Principle 1 – Collection
1.1 The University:
- will collect personal information only if the information is necessary for one or more of its functions or activities;
- must collect personal information only by lawful and fair means and not in an unreasonably intrusive way
1.2 When the University collects personal information about an individual from the individual, it must take reasonable steps to ensure that the individual is aware of:
(a) the identity of the University and how to contact it; and
(b) the fact that he or she is able to gain access to the information; and
(c) the purposes for which the information is collected (“the primary purposes”); and
(d) to whom (or the types of individuals or organisations to which) the University usually discloses information of that kind; and
(e) any law that requires the particular information to be collected; and
(f) the main consequences (if any) for the individual if all or part of the information is not provided.
1.3 If it is reasonable and practicable to do so, the University will collect personal information about an individual only from that individual. However, there will be instances where the University will obtain such information from other sources, e.g. references for employment purposes; results data for prospective students, verification of formal qualifications of staff and students etc. In such instances the University will take reasonable steps to ensure that the individual is or has been made aware of the matters listed in Principle 1.2, except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.
Principle 2 – Use and disclosure
2.1 The University will not without the prior consent of an individual use or disclose personal information about that individual for a purpose (the secondary purpose) other than the primary purposes of collection except in any of the following situations:
(a) both of the following apply:
- the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection; and
- the individual would reasonably expect the University to use or disclose the information for the secondary purpose; or
(b) if the use or disclosure is necessary for research, or the compilation or analysis of statistics, in the public interest, other than for publication in a form that identifies any particular individual and:
- the research has approval from the RMIT Human Research Ethics committee
- it is impracticable for the University to seek the individual’s consent before the use or disclosure; and
- in the case of disclosure – the University reasonably believes that the recipient of the information will not disclose the information; or
(c) the University reasonably believes that the use or disclosure is necessary to lessen or prevent either:
- a serious and imminent threat to an individual’s life, health, safety or welfare; or
- a serious threat to public health, public safety or public welfare; or
(d) the University has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or
(e) the use or disclosure is required or authorised by or under law; or
(f) the University reasonably believes that the use or disclosure is reasonably necessary for one or more of the following by or on behalf of a law enforcement agency:
- the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction;
- the enforcement of laws relating to the confiscation of the proceeds of crime;
- the protection of the public revenue;
- the prevention, detection, investigation or remedying of seriously improper conduct;
- the preparation for, or conduct of, proceedings before any court or tribunal, or
(g) the Australian Security Intelligence Organisation (ASIO) or the Australian Secret Intelligence Service (ASIS), in connection with its function, has requested the University to disclose the personal information and:
- the disclosure is made to an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) to receive the disclosure; and
- an officer or employee of ASIO or ASIS (as the case requires) authorised in writing by the Director-General of ASIO or ASIS (as the case requires) for the purposes of this paragraph has certified that the disclosure would be connected with the performance by ASIO or ASIS (as the case requires) of its functions.
Any disclosure under paragraphs c to g can only be made by authority of the Academic Registrar, the Vice-Chancellor or by the University Solicitor, and a written record shall be made of the reasons for that decision.
Principle 3 – Data quality
The University will take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up to date. If the University is to ensure the quality and accuracy of personal information, this places an obligation upon an individual to provide relevant and accurate information to the University.
Principle 4 – Data security
4.1 The University will take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
4.2 The University will take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose. Under the Public Record Act 1973 the University is required to keep full and accurate records and implement a record disposal program. Destruction of personal information will be carried out in accordance with the University’s Operating Procedures for Destruction of Records (220.127.116.11).
Principle 5 – Openness
5.1 The University will make this Procedure available to anyone who asks for it.
5.2 On request by a person to the Privacy Officer, the University will take reasonable steps to let the person know, generally, what sort of personal information it holds, for what purposes, and how it collects, holds, uses and discloses that information.
Principle 6 – Access and correction
6.1 If the University holds personal information about an individual, it will provide the individual with access to the information on request by the individual, except to the extent that:
(a) providing access would pose a serious and imminent threat to the life or health of any individual; or
(b) providing access would have an unreasonable impact on the privacy of other individuals; or
(c) the request for access is frivolous or vexatious; or
(d) the information relates to existing legal proceedings between the University and the individual, and the information would not be accessible by the process of discovery or subpoena in those proceedings; or
(e) providing access would reveal the intentions of the University in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
(f) providing access would be unlawful; or
(g) denying access is required or authorised by or under law; or
(h) providing access would be likely to prejudice an investigation of possible unlawful activity; or
(i) providing access would be likely to prejudice:
- the prevention, detection, investigation, prosecution or punishment of criminal offences or beaches of a law imposing a penalty or sanction; or
- the enforcement of laws relating to the confiscation of the proceeds of crime; or
- the protection of public revenue; or
- the prevention, detection, investigation or remedying of seriously improper conduct; or
- the preparation for or conduct of, proceedings before any court or tribunal, or implementation of its orders by or on behalf of a law enforcement agency; or
(j) ASIO, ASIS or a law enforcement agency performing a lawful security function asks the University not to provide access to the information on the basis that providing access would be likely to cause damage to the security of Australia.
