Information Privacy

Information Privacy Procedure

Policy Code: IM1893

Responsibility

Definitions

Term Definition
Business day

means Monday through to Friday but excluding days which are designated as University holidays.

Health information

means:

  1. Personal information about:
    1. The physical, mental or psychological health (at any time) of an individual; or
    2. A disability (at any time) of an individual; or
    3. An individual’s expressed wishes about the future provision of health services to him or her; or
    4. A health service provided, or to be provided, to an individual; or
  2. Other personal information collected to provide, or in providing, a health service; or
  3. Other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
  4. Other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or any of his or her descendants.

Identification information

Biographic and demographic personal information about an individual that is collected for the purposes of reporting and provision of educational services, including but not limited to:

  1. Name;
  2. date of birth;
  3. citizenship;
  4. languages;
  5. ethnicity;
  6. family background; and
  7. educational background.

Personal information

means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

Sensitive information

means personal information or an opinion about an individual’s:

  1. Racial or ethnic origin;
  2. Political opinions;
  3. Membership of a political association;
  4. Religious beliefs or affiliations;
  5. Philosophical beliefs;
  6. Membership of a professional or trade association;
  7. Membership of a trade union;
  8. Sexual preferences or practices; or
  9. Criminal record;

that is also personal information.

What information can be collected?

The University may collect a variety of information about an individual in order to provide services related to University activities. This information may include, but is not limited to:

  • information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion;
  • Information or an opinion about:
    • The physical, mental or psychological health (at any time) of an individual; or
    • A disability (at any time) of an individual; or
    • An individual’s expressed wishes about the future provision of health services to him or her; or
    • A health service provided, or to be provided, to an individual.
  • Other personal information collected to provide, or in providing, a health service; or
  • Other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
  • Other personal information that is genetic information about an individual in a form which is or could be predictive of the health (at any time) of the individual or any of his or her descendants;
  • Identification information;
  • Basic information about financial or credit status (eg starting dates) and infringements;
  • Information about payments and payment plans;
  • Information about academic credit and previous results; and
  • Various publicly available information like bankruptcy and credit-related court judgements.

It is important to note that the University will not seek or store any of the above information unnecessarily.

Method of collection

The University will, if possible, collect personal information directly from the individual. In some circumstances, personal information will be collected from outside bodies. If these circumstances arise, the University will take all reasonable steps to obtain the consent of the individual for this collection. Information may be obtained through a variety of methods, including (but not limited to) the completion of online forms, paper-based forms, and verbally.

The University seeks to ensure the security of the campus and members of the University community through the appropriate application of closed circuit television (CCTV) surveillance systems.

The primary security use of CCTV is to discourage and/or detect unlawful behaviour in and around university property thereby enhancing the safety and security of all people and property. Other applications and benefits of CCTV include traffic management and assisting some access control environments. However, the use of CCTV may result in the recording of personal information about an individual. All footage containing personal information will be treated in accordance with the University’s Information Privacy Policy and Procedure, including restricting access.

The University will take all reasonable steps to ensure the accuracy and currency of the personal information it holds.

Storage of information

An individual’s personal information will primarily be stored in the University’s ICT systems. Some information may be retained in hard copy.

The security of personal information is governed by the Information Security Policy. All staff are required to familiarise themselves and comply with the requirements of this policy. In some circumstances, personal information obtained by the University may be stored in cloud storage, which may involve some storage of information in offshore servers. The University will not knowingly transmit personal information to a location that does not provide privacy protections substantially similar to those in Victoria.

In circumstances where information is transmitted to an offshore partner provider or agent, the partner provider or agent will be subject to binding contractual obligations to ensure compliance with the University’s policies and procedures relating to privacy and information security.

All information relating to administrative and academic matters should be stored securely.

Access to information

Personal information will not be made accessible to University staff unnecessarily.

An individual may wish to review the personal information held by the University about them. Requests to access information should be directed to the University’s Privacy Officer at privacyofficer@federation.edu.au.

The University will respond to requests for access to information as soon as reasonably practicable. Access will be provided within 30 days of the receipt of a request and sufficient identification of the applicant, unless unusual circumstances arise. If access cannot be provided within 30 days, the University will notify the applicant of the reason for the delay as soon as reasonably practicable, and seek consent for an extension of time.

Correction of information

You have the right to request the correction of any of your personal information held by the University. Requests to correct information should be directed to the University’s Privacy Officer at privacyofficer@federation.edu.au.

The University will respond to requests for correction of information as soon as reasonably practicable. Corrections will be made within 30 days of the receipt of a request and sufficient identification of the applicant, unless unusual circumstances arise. If correction cannot be completed within 30 days, the University will notify the applicant of the reason for the delay as soon as reasonably practicable, and seek consent for an extension of time.

If the University cannot correct personal information, the applicant will be notified in writing within 5 business days. Applicants may be directed to external bodies that may be able to correct the information as requested.

Disposal of information

You have the right to request the disposal of any of your personal information held by the University. Requests for disposal of information should be directed to the University’s Privacy Officer at privacyofficer@federation.edu.au.

However, this does not mean that a request will automatically result in the disposal of your personal information. All disposal of personal information will be made in accordance with the University’s Records Management Policy and Procedure, this procedure, and the University’s obligations under privacy and public records legislation.

Personal information of minors

The personal information of persons under the age of 18 should not be collected without the permission of a parent or guardian. The University takes its obligations for protection of persons under the age of 18 seriously, and extra care should be taken during the collection, use, disclosure and disposal of their personal information.

Complaints

Complaints relating to privacy or personal information are governed by the University’s grievance policies and procedures and should be directed to the University's Privacy Officer on 5327 9021 or privacyofficer@federation.edu.au. If you feel your privacy has been breached, you can contact the Student Advisory Service, a Grievance Officer or the University's Privacy Officer for a discussion.

Grievances will be acknowledged within 7 days of receipt. The University will endeavour to resolve any grievance within 30 days, or an extended time frame agreed to by the applicant.

In the event that a complaint relating to privacy or personal information cannot be resolved under the University’s Grievance Policy and Procedure, the complaint may be referred to the Commissioner for Privacy and Data Protection.

Reporting

All staff dealing with personal information are required to accurately document:

  • the nature of any personal information disclosed;
  • the date of the disclosure;
  • the person(s) responsible for the disclosure;
  • the person(s) who received the disclosure;
  • evidence that the disclosure was permitted or that consent was given;
  • any relevant written notices or correspondence;
  • details of any subsequent action taken; and
  • any other relevant information.

Documentation should be retained for 5 years.

Associated documents