Staff privacy statement

Our staff are important to us. We need to ensure that the information we hold about you is accurate, complete and current. We ask that you please keep this updated during your employment and engagement with us.

The University of Melbourne (University) respects the privacy of anyone we interact with and is committed to protecting and managing personal and health information fairly and lawfully.

This statement is intended to notify you of the University's usual collections, uses and disclosures of staff personal information and should be read in conjunction with our Privacy Policy and other statements on our Privacy webpage, as well as the University’s Recruitment and Employment Privacy Notice.

The “processing” of personal information refers to all activities relating to its management by the University, from collection, use and disclosure, through to storage and disposal.

The University is governed by the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) when collecting and processing the personal and health information of individuals. In certain circumstances, including where we process the personal or health information of individuals located in some international jurisdictions, we are also subject to the requirements of federal and international privacy legislation. (Together, Privacy Laws).

Personal information (sometimes referred to as “personal data”) is defined in the Privacy Laws. Broadly, this covers information or opinion, whether true or not, that relates to an identified or identifiable individual. Sensitive information and health information are specific types of personal information defined in the Privacy Laws and subject to additional protections.

The University collects and processes your personal information during the recruitment and onboarding processes, and throughout your employment with us as part of your employee record and for related purposes that you would reasonably expect.

We only collect personal information that is necessary for the purpose required and directly from you wherever possible. For instance, when you complete your onboarding and enter your information directly into our systems.

During recruitment and employment, we may require or request relevant information about your identity and personal details, including your citizenship or visa status, personal attributes, qualifications and work-related permits, memberships, affiliations or interests.

For detailed information about the collection of personal information during recruitment and onboarding, please refer to the University’s Recruitment and Employment Privacy Notice.

The University may collect your personal information indirectly or automatically for specific purposes where collection from you is not reasonable or practicable.

This may include:

  • information provided about you by other staff, students, or third parties in the course of University activities;
  • information from publicly available sources, including professional profiles and social media, relevant to your role or activities;
  • data and metadata logged or collected when you use University-provided IT, communication, network or collaboration services, including authentication logs, device connection and configuration data, usage metadata, and data associated with your staff username, credentials, and email account;
  • data generated when using collaboration tools (such as Zoom, Teams, or Echo360) including recordings, transcripts, translations, captions, chat logs, or metadata produced by those platforms for work-related purposes;
  • information collected via the University’s Security Safety System, including CCTV, authorised body-worn cameras, authorised surveillance devices, building access logs, fleet vehicle access, and other approved monitoring systems;
  • data collected when you access or use University property, services or facilities for safety, security, access control, infrastructure or operational purposes;
  • data collected automatically when you visit websites controlled by the University (including via cookies and similar technologies), as described in the University’s Online Privacy Statement.

Before offering you a position, we (or recruitment agencies acting on our behalf) may collect information about you from previous employers and nominated referees, or relevant third parties to conduct probity and background checks regarding your employment history and work and/or to determine your suitability for certain positions. This may include enquiries relating to investigations or legal proceedings regarding your conduct during your current or previous education or employment, where information may be provided by others, or sourced from publicly available information, including social media. We may also review social media or other public sources during your employment to support enquiries and activities relating to workplace or misconduct investigations.

Your use of University computing and network facilities may be logged, monitored, recorded and analysed by authorised University personnel for purposes including to:

  • substantiate an allegation of misuse of University computing and network facilities;
  • facilitate the investigation of an activity that may be contrary to University regulations, policy, or the law;
  • facilitate the investigation of misconduct allegations and investigations, including where the use of the University computing and network facilities is not the subject of the suspected misconduct;
  • ensure the security, integrity, and availability of University systems and networks;
  • maintain and improve IT operations, performance, and service delivery;
  • detect and respond to cybersecurity threats and suspicious activity; or
  • fulfil legislative, regulatory or audit obligations relating to ICT operations.

Where you provide the University with the personal information of other individuals, such as your emergency contacts, you are encouraged to inform those parties that:

  • you are disclosing their personal information to the University;
  • their information will be retained in accordance with relevant University policies; and
  • they can access or seek correction of their information by contacting HR Assist.

The primary purpose for collecting your personal information during recruitment is to assess your application.

If you are employed, we will collect and use your personal information for primary purposes in our legitimate interest and authorised by the University’s legislation, rules and policies, including but not limited to the Appropriate Workplace Behaviour Policy, Provision and Acceptable Use of IT Policy, and Property Policy. This enables us to fulfil our statutory functions under the University of Melbourne Act 2009 (Vic), including delivering teaching, learning and assessment; education and training programs; research and innovation activities; and related infrastructure, services and operations. It also enables us to administer your conditions of employment, workplace obligations, benefits, salary and superannuation, and to maintain, update and manage your employment and performance records.

During your employment with the University, other employment-related purposes for processing your personal data not outlined in this statement will be specified in privacy notices for particular activities, detailing how your personal information will be processed in those instances.

During your employment, any personal information collected directly, indirectly or automatically may be logged, monitored, recorded and analysed by authorised University personnel for the purpose of:

  • managing your health, safety, and performance, and that of your working environment;
  • ensuring the integrity of University activities and processes;
  • assisting the detection and investigation of actual or suspected misconduct, or unlawful activity, or breaches of University regulations or rules (however described, but including codes of conduct or policies that apply to your employment);
  • supporting the secure, efficient and lawful operation of University systems, infrastructure, and services;
  • supporting business continuity, cybersecurity, audit, and assurance processes; and
  • meeting compliance or reporting obligations under applicable laws or external accreditation or regulatory schemes.