6.2 Where providing access would reveal evaluative information generated within the University in connection with a commercially sensitive decision-making process, the University may give the individual an explanation for the commercially sensitive decision rather than direct access to the information.
6.3 If the University is not required to provide the individual with access to the information because of one or more of paragraphs 6.1(a) to (j) (inclusive), the University will, if reasonable, upon request by the individual to the University’s Privacy Officer consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties.
6.4 The University reserves the right to charge for providing access to personal information, and if it does so it will:
(a) advise an individual who requests access to personal information that the University will provide access on the payment of the prescribed fee; and
(b) may refuse access to the personal information until the fee is paid.
6.5 If the University holds personal information about an individual and the individual is able to establish to the satisfaction of the University that the information is not accurate, complete and up to date, the University will take reasonable steps to correct the information so that it is accurate, complete and up to date.
6.6 If the University and the individual disagree about whether the information is accurate, complete and up to date, and the individual asks the University to associate with the information a statement from the individual claiming that the information is not accurate, complete or up to date, the University will take reasonable steps to do so.
6.7 The University will provide reasons for denial of access or a refusal to correct personal information.
6.8 If an individual requests access to, or the correction of, personal information held by the University, the University will:
(a) provide access, or reasons for the denial of access; or
(b) correct the personal information, or provide reasons for the refusal to correct the personal information; or
(c) provide reasons for the delay in responding to the request for access to or for the correction of personal information as soon as practicable, but no later than forty five (45) days after receiving the request.
6.9 Nothing in the RMIT Privacy Principles applies to a document containing personal information, or the personal information contained in a document which would be subject to the provisions of the Freedom of Information Act 1992 (“FOI Act”).
If a person requires access to such a document then he or she must make an application under the FOI Act and access and correction of any errors will then be determined by the FOI Act. However in the case of the personal file access of a staff member may be available to the staff member under the University’s “Personal Files – Access” Policy No. 500 and in the case of students, access may be available to a student’s own personal enrolment and academic records under the University’s Procedure “Release of Information from Academic Student Files V3.1.”
6.10 The University is not required to provide an individual with access to information about that individual if that information is generally available to the public.
Principle 7 – Unique identifiers
7.1 The University will assign unique identifiers to staff and students because this is considered necessary for the University to carry out its functions efficiently. The University may also assign a numerical code to a participant in University research in order to protect the privacy of that person.
7.2 Unless required by law, the University will not adopt as its own unique identifier of an individual the unique identifier of the individual that has been assigned by another organisation.
7.3 The University will not require an individual to provide a unique identifier in order to obtain a service unless the provision of the unique identifier is required or authorised by law or the provision is in connection with the purpose (or a directly related purpose) for which the unique identifier was assigned.
Principle 8 – anonymity
When it is lawful and practicable to do so RMIT will provide an individual with the option of not identifying who they are. However, the nature of the business carried on by RMIT means that, generally, it is not possible for the university to provide services to, or interact with, student or staff members in an anonymous way.
Principle 9 – Trans-border data flows
9.1 The University will only transfer personal information about an individual to someone (other than the University or the individual) who is outside Victoria if:
(a) the University reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the Privacy Principles set out in this Procedure; or
(b) the individual consents to the transfer; or
(c) the transfer is necessary for the performance of a contract between the individual and the University, or for the implementation of pre-contractual measures taken in response to the individual’s request; or
(d) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual between the University and a third party; or
(e) all of the following apply:
- • the transfer is for the benefit of the individual;
- • it is impracticable to obtain the consent of the individual to that transfer;
- • if it were practicable to obtain that consent, the individual would be likely to give it; or
(f) the University has taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with the Privacy Principles set out in this Procedure.
Principle 10 – Sensitive information
10.1 The University will not collect sensitive information about an individual unless:
(a) the individual has consented; or
(b) the collection is required under law; or
(c) the collection is necessary to prevent or lessen a serious and imminent threat to the life or health of any individual, where the individual whom the information concerns:
- is physically or legally incapable of giving consent to the collection; or
- physically cannot communicate consent to the collection; or
(d) the collection is necessary for the establishment, exercise or defence of a legal or equitable claim.
10.2 Despite paragraph 10.1, the University may collect sensitive information about an individual if:
(a) the collection:
is necessary for research, or the compilation or analysis of statistics, relevant to government funded targeted welfare or educational services; or
is of information relating to an individual’s racial or ethnic origin and is collected for the purpose of providing government funded targeted welfare or educational services; and
(b) there is no reasonably practicable alternative to collecting the information for that purpose; and
(c) it is impracticable for the University to seek the individual’s consent to the collection.
The provisions of this attachment to policy are subject to any other legislation that may over-ride the Information Privacy Act 2000 (Vic.) and, where relevant, the Health Records Act 2001 (Vic).
For the purposes of clause 23 of Schedule 1A Part 1 Division 4 of the Higher Education Support Act (HESA) 2003 (Cth) and section 19-60 of Chapter 2 Part 2-1, Division 19 of the HESA Act the University complies with the information privacy principles set out in the Privacy Act 1988 (Cth).[Next: Supporting documents and information ]