Legislation, Privacy and Health Information Principles

The Privacy and Data Protection Act 2014 (Vic)

The Act governs the collection and handling of personal information (excluding health information, which is covered by the Health Records Act 2001 (Vic) below). Monash University's privacy obligations in relation to personal information arise from the operation of this Act.

The Act includes 10 Information Privacy Principles (IPPs), which are contained in Schedule 1 of the Privacy and Data Protection Act 2014 (Vic). The Information Privacy Principles set out how personal information should be collected, held, managed, used, disclosed and transferred. The Act is administered by the Office of the Victorian Information Commissioner (OVIC).

Summary of the Information Privacy Principles

The Health Records Act 2001 (Vic)

The Health Records Act regulates the way an individual's health information is collected and handled throughout Victoria. This Act is administered by the Health Services Commissioner. Monash University's health information privacy obligations arise from the operation of this Act.

The Act includes 11 Health Privacy Principles (HPPs), which are contained in Schedule 1 of the Health Records Act 2001 (Vic).

The Health Privacy Principles broadly align with the Information Privacy Principles. In particular, HPPs 1 to 9 correspond to IPPs 1 to 9, with only a number of key differences. HPPs 10 and 11 differ significantly from the IPPs and have no direct IPP equivalent.

Summary of the Health Privacy Principles

A comparison of the similarities and differences between the IPPs and HPPs is available here.

European Union General Data Protection Regulation 2016/679 (EU)

This EU Regulation aims to harmonise and strengthen the protection of the fundamental rights and freedoms of people within the EU with regard to the processing and movement of their personal data. For further information, please refer to our page on GDPR.

For staff, please refer to this page for further information.

The Privacy Act 1988 (Cth)

The Privacy Act regulates the way individuals' personal information is handled. It includes 13 Australian Privacy Principles (APPs), which set out how APP entities must collect, hold, use, disclose and manage personal information.

Monash University is NOT required to comply with the Privacy Act 1988 (Cth); its obligations arise under the Victorian legislation described above.

Monash Controlled Entities ARE required to comply with two pieces of privacy legislation:

  • Privacy Act 1988 (Cth); and
  • Health Records Act 2001 (Vic).

A Monash Controlled Entity is an entity controlled by the University, that is, an entity in which either:

  • the University owns more than 50% of the entity, or
  • more than 50% of the directors on the board are Monash representatives.

It is important to note that the Privacy Act 1988 (Cth) and the Privacy and Data Protection Act 2014 (Vic) are different pieces of legislation: whilst the APPs and the IPPs are similar in many respects, there are also a number of differences between them.

The Australian Privacy Principles

The APPs cover:

  1. Open and transparent management of personal information
  2. Anonymity and pseudonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal information, i.e. disclosing or transferring information to a recipient outside Australia
  9. Adoption, use or disclosure of government related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information

Summary of the Australian Privacy Principles

Australian Privacy Principles Guidelines – published by the Office of the Australian Information Commissioner (OAIC)