We also need to process your personal information to comply with our legal obligations, such as legislated reporting requirements to government agencies or authorities, or responding to an enforceable order from a court or law enforcement agency. Depending on your role and work activities, this may also include compliance with regulatory obligations relating to professional accreditation, research integrity, workplace relations, health and safety, funding agreements, and obligations associated with work conducted in collaboration with affiliates or partner organisations.

The University may need to process your personal information to protect you or others from harm, including but not limited to medical or other emergency situations.

The University’s Recruitment and Employment Privacy Notice further outlines how your personal information is managed throughout our recruitment and employment processes.

We may process your personal information, including data collected about your access to or use of University-provided property, services, or facilities (including email accounts), or from social media or other public sources where relevant to assist in the detection and investigation of actual or suspected misconduct, unlawful activity, breaches of University regulations or rules (however described, but including codes of conduct or policies), or any other breach of duty or condition of employment. Any such processing will be limited to what is reasonably necessary and proportionate for the purpose and will be conducted by authorised personnel only, in accordance with applicable Privacy Laws and University policies.

Your personal information may also be used for the following purposes relevant to your employment and engagement at the University:

Workforce and HR

  • managing staff participation in University activities, programs, professional development, and staff training;
  • managing your eligibility to undertake specialised duties (including compliance checks, working with children checks, occupational licences, or professional accreditation requirements);

Safety and Compliance

  • safely managing your access to University premises, controlled environments, research facilities, laboratories, or sensitive workspaces;
  • delivering services relating to occupational health, safety and wellbeing, including risk management and incident response;
  • complying with University policies, codes and procedures relating to integrity, conduct, regulatory obligations, and audit or assurance requirements;

Affiliates and Collaborations

  • administering, coordinating and supporting joint appointments, adjunct roles, honorary positions, cross-institutional teaching or research arrangements, and other collaborations with affiliates or partner institutions;

Research and Teaching

  • facilitating the administration of grants, research projects, consultancy work, secondments, or externally funded programs;

Operational Analytics

  • analysing workforce trends, staffing needs, quality assurance outcomes, and undertaking internal planning or benchmarking. This includes strategic planning, organisational management, and analysis of operational effectiveness.

The University will only use or disclose your personal information in the following instances:

  • for the purpose for which it was collected;
  • for a related purpose which you would reasonably expect;
  • with your permission (consent) to the disclosure;
  • if we are required or permitted to do so by law;
  • where it is relevant and necessary for the pursuit of our legitimate interests; or
  • to enable our contracted service providers or partners to perform functions on our behalf.

This may include disclosures necessary to deliver the University’s statutory functions and operational requirements, or to support employment-related activities.

The University may also disclose, or provide authorised access to, your personal information to representatives of University affiliates, partner organisations or entities with which the University has a formal relationship. This may occur where it is necessary to support:

  • joint, adjunct, clinical, honorary or affiliate appointments;
  • collaborative teaching, research, supervision or professional placement arrangements;
  • administration of shared programs, services, activities or infrastructure; or
  • compliance with regulatory, accreditation or professional standards applicable to collaborative arrangements.

Where required, the University may share your information with external bodies such as the Australian Taxation Office, and other government departments or regulatory or law enforcement authorities, to meet mandatory reporting or disclosure requirements or where reasonable to do so.

Specific examples of when the University will disclose your personal information to third parties include for the following purposes:

  • to comply with a subpoena, summons, warrant, or other written order or notice from a government department, regulatory or law enforcement authority, court, or tribunal;
  • where disclosure is reasonably necessary to protect you or someone else from a serious threat to your or their life, health, safety, or welfare;
  • organisations that provide salary packaging benefits to eligible and participating staff members, where you are a participant staff member; and
  • insurance purposes, including the management of workers’ compensation or work-related travel claims.

The University may also disclose your personal information, where necessary and proportionate, for the following purposes:

  • managing your salary, superannuation, payroll administration or benefits, including disclosures to payroll processors, superannuation funds, financial institutions, or salary packaging providers;
  • administering professional development, training, staff performance systems, or external certification programs;
  • facilitating travel, insurance, risk management, or incident response processes;
  • administering research funding, grant compliance, consultancy work or externally funded projects;
  • supporting the administration of collaborative programs involving affiliates, external research institutes, clinical partners or teaching hospitals;
  • confirming employment status or providing information to accreditation or professional regulatory bodies where relevant to your role; and
  • engaging external contractors or service providers who support HR, ICT, security, audit, legal, finance, risk, occupational health and safety, or infrastructure functions.

The University may disclose limited personal information to auditors, investigators, claims managers, insurance providers or legal advisers where required to support audit obligations, claims administration, legal rights, dispute resolution or assurance activities.

The University does not sell your personal information under any circumstances and will not permit third parties to sell personal information we share with them.

If you choose not to provide the information requested, it may not be possible for the University to consider you for employment, administer your employment as a staff member, or it may limit the benefits and assistance available to you.

It is your ongoing responsibility during employment with us to ensure the information we hold about you in our systems is accurate and up to date.

The University takes care to manage personal information appropriately and securely. Your personal information is processed in a variety of formats, both electronic and hardcopy, including in enterprise-wide databases. Accordingly, your personal information is not segregated or treated differently from any other personal information based on your geographic location or jurisdiction.

The University takes reasonable steps to ensure that any personal information we (or parties operating on our behalf) collect, transmit, store or otherwise process, is accurate and complete, and that technical and organisational measures are in place to protect it from accidental or unlawful destruction, misuse, loss, alteration, or unauthorised access or disclosure. These measures include access controls, authentication safeguards, secure storage and transmission practices, audit and monitoring procedures, and requirements that third-party providers implement equivalent protections.

Access to your personal information is limited to authorised University staff, and authorised representatives of affiliates where necessary, and contracted third parties, for