.6 If an individual chooses not to provide the information requested, Monash University may not be able to provide services to that individual.
3.0 Kinds of personal information collected
Personal information is collected relative to the relationship the individual has with the University. For staff, the personal health information relates to the employment of the individual. For students, the personal and health information relates to the candidature of the individual as a student of Monash University. For members of the public, personal information may be collected in the course of addressing inquiries and requests. For further information refer to the Privacy Collection Statements.
4.0 Purpose of collection, holding, use and disclosure of personal information
Monash University must not collect, hold, use or disclose personal and health information except as permitted by the Privacy Laws. The purposes for collection are outlined in the privacy collection statement. Monash University will use and disclose personal and health information for the primary purposes for which it was collected. Monash University may also use or disclose personal information for a secondary purpose where:
- the secondary purpose is related to the primary purpose (or is directly related, in the case of sensitive information or health information), and a person would reasonably expect Monash University to use or disclose the information for that secondary purpose; or
- a person has consented to the use or disclosure of their personal information for the secondary purpose; or
- the use or disclosure is required or authorised by or under law; or
- the use or disclosure is otherwise permitted by the Privacy Laws.
5.0 Data security and the quality of personal information
5.1 Monash University is committed to ensuring that personal and health information is held securely. To the extent required by the Privacy Laws, Monash University will take reasonable steps to:
- ensure that any personal information Monash University collects, uses and discloses is accurate, complete and up to date;
- protect the personal information that Monash University holds from misuse, loss, unauthorised access, modification or disclosure; and
- destroy or permanently de-identify personal information when required by the Privacy Laws.
5.2 Personal information may be stored in hard copy documents, as electronic data, or in Monash University’s software or systems until it is securely destroyed according to timeframes in the Public Records Act, Monash University document retention procedures or when no longer required by Monash University. Some of the ways Monash University seeks to protect personal information include the following:
- confidentiality requirements on the use of information by Monash University’s employees;
- policies on document storage and security;
- security measures for access to Monash University’s computer systems;
- controlling access to Monash University’s premises; and
- web site protection measures.
5.3 Personal information may be corrected as explained in 6.0 below.
6.0 Access to and correction of personal information
6.1 Students and staff can help Monash University keep the personal information that it holds accurate, complete and up to date, by directly updating information on-line through the Web Enrolment System (WES) or Employee Self Service (ESS) systems for address and contact details.
6.2 A person who is not able to access these systems may ask for personal information held by Monash University to be corrected by making a request to the person nominated in the policy referred to in 6.3 below.
6.3 Monash University has policies for the provision of access to information held about an individual. For students, refer to the Privacy of Student Records. For staff, refer to the Freedom of Information Policy. For students and staff seeking wider access, and for other persons, refer to the Freedom of Information Policy.
7.0 Use of identifiers
7.1 Except to the extent permitted by the Privacy Laws, Monash University will not use Commonwealth or State government identifiers as its own identifier nor will it disclose such identifiers.
7.2 Monash University will only assign an identifier (such as staff or student ID numbers) where this is reasonably necessary to enable it to carry out its functions efficiently.
8.1 Monash University will provide an individual with the option of not identifying who they are or using a pseudonym when it is lawful and practicable to do so. The nature of the activities conducted by Monash University means that, generally, it is not possible for the University to deal with a student or staff member anonymously or using a pseudonym.
9.0 Flows of personal information outside Victoria or (for controlled entities) outside Australia
9.1 Monash University may transfer your personal information interstate or overseas where it is necessary for the operation of the University or to facilitate the activities of an individual conducted at or through the University. For example, where a student studies and an employee works at an international campus, or to utilise the services of contracted service providers, such as cloud-based IT service providers that operate servers outside Victoria. Where Monash University transfers personal information outside Victoria, it complies with the requirements of the Privacy Laws for personal information flows outside Victoria.
9.2 This involves Monash University:
- de-identifying personal information; or
- ensuring the recipient is subject to a legal or binding scheme that provides protection which is substantially similar to the applicable Information Privacy Principles; or
- taking reasonable steps (including contractual agreements) to ensure that the recipients of the information do not breach the Information Privacy Principles; or
- seeking the consent of the individual prior to transferring the information outside of the jurisdiction covered by the Privacy Laws; or
- as is otherwise permitted by the Privacy Laws.
10.0 Obligations of staff and students
10.1 Where a staff member collects, uses, discloses, stores or disposes of personal information on behalf of Monash University, the staff member must meet the requirements of the Privacy Laws by implementing these procedures. Staff members must only collect, use, disclose, store, or dispose of the information in accordance with these procedures and Privacy Laws.
