General Privacy Statement
The University of Melbourne (“University”) respects the privacy of anyone who interacts with us and is committed to protecting and managing personal information fairly and lawfully.
Your personal information will be managed in accordance with our privacy obligations. We are governed by applicable privacy laws, including the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) when processing your personal and health information. To the extent that they apply to our activities, we are also subject to the requirements of the Privacy Act 1988 (Cth) and the European Union General Data Protection Regulation 2016/679 (which relates to individuals located in the European Economic Area). (Together, ‘Privacy Laws’).
For the purposes of this statement, health and personal information are referred to collectively as “personal information” (sometimes known as “personal data”), which is defined broadly in the Privacy Laws as recorded information or opinion that relates to an identified or identifiable individual.
The “processing” of personal information refers to all activities relating to the management of personal information by the University, from its collection and use, through to its storage and disposal, and everything in between.
Our lawful basis for processing your personal information is that it is necessary for the pursuit of our legitimate interests in delivering our core functions, such as teaching, learning and research, as defined in the objects of our enabling legislation, the University of Melbourne Act 2009 (Vic). Refer to our other privacy statements for further details about our lawful basis for processing personal information.
We collect and process personal information through lawful and fair means and in a non-intrusive way. We will collect your personal information directly from you wherever possible. However, where this is not practicable, we may collect information you have provided through other avenues, as detailed in the specific privacy collection notice provided to you at the time your personal information is collected.
We only process personal information as necessary, for specified purposes, and in accordance with the relevant Privacy Laws. The purpose and lawful basis for collecting your personal information is detailed in the specific privacy collection notices for particular activities.
We will only use or disclose your personal information under the following circumstances:
- for the purpose for which it was collected
- for a related purpose which you might reasonably expect
- where you have consented to the disclosure
- if we are required or permitted to do so by law
- where it is necessary for the pursuit of our legitimate interests (such as facilitating teaching, learning and research)
- where we have engaged a contracted service provider or partner to perform legitimate functions on our behalf, such as those outlined in the privacy collection notice.
Where relevant, examples of third parties we provide personal information to, and for what purposes, are captured in the privacy collection notice provided to you at the time your personal information is collected.
We do not sell your personal information to third parties under any circumstances or permit third parties to sell on the information we have shared with them.
We take great care to ensure that personal information is handled, stored and disposed of confidentially and securely. Your personal information is collected, stored and transmitted securely in a variety of paper and electronic formats. This includes databases that are shared across the University. Accordingly, your personal information is not segregated or treated differently from any other personal information based on your geographic location or jurisdiction.
Our staff receive regular privacy and data protection training, and the University has implemented organisational and technical measures so that personal information is processed in accordance with the Privacy Laws as applicable.
We take all reasonable steps to ensure that any personal information we (or third parties operating on our behalf) collect, transmit, store or otherwise process, is accurate and complete, and that appropriate technical and organisational measures are implemented and maintained to protect it from accidental or unlawful destruction, misuse, loss, alteration, or unauthorised access or disclosure.
Access to your personal information is limited to authorised University staff and contracted third parties, or affiliates' representatives, who have a legitimate interest in it for the purpose of carrying out necessary duties. Where personal information is disclosed to third parties, this will be done only to the extent necessary to fulfil the purpose of such disclosure. Where required, we ensure we have appropriate information sharing and/or processing agreements in place before sharing your personal information with any third parties.
In some instances, your personal information may be transferred outside of Victoria or Australia (for example, where providers are located internationally or use a cloud-based system with servers based in international jurisdictions). We take all reasonable steps to ensure that the interstate or overseas transfer of personal information is in accordance with this privacy statement, relevant University policies and the Privacy Laws, as applicable.
Once your personal information is no longer required for the purpose it was collected, and in accordance with our other legislative obligations, it is securely destroyed in compliance with the University’s retention and disposal authority.
You may request access to, or correction of, your personal information we hold, or exercise your individual rights as applicable (including under GDPR if applicable), unless this would have an unreasonable impact on the privacy of others or would contravene our other legislative obligations.
For access to personal information that we hold about you, you should contact the department that holds the information in the first instance. In some circumstances, the department or area of the University that holds that information may need to liaise with our Legal and Risk area before determining whether they can provide the information directly to you.
At times, we may require requests for access to or correction of personal information to be made in accordance with the Freedom of Information Act 1982 (Vic). Further information about this process is available on our Freedom of Information web page.
If the lawful collection of your personal information is based on your consent, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of our processing of your information prior to you withdrawing your consent.
The University Secretary is the University's designated Privacy & Data Protection Officer (PDPO). The privacy team in Legal & Risk provide guidance on privacy obligations and responsibilities.
If you are dissatisfied with our response to a complaint, you may lodge a complaint with the applicable supervisory authority:
- Office of the Victorian Information Commissioner (in relation to personal information and/or sensitive information)
- Health Complaints Commissioner (in relation to health information)
- Office of the Australian Information Commissioner (to the extent that the Privacy Act 1988 (Cth) applies)
- Data Protection Authority (to the extent that GDPR applies)
We periodically refine our privacy statements. The overall level of privacy protection is maintained when changes or inclusions are made. Wherever possible, we will inform you of any substantive changes to this Privacy Statement. However, we may occasionally make changes without notice, particularly where there are amendments to the relevant laws or we adopt new working practices.
We therefore encourage you to regularly review this statement for any updates. The most recent substantive changes were made 12 March 2021.