View Document

Privacy - Information Privacy Procedure

This is not a current document. To view the current version, click the 'Current Version' tab above.

Section 1 - Purpose / Objectives

(1) Nil

Top of Page

Section 2 - Scope / Application

(2) Nil

Top of Page

Section 3 - Definitions


(3) Nil

Top of Page

Section 4 - Policy Statement

(4) Nil

Top of Page

Section 5 - Procedures


(5) All staff of the University have an obligation to adhere to and implement the policy and the procedures when collecting and handling personal and health information in the course of their work.


(6) The information the University collects about staff is for the primary purpose of facilitating their employment and towards this end, VU maintains their employee records and administer employee benefits and entitlements, including salary, superannuation and other services. It is necessary for Victoria University to collect this information from staff in order to:

  1. be able to communicate with you;
  2. inform you about the range of facilities, services, benefits and opportunities available to staff;
  3. in the event of an emergency, notify your nominated emergency contact person;
  4. attend to day to day administrative matters;
  5. prepare statistical analysis including legal reporting requirements and workforce planning; and
  6. place your name on the staff electoral roll.

(7) If staff choose not to provide VU with all the information the University asks for, the University may not be able to process a particular request or entitlement.

(8) New staff must provide all personal information requested, including citizenship status documentation and a valid working with children check card or evidence of a satisfactory police check, where relevant. Without this the individual cannot be employed.


(9) The information that the University collects about students is for the primary purpose of enabling them to enrol in their chosen course of study and for Victoria University to deliver that course and related services to them. It is necessary for Victoria University to collect this information from students in order to:

  1. be able to communicate with them;
  2. carry out day to day administrative matters;
  3. inform students about events and activities relevant to their course and other products, services and opportunities that are available to students of the University;
  4. place their name on the student electoral roll;
  5. maintain their academic record;
  6. assist us in providing programs for the health and welfare of students;
  7. facilitate internal planning;
  8. foster alumni relations; and
  9. fulfil the University's State and Commonwealth Government reporting and statistical obligations.


(10) The University holds a range of personal information about individuals "outside" the university including graduates, benefactors and friends of the University, external members of our committees and those people doing business with the University such as consultants and contractors, and potential students. Researchers may also collect and hold data that contains personal information.


(11) At or before the time of collection of information, for example, such as at enrolment or as a result of a query from a prospective student on admission requirements, the University must take reasonable steps to ensure that the individual is aware of:

  1. some key matters, such as the primary purpose(s) for which the information is collected. In the case of students, the primary purpose is for enabling students to enrol in their chosen course of study and for Victoria University to deliver that course and related services to them. In the case of staff, the primary purpose for collecting the information is facilitating staff employment and towards this end, the University maintains employee records and administers employee benefits and entitlements, including salary, superannuation and other services;
  2. any organisations or individuals to which Victoria University would normally disclose information of that kind. For example, under Commonwealth or State Government legislation, the University may include information in its annual reports to government bodies, for example, the Australian Taxation Office and Centrelink, for the administration of schemes such as FEE-HELP and HECS-HELP, the Youth Allowance, Austudy and Abstudy, amongst others;
  3. the fact that he or she is able to gain access to the information;
  4. any law that requires that particular information to be collected;
  5. the main consequences for the individual in not providing all or part of the information being sought in terms of the delivery of the particular service;
  6. Victoria University's contact details, should he or she wish to contact the University.


(12) At Victoria University any document, including electronic media such as the Internet, that involves the collection of personal information (for example, Enrolment Forms, Assignment Cover Sheets, Practical Placement Forms, Student Progress Response Forms and Notices of Appeal and MYVU Portal web forms) should contain a Privacy Collection Statement drafted after consultation with Legal Services. It is the responsibility of each organisational unit that collects personal information to consult an Information Privacy Advisor to ensure that the processes/systems in place to manage this information are compliant with privacy laws.

(13) A Privacy Collection Statement for use in relation to the collection of information from staff and students is available under the Associated Information tab.


(14) Staff are required to consult with the Privacy Officer when considering obtaining sensitive information without consent. The Privacy Officer may authorise collection of information in the following circumstances:

  1. where the collection is necessary for the establishment, exercise or defence of a legal claim; or
  2. where the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns is physically or legally incapable of giving consent to the collection
  3. where the collection:
    1. is necessary for research, or the compilation or analysis of statistics, relevant to government funded targeted welfare or educational services; or
    2. is of information relating to an individual's racial or ethnic origin and is collected for the purpose of providing government funded targeted welfare or educational services; and
    3. there is no reasonably practical alternative to collecting the information for that purpose; and
    4. it is impractical for the University to seek the individual's consent to the collection.


(15) In order that staff can disclose information about a student to a person other than that student, the student's express permission authorising this arrangement is required. Any authorisation that is made by an individual empowering someone to act on their behalf must be in writing and include the following details:

  1. the purpose of the authorisation;
  2. the duration of the authorisation;
  3. the date on which it is made;
  4. where the authorisation is made by a student or a staff member, it will include their student or staff ID number;
  5. the name and contact details of the proxy.

(16) Unless the express permission states otherwise, each request for information or undertaking of transactions requires new express permission from the student.


(17) Staff have the option to remove or prevent their details from being published externally through the Staff Finder by following the steps below.

  1. The steps to remove or publish details to Staff Finder would be as follows:
    1. Log in to eGuide.
    2. Choose False in the drop down menu for "Publish to Staff Finder?" (Default is True).
    3. Select Save.
  2. The choice to 'Opt out' of Staff Finder is explained more fully in the information sheet provided in Associated Information.


(18) Victoria University will not use or disclose information about an individual for a secondary or other purpose other than the main purpose of collection unless:

  1. both of the following apply:
    1. the secondary purpose is related to the main purpose of collection and, in the case of sensitive and health information, determined by the Privacy Officer to be directly related to the main purpose of collection; and
    2. the individual would reasonably expect the University to use or disclose the information for the secondary purpose;
  2. the individual has consented to the use or disclosure;
  3. the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest, other than for publication in a form that identifies any particular individual and:
    1. it is impracticable for the University to seek the individual's consent before the use or disclosure; and
    2. in the case of disclosure, the University reasonably believes that the recipient of the information will not disclose the information;
  4. the use or disclosure is permitted or authorised by the Privacy Laws;
  5. after notification, the Privacy Officer reasonably believes that the use or disclosure is necessary to lessen or prevent either:
    1. a serious and imminent threat to an individual's life, health, safety or welfare; or
    2. a serious threat to public health, public safety or public welfare.

(19) There are limited additional circumstances where the University may use or disclose personal information. To ensure compliance with the policy, the Privacy Officer must be consulted in relation to the release or use of information contrary to the above guidelines and in the following specific circumstances:

  1. Victoria Police or another Law Enforcement body contact a staff member requesting information about a student;
  2. A telephone query requiring disclosure of information where the security measures for confirming identity as outlined in section nine of the Procedure cannot be made.

(20) Victoria University staff are prohibited from disclosing information or undertaking transactions, in writing or verbally, about a student or a member of staff without the informed consent of that individual authorising another person to act on their behalf. (See clause (16) of the Procedure.) This includes disclosure of information to or undertaking transactions with parents, partners, relatives, friends or organisations, including disability access organisations.

(21) Disclosures that are made by the Privacy Officer will be detailed in a Disclosures Register.


(22) Requests involving the release of information over the phone have some risk attached and wherever possible callers should be asked to seek information in person keeping in mind the University's service orientation. However in situations where this is not feasible, it is critical to take reasonable steps to confirm their identity. A minimum of three security questions should be used. Suggestions include:

  1. Student/Staff ID Number;
  2. Home and/or mobile phone number;
  3. Middle Name(s);
  4. Date of Birth; and
  5. Semester and/or home address.

(23) In cases where the staff member receives a request over the phone but does not have the information allowing him/her to ask the required security questions in order to confirm the identity of the caller, the staff member should either put that person on hold or call back as soon as these details are known in order to advance the request.


(24) Victoria University stores information using electronic and hardcopy records systems. The security of personal and health information is important to the University and it will take all reasonable steps (including electronic and physical security) to ensure that this information is housed, and as may occasionally be necessary, moved safely to protect it against loss, unauthorised access, use, modification, disclosure or any other misuse. The University will ensure that personal information is kept for no longer than is necessary for the purposes for which it may lawfully be used. Records will be disposed of securely and in accordance with any requirements for the retention and disposal of personal information. Organisational Units will need to consult the University Archivist to ensure that records are retained in a way that is consistent with the Records Management Policy.

(25) In the event that health information is deleted in circumstances allowable under the Health Privacy Principles, the Privacy Officer must record on a register the name of the individual to whom the health information relates, the period covered by it and the date on which it was deleted.


(26) Staff, students and members of the public can access information that the University holds about them in accordance with this policy, the University's Freedom of Information guidelines and the Victorian Freedom of Information Act (1982).

(27) The Victorian Freedom of Information Act (1982) also stipulates exemptions for accessing information.


Stage 1

(28) The University will meet all reasonable requests for access to information through normal administrative arrangements. Under normal circumstances requests for access to personal information should in the first instance be addressed to the relevant organizational unit that routinely holds the information.

Stage 2

(29) In dealing with less than straightforward requests for access, the staff member handling the matter should refer this to a senior officer at a level at least equivalent to an Administrative Director for determination. Any determination that is made by the senior officer will occur only after he/she has obtained advice from Legal Services.

Stage 3

(30) Acting upon legal advice the matter can be referred to the Privacy Officer to make a ruling that can result in the determination that an FOI application is needed to seek access to the document(s) requested. Such a decision needs to be conveyed in writing to the individual within 30 working days of the request been made and informing the person that the University's Manager, Records Services and Archives is available to assist with such an application.

(31) A FOI request is made to the Manager, Records Services and Archives. Contact details are -

Postal address:
Manager, Records Services and Archives
Ms Kirsten Wright
Victoria University
Office of the Library
Footscray Park Campus
Ballarat Road, Footscray
PO Box 14428
Victoria 8001
Telephone: 9919-5093
Fax: 9919-5340

Stage 4

In some cases, your access to personal information held about you by the University may result in a request by you to correct this information. The request must be settled within 30 working days and the decision communicated to the applicant as appropriate.


The Privacy Officer or in relevant cases, the Manager, Counselling Services, acting on behalf of the Privacy Officer will determine all requests for access and correction of health privacy information after consulting with Legal Services and where appropriate the head of the area holding the information to which the request pertains. A decision on the request to access or correct health information should be made as soon as practicable, but no later than 30 days after the request has been received. The decision needs to be communicated to the applicant in writing and include reasons for the decision.




A staff member who believes that Victoria University has breached the Privacy Policy or the Privacy laws can use the Staff Issue and Complaint Resolution policy to seek a resolution of the matter.


A student who believes that Victoria University has breached the Privacy Policy or the Privacy laws can use the Student Complaints Resolution policy to seek a resolution of the matter.

Other individuals

A person other than a student or member of staff of Victoria University who believes that Victoria University has breached the Privacy Policy or the Privacy laws can use the procedure outlined below to seek a resolution of this matter.
  1. Step 1
    1. Where an individual believes that the University has breached the policy and/or Privacy laws, he/she should endeavour to resolve the matter directly with the area concerned.
  2. Step 2
    1. If, through informal discussion, a complaint cannot be resolved to the satisfaction of the complainant, a written complaint should be lodged with the Privacy Officer about any act or practice of the University that the individual reasonably believes constitutes a breach of this policy, specifying details of the alleged breach. Details to be provided in the complaint should include:
      • the name and address of person lodging the complaint;
      • details about the privacy concern/s;
      • if applicable, how concern/s could be remedied.
    2. The written complaint should be made within 10 working days of the time the complainant first became aware of the alleged breach.
  3. Step 3
    1. Within 10 University days of receipt of a complaint, the Privacy Officer, will:
      • confirm receipt of the complaint in writing,
      • inform the complainant that an investigation will be conducted and a response provided as soon as practicable, but in no more than 30 University days from the day the complaint is received,
      • commence an investigation into the complaint.
  4. Step 4
    1. The Privacy Officer shall investigate complaints expeditiously and shall provide a written copy of the findings of fact and recommendations made to both the Vice-Chancellor and to the complainant within 30 University days of the receipt of the complaint.
  5. Step 5
    1. The Vice-Chancellor (or the Chancellor in cases where the complaint involves the Vice-Chancellor) will determine what action will be taken on any recommendation contained in the findings of the Privacy Officer, and advise the complainant in writing of the result of the investigation.
    2. The Privacy Officer will keep a record of all Privacy related complaints.


You can also make a complaint to the Commissioner for Privacy and Data Protection (where the issue involves personal information) or to the Health Services Commissioner (where the issue involves Health Information) at any time if you are of the belief that your privacy has been breached.
You should be aware that there are jurisdictional and time limits that can apply for making a complaint. For example, in the case of the Commissioner for Privacy and Data Protection complaints should be made within 45 days of you finding out about the breach of one or more of the Information Privacy Principles .
You can also make a complaint to Ombudsman Victoria regarding the administrative actions of the University.
Top of Page

Section 6 - Guidelines