Records Management - Access to Records Procedure

This is the current version of this document.

Section 1 - Summary

(1) Many VU records will need to be accessed by people outside the University. This Procedure outlines the process for determining whether external access can be provided. The Procedure aims to ensure that sensitive information is adequately protected when access decisions are made.

Section 2 - HESF/ASQA/ESOS Alignment

(2) HESF: Standard 7.3 Information Management.

(3) Standards for Registered Training Organisations (RTOs) 2015 (Cth): Standards 6 and 8 and Schedule 5.

Section 3 - Scope

(4) This Procedure applies to:

  1. all University staff and contractors, council members, honorary, adjunct or visiting academics, and volunteers; and
  2. all records (both physical and electronic) created or held by VU, or created or held by contractors on VU's behalf.

Section 4 - Definitions

(5) Nil

Section 5 - Policy/Regulation

(6) See Records Management Policy.

Section 6 - Procedures

Part A - Summary of Roles and Responsibilities

| Roles | Responsibilities |
| --- | --- |
| Managers | Responsible for authorizing the release of Restricted records created within their unit. |
| FOI Officer | Responsible for ensuring that Freedom of Information requests are dealt with in accordance with the Freedom of Information Act 1982 (Vic). |
| FOI Decision Maker | Responsible for deciding whether documents should be released under the Freedom of Information Act 1982 (Vic). |

Part B - Restricted Records

(7) For the purposes of these Procedures "restricted records" are defined as records whose unauthorised access, alteration or destruction could cause a significant level of risk to the University or its affiliates.

Part C - External Access to Records

(8) For the purposes of these Procedures "external access" is defined as the provision of access to anyone outside of VU staff and contractors. It therefore includes access to VU records by students, government bodies, partner organizations, the media and the general public.

(9) The procedures for determining if external access can be provided depend on the security classification of the records:

  1. Records that have been classified as Open can be released to external parties on request.
  2. If a request is received for a record that is classified as Internal, the classification of that record should be reviewed. If the record can be re-classified as Open, then it can be released externally. Staff should consult with their manager in making this decision.
  3. If the record's classification is confirmed as Internal, or if it is classified as Restricted, then it should only be released externally under the following circumstances:
    1. The record is being released under Privacy legislation;
    2. The record is being released under the Freedom of Information Act 1982 (Vic);
    3. Release is mandated under some other piece of legislation; or
    4. The record is released to a trusted party under an obligation of confidentiality.

(10) A record should be kept of any external release of University records.

Access under Privacy Legislation

(11) Procedures for providing access to records under privacy legislation are contained in the Privacy Procedure.

Access under Freedom of Information

(12) The Freedom of Information Act 1982 (Vic) gives members of the public a general right, subject to specified exemptions, to access information held by VU. An application under the FOI Act is appropriate when a request is received for external access to records that are classified as Restricted or Internal.

(13) All FOI requests should be made on the Freedom of Information Request Form and should be directed to:

Freedom of Information Officer
Records and Archives Services
PO Box 14428
Melbourne VIC 8001

(14) Documents must be provided to the FOI Officer when requested. Staff should provide all relevant documents, even if they believe the documents should not be released, as all documents need to be assessed as part of the Freedom of Information process.

(15) Under the FOI Act, a Decision Maker is appointed who is responsible for deciding whether documents should be released. The Decision Maker is the manager or head of the administrative branch or academic department that is responsible for the majority of the documents requested. If there is a conflict of interest, a manager at the same or higher level with a good understanding of the documents should be appointed Decision Maker. The Decision Maker makes their decision in consultation with the FOI Officer, and based on advice from Legal Services (if necessary).

(16) Personal information, including names of staff members or other identifying information, may be released under the FOI Act if the release is reasonable. If VU decides to release personal information, every effort will be made to notify the person concerned and seek their views on the release. For more information visit the Office of the Victorian Information Commissioner (OVIC).

(17) Applicants will be charged access fees as allowed under the FOI Act to recoup the costs of searching for and copying information.

Access under Other Legislation

(18) There is a range of legislation that may provide third parties with rights to access VU records. For example, the Health Records Act 2001 (Vic), which applies to health services provided by VU clinics and to medical information submitted by staff, provides individuals with a right of access to their health records.

(19) Where such access rights exist, the decision to release records should still be carefully considered to ensure that the release complies with the relevant legislation and does not disclose more information than is required. Depending on the circumstances, a decision to release records should involve:

  1. Approval by the Manager responsible for the relevant records, or release through a process approved by that Manager;
  2. Consultation with Legal Services if there are questions around the interpretation of the legislation; and
  3. Consideration of the Privacy Policy, and whether the release of the record requires approval from the Privacy Officer.

Confidential Release

(20) In some circumstances it may be appropriate to release Restricted or Internal records to a trusted external party under an obligation of confidentiality. This should only occur where:

  1. There is a compelling business reason (from VU's perspective) to release the records; and
  2. The release does not breach Privacy legislation, or other confidentiality obligations; and
  3. There is a high level of confidence that the external party will maintain the confidentiality of the information.

(21) The release of records under an obligation of confidentiality should follow these steps:

  1. The responsible manager determines that it is appropriate to release the records under an obligation of confidentiality.
  2. A confidentiality agreement (or a confidentiality clause in a wider agreement) should be used to enforce confidentiality. A standard confidentiality agreement is available from the Legal Services website.
  3. Each time records are released, it must be made clear to the recipient that they are receiving confidential information, and that they must not release the information to third parties without explicit permission from VU.
  4. A record should be kept of each external release of records.