10.2 Where a staff member receives unsolicited personal information the following should occur:
- the information should be de-identified or destroyed if it is not to be retained; or,
- if the information is to be retained, the person who the information relates to should be provided with a copy of the relevant privacy collection statement explaining the purposes of collection, where such a statement has not already been provided.
11.0 Opting out of receiving material produced by Monash University
11.1 If a student or staff member does not wish to receive Monash University’s communications, the student or staff member can opt out by sending an email to Monash University’s Privacy Officer on firstname.lastname@example.org or by utilising the unsubscribe options on the specific publication. However, some communications are not optional and must continue to enable the University to effectively provide education, teaching, research or employment.
12.0 How to raise a concern or make a complaint about a privacy issue
12.1 If a student or staff member has a privacy issue or concern that he or she would like to discuss, the person may contact the Privacy Co-ordinator within their faculty/divisional unit. The Privacy Co-ordinator will look into the matter and provide a response to the person who raised the issue. Complaints for a breach of privacy should be raised in the first instance with the Privacy Co-ordinator who will seek to resolve the matter and advise the individual what action, if any, Monash University will take to resolve the complaint.
12.2 If the student or staff member is not satisfied with the response of the Privacy Co-ordinator, the student or staff member can provide a written complaint to Monash University’s Privacy Officer. The Privacy Officer will conduct an investigation and will respond to the person who raised the issue with a decision. The Privacy Officer will also advise on action taken on the complaint including the outcome of any investigation conducted by or on behalf of the Privacy Officer.
12.3 A member of the public should contact the Privacy Officer directly with any privacy issues he or she would like considered at:
Building 2, Level 3
195 Wellington Rd
Clayton Vic 3800
Phone: 03 9902 9589
13.0 Further information and assistance
13.1 Adherence to this procedure will generally ensure compliance with university requirements and legislation. However, there may be instances where inadvertent breaches could occur. When in doubt, users requiring assistance with interpretation of the procedure, or who wish to report an incident, should contact:
- The Privacy Officer on ext. 29589 or by email email@example.com
- Privacy Co-ordinators
- The Office of the General Counsel on ext. 55126
14.0 Breach of this procedure
14.1 If a staff member breaches this procedure, depending on the circumstances it may be regarded as misconduct or unsatisfactory performance of their duties and may result in action being taken in accordance with the provisions set out in the applicable Monash University enterprise agreement or contract of employment.
15.0 Change of procedure
Monash University may change this Conduct and Compliance Procedure – Privacy from time to time without prior notice.
All university staff including adjunct and honorary appointees of the University are responsible for being aware of and complying with this procedure. Whilst there are some differences between the state and federal privacy legislation, staff of Monash controlled entities should also be aware of and comply with this procedure.
Students are responsible for being aware of and complying with this procedure and updating details when requested.
The Privacy Co-ordinators are responsible for:
- assisting staff and students with general queries regarding privacy; and
- escalating queries to the Privacy Officer where appropriate.
The Privacy Officer is responsible for:
- providing expert assistance with interpretation and compliance regarding Privacy Laws;
- managing concerns and complaints lodged within the applicable timeframes; and
- providing guidance to Privacy Co-ordinators on escalated privacy queries.
- Privacy and Data Protection Act 2014 (Vic)
- Health Records Act 2001 (Vic)
- Freedom of Information Act 1982 (Vic)
- Privacy Act 2000 (Cth)
- Conduct and Compliance procedure: Representing Monash (Public Utterances)
- Conduct and Compliance procedure: Whistleblowers
- Privacy at Monash University
- Privacy Compliance Manual [pdf]
- Monash University Privacy Collection Statements including:
- Guidelines for Collecting / Distributing Student Results / Assignments and Other Information
- Guidelines for local storage of personnel files
- Collection and Storage of Tax File Numbers
- Payment Card Industry Data Security Standards (PCI-DSS) Procedures (Australia only)
- Electronic Information Security Policy
- Monash University Enterprise Agreement (Academic and Professional Staff) 2014
- Privacy of Student Records Policy
- Other Helpful Guidelines
Related Enterprise Agreement Clauses
- Clause 53 Termination of Employment and Disciplinary Action – Academic Staff
- Clause 54 Professional Staff Disciplinary Procedures
| Effective date: | 21 October 2014 |
| Procedure author: | Director, Workplace Relations |
| Procedure owner: | Executive Director, Monash HR |