• Section 1 - Summary
• Section 2 - Scope 
• Section 3 - Definitions
• Section 4 - Policy Statement
• Collecting information
• Using and disclosing information
• Accessing and correcting information
• Maintaining data quality
• Securing, storing and retaining data
• Disposing of and destroying information
• Health information
• Privacy Support
• Section 5 - Procedures
• Section 6 - Guidelines

Section 1 - Summary

(1) To provide a consolidated statement of VU's approach to and expectations regarding privacy.

Section 2 - Scope 

(2) This Policy covers the management of all information at VU.

(3) This Policy applies to all VU staff, students and agents and individuals with whom VU interacts.

Section 3 - Definitions

(4) In this Policy:

1. 'information' means personal information and sensitive information as defined in the Privacy and Data Protection Act 2014 (Vic); and health information as defined in the Health Records Act 2001 (Vic).
2. 'agent' means a person or organisation external to VU who is authorised to act on VU's behalf.

Section 4 - Policy Statement

(5) VU values the privacy of all individuals and is committed to handling their information in a lawful and responsible manner. VU is committed to ensuring that it is compliant with the Information Privacy Principles (IPPs) in the Privacy and Data Protection Act 2014 (Vic), the Health Privacy Principles (HPPs) in the Health Records Act 2001 (Vic), and to the related legal obligations by which it is bound. Where legally required VU will comply with the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Clth).

Collecting information

(6) VU will collect information only where it is necessary in order to carry out its functions and activities.

(7) As part of running the business of the university, VU collects information for various purposes, including for:

1. the provision of education and related activities
2. the employment of staff; and
3. the provision of health services through its clinics.

(8) Overarching privacy statements for staff and students are attached to this Policy.

(9) When collecting information, VU expects that it will only be collected by lawful and fair means and not in an unreasonably intrusive way. When collecting information, the individual to whom the request relates should be advised of:

1. the purpose for which VU is collecting the information;
2. how the individual can access their information;
3. to whom the information will be disclosed;
4. whether the collection is required by law; and
5. the consequences of not providing the information.

(10) VU will only collect sensitive information in limited circumstances (e.g. with the individual's informed consent, if required by law).

Providing information to VU anonymously

(11) Where lawful and practicable, individuals may choose not to identify themselves when transacting with VU. However, VU may consequently be unable to provide services in these circumstances.

Using and disclosing information

(12) In most cases, VU will only use or disclose an individual's information for the primary purpose for which it was collected.

(13) However, VU may use and disclose information for a secondary purpose if the secondary purpose is:

1. related to the primary purpose in the case of personal information; or
2. directly related to the primary purpose in the case of health and sensitive information; and

(14) In all other cases, VU may use and disclose the information if:

1. the individual has consented to the use and disclosure; or
2. the disclosure is authorised or required by law.

(15) For further guidance regarding use and disclosure of information, including responding to requests for access to information, please see the privacy statements for staff and students attached to this Policy.

Sending information outside of Victoria

(16) Staff and agents sending information outside of Victoria as part of VU's functions and activities must only do so:

1. if the recipient is subject to principles for fair handling of information that are substantially similar to Victoria's;
2. with the individual's consent, or if it is impracticable to obtain their consent if the transfer is for their benefit and they would be likely to consent if they could;
3. if contracting with the individual, or with a third party for the individual's benefit; or
4. in accordance with the applicable legislation.

How VU assigns identifiers

(17) VU will only assign identifiers to individuals, or use or disclose identifiers assigned by other organisations, in accordance with IPP7 or other applicable legislation.

Accessing and correcting information

(18) VU will provide individuals with access to information it holds about them, subject to legal requirements.

(19) Requests for access to information will be considered in accordance with the applicable legislation, the Privacy Procedure and the Records Management - Access to Records Procedure.

(20) In some cases, requests for access to information will need to be made through VU's Freedom of Information process.

(21) Where there is a concern, staff should contact the VU Privacy Officer for advice.

(22) If an individual establishes and notifies VU that their information is inaccurate, incomplete or not up to date, VU will take reasonable steps to correct the information or to record that the individual disagrees with the information on file.

Maintaining data quality

(23) VU expects its staff, students and agents to take reasonable steps to ensure that any information is collected, used or disclosed is accurate, complete and up to date.

Securing, storing and retaining data

(24) VU will take reasonable steps to ensure that the information it handles is protected from misuse, loss, unauthorised access, modification and disclosure.

(25) VU's requirements in relation to information technology security are set out in the Information Security Policy, the Records Management Policy and relevant associated Procedures.

Disposing of and destroying information

(26) VU will take reasonable steps to destroy or permanently de-identify personal or sensitive information if it is no longer legally required to be held. VU's requirements in relation to the destruction of documents are governed by the Records Management Policy and related Procedures.

(27) VU will only destroy or permanently de-identify health information in accordance with the Health Records Act 2001 (Vic).

Health information

(28) In addition to the above, there are specific obligations with respect to health information received in confidence and transferring health records to other health service providers. Refer to the Privacy Procedure for further information.

(29) Health records may be created in many circumstances at VU. Examples include: through VU's health clinics; through research or teaching and learning activities; through work performed by People & Culture; through student counselling; through the work of the student disability liaison, etc. These must be managed in accordance with the Health Records Act 2001 (Vic). Further guidance on this is provided in the Privacy Procedure and the Records Management Policy and associated procedures.

Privacy Support

(30) VU has a Privacy Officer who carries out the functions listed in the Privacy Procedure. Any queries or concerns regarding Privacy should be directed to the Privacy Officer at privacy.officer@vu.edu.au.

Section 5 - Procedures

(31) This Policy is supplemented by the Privacy Procedure and Privacy Security Breach Procedure.

Section 6 - Guidelines

(32) Operational areas within VU may develop guidelines tailoring the requirements under this Policy and the Privacy Procedure to suit their business needs.

(33) Privacy Appendix 1 to this Policy is the Privacy Statement for the collection of student information.

(34) Privacy Appendix 2 to this Policy is the Privacy Statement for the collection of staff information.