Privacy and information management policy

Purpose

To guide staff in the responsible collection, use, disclosure and handling of information collected and managed by the RMIT Group and all its operations.

Scope

The policy is applicable to:

  • staff, students and clients of the RMIT Group
  • external providers and contractors who may collect, access, use, disclose or manage personal, sensitive, health and confidential information relating to staff, students or any other individual whose information may be collected
  • staff and RMIT offshore partners regarding RMIT information as per inclusion in relevant partnership agreements or contracts.

Policy provisions

1. Collection of personal and sensitive information

1.1. Only information that is necessary to fulfil RMIT functions and activities is collected;

1.2. Sensitive information is only collected and used in accordance with relevant RMIT processes, or where required or permitted by law;

1.3. Individuals are advised of the purpose of collection and their rights to access that information; and

1.4. Maintained information is accurate, complete and up-to-date.

2. Use and storage of personal and sensitive information

2.1. Personal or sensitive information is only used for the purpose for which it was collected, or for related secondary purposes with consent or as required or permitted by law;

2.2. Is open and transparent about the type of personal or sensitive information RMIT collects from individuals and how the information is used;

2.3. Stores personal or sensitive information securely in accordance with the Information Security Classification Schedule (Schedule 1).

2.4. Ensures personal credit card details that could inappropriately disclose personal information is never retained or stored at RMIT.

2.5. RMIT must assign and use student and staff numbers only to facilitate efficient management of RMIT business and, where possible, not to use other organisations’ identifiers.

2.6. Personal information must only be collected, stored or handled in accordance with the processes and guidance materials developed and approved by:

2.6.1. the RMIT Privacy Officer (for RMIT Melbourne, RMIT Vietnam and RMIT Europe)

2.6.2. the Chief Executive Officer (for RMIT Training).

2.7. Where RMIT information or personal information is stored on a portable storage device (PSD), the device owner must take all reasonable steps to ensure the security of the PSD and the information stored on it.

2.8. Personal or sensitive information stored on a PSD is protected.

2.9. Personal or sensitive information must not be stored on any application or software that has not been provided by RMIT.

3. Management of RMIT records and information

3.1. RMIT records must be stored in an approved RMIT business application or EDRMS.

3.2. New RMIT business applications are assessed before deployment by the ITS project team in accordance with the Information Security Classification Schedule (Schedule 1) and the Information technology policy.

3.3. Access to the EDRMS is in accordance with the processes approved by the Manager Information Management.

3.4. EDRMS users are required to undergo appropriate training as directed and organised by Information Management and must follow the requirements set out in the TRIM Manual (PDF).

4. Transmission of information across borders

4.1. RMIT must only transmit personal information across borders to a location where different privacy laws apply when trans-border transmission is reasonably necessary for RMIT functions or business activities and:

4.2. RMIT can reasonably ensure the recipient does not breach the law; and

4.3. The transmission is permitted by law; or

4.4. Specific consent of the individual has been obtained.

5. Access to and management of Academic Student Records

5.1. The following RMIT staff are responsible for the management and access of Academic Student Records and development of the associated processes [insert link]:

5.1.1. Academic Registrar (for RMIT Melbourne)

5.1.2. Executive Director (Students) (for RMIT Vietnam)

5.1.3. Director, Partner and Client support (for RMIT Training).

6. Access to and management of Employee Records

6.1. The following RMIT staff are responsible for the management and access of Employee Records and development of the associated processes:

6.1.1. Deputy Director, HR Shared Services (RMIT Melbourne)

6.1.2. The Executive Director (RMIT Europe)

6.1.3. The Director, Human Resources (RMIT Vietnam)

6.1.4. The Director, Human Resources (RMIT Training)

7. Retention and disposal

7.1. The Research policy governs the retention and disposal of research records.

7.2. Retention and disposal of RMIT business information and records must follow the processes established by the Assistant Director, Information Management and Archives and, where necessary, approved via the Application for Disposal form prior to disposal or deletion.

7.3. Information that is part of a current Freedom of Information request must be retained.

7.4. Information that is reasonably likely to be required in future legal proceedings must not be destroyed.

7.5. The transfer of records must follow the Transfer of records policy process developed by the Assistant Director, Information Management and Archives.

7.6. Access to RMIT information or personal information stored at RMIT Archives is granted in accordance with the Access to Archives policy process developed by the Assistant Director, Information Management and Archives.

8. Privacy Impact Assessment and investigations

8.1. Staff must complete a Privacy Impact Assessment (DOCX) for:

8.1.1. projects (excluding research projects),

8.1.2. development of new information systems,

8.1.3. or other activities with a potential impact to privacy, data protection and information management.

8.2. For research projects the privacy impact is assessed as part of the human research ethics process.

8.3. Privacy impact assessment and investigations about a privacy breach or complaint must be conducted in accordance with the processes and guidance materials developed by the Assistant Director Compliance. For entities, the processes and guidance material are agreed to by:

8.3.1. The President RMIT Vietnam

8.3.2. The Executive Director, RMIT Europe

8.3.3. The CEO of RMIT Training.

9. Breaches and complaints

9.1. Investigations of breaches of this policy or non-compliance with legislation are undertaken in accordance with the guidelines developed and agreed. For entities, investigations are undertaken in conjunction with:

9.1.1. The President RMIT Vietnam

9.1.2. The Executive Director, RMIT Europe

9.1.3. The CEO of RMIT Training.

[Next: Definitions]