Privacy and data protection policy

Intent

To protect the fundamental right to privacy with respect to the processing of personal, sensitive and health information;

To protect the right to confidentiality with regard to information relating to the personal affairs of an individual that may be considered private;

To assure compliance with relevant privacy and data protection legislation; and

To establish principles of transparency and fairness for the management of personal, health, sensitive or confidential information at RMIT University and all its operations.

Scope

This policy covers the management of all personal, sensitive and health information at RMIT no matter how collected or stored.

The policy is applicable to all staff and students within the RMIT Group including offshore campuses and controlled entities.

The policy is applicable to any external providers and contractors contracted by RMIT who may collect, access, use, disclose or manage personal, sensitive, health and confidential information relating to staff, students or any other individual whose information may be collected.

The policy is applicable to RMIT offshore partners regarding RMIT enrolled students and RMIT employed staff via inclusion in relevant partnership agreements or contracts.

Exclusions

This policy does not apply to personal information or data which has been manifestly made public by the data subject or is legitimately already within the public domain.

This policy does not include information that relates to a corporate, government or business entity.

Objectives

To guide staff in the responsible collection, use, disclosure and handling of information collected and managed by the University and all its operations, which relates personally to an individual or their affairs.

Policy provisions

1. Management of personal, sensitive, health and confidential information (relating to an individual)

RMIT is committed to the responsible handling, and open and transparent management, of personal, sensitive, health and confidential information and to protecting the right to privacy of individuals whose information it holds.

RMIT must not act or engage in a practice that breaches any relevant privacy or data protection legislation in Victoria, Australia or other jurisdiction in which RMIT operates; except where other Victorian, Australian or international jurisdiction legislation specifically requires or allows the practice.

Provisions within this policy also apply to unsolicited personal information received.

2. Basic privacy and confidentiality principles

The following basic privacy principles must be applied in accordance with the relevant supporting instruction.

RMIT and all its operations must:

a. Collect only that information necessary to fulfil RMIT functions and activities;

b. Advise individuals of the purpose of collection and their rights to access that information;

c. Use the information only for the purpose for which it was collected, for related secondary purposes, with consent or as required or permitted by law;

d. Manage all data or privacy breaches in accordance with the Compliance Breach Reporting Procedure and always consider, in a non-self-serving manner, notification to impacted individuals;

e. Not use or disclose personal information for the purpose of direct marketing, unless an exemption applies or unless express consent has been obtained from the individual;

f. Endeavour to ensure that information is accurate, complete and up-to-date;

g. Ensure the security of information and its proper storage, archiving or disposal in accordance with appropriate recordkeeping standards and information technology safeguards;

h. Be open and transparent about the RMIT Privacy and Data Protection Policy, about the type of personal information RMIT holds and what is done with such information;

i. By arrangement, enable individuals to access their data and make appropriate corrections, in accordance with relevant access procedures;

j. Assign and use student and staff numbers only to facilitate efficient management of RMIT business and, where possible, not to use other organisations’ identifiers;

k. Transmit personal information / data across geographical borders only to legitimate recipients, after appropriate risk assessment of privacy protections, and when equivalent safeguards are accorded to the information / data by the recipient;

l. Collect and use sensitive information only in accordance with the relevant RMIT procedure or instruction, or where required or permitted by law.

3. Personal student information

The principles of Victorian privacy law are the base or minimum level of information management and protections for all RMIT students and their personal, sensitive and health information. Where applicable, additional or higher level protections afforded by other jurisdictional law may be applied.

Where a law in any jurisdiction appears to be in conflict with Victorian privacy law, consultation must be undertaken with the RMIT Privacy Officer, the Assistant Director, Compliance or an appropriate legal officer to gain advice on additional processes that may need to be implemented to continue privacy protection assurance.

a. Cross border flows of student personal information

Personal student information can be transferred to RMIT operations in other jurisdictions only where:

    • Assurance has been gained that the recipient RMIT operation manages and protects personal information in accordance with this policy; and
    • The provision is necessary for legitimate RMIT operations or activities; or
    • Specific consent of the individual has been obtained.

Where doubt exists as to the validity of a cross border transfer of information, the RMIT privacy officer must be consulted.

4. Privacy complaints

Individuals have the right to make a privacy complaint to RMIT. Complaints must be made in accordance with the Privacy complaints procedure.

The RMIT Privacy Officer, or appropriate privacy or legal officer, is responsible for the administration and resolution of complaints related to privacy. Where a complaint is received on another matter that includes a privacy-related component, the RMIT Privacy Officer, or appropriate privacy or legal officer, must be consulted as part of investigation and resolution processes.

5. Privacy breaches or non-compliance

Privacy breaches must be managed in accordance with the Compliance breach reporting procedure.

Where a privacy breach occurs, the initial priority must be to contain the breach and consideration must be given as part of investigation and resolution to whether notification to affected parties should be made (dependent upon potential adverse impact to individuals).

All privacy breaches must be reported to the RMIT privacy officer, or appropriate privacy or legal officer, even when managed by local line management.

6. Privacy impact risk assessments – RMIT policies, projects and contracts

Account must be taken of the RMIT Privacy and Data Protection Policy and supporting procedures / instructions when reviewing and/or developing other university policies and procedures.

The RMIT Privacy Officer, or appropriate privacy or legal officer, must be consulted at an early stage to assess the privacy impact of projects, development of new information systems, or other activities with a potential impact to privacy, data protection and information management (privacy impact assessment). The Information Technology Services (ITS) data security team, or appropriate data security officer, should also be consulted with regard to data security assurance.

Privacy impact assessments must be carried out in accordance with the Privacy impact assessment procedure.

Contracts and agreements relating to activities that may involve personal, sensitive or health information must be developed in conjunction with RMIT Legal Services, or appropriate legal officer, to ensure inclusion of appropriate privacy protection clauses, particularly where that contract or agreement will result in personal information crossing geographical borders.

7. Privacy compliance training

All RMIT staff must complete or attend required privacy training upon commencement of employment at RMIT or upon provision to existing staff (whichever applies), and complete regular refresher training as directed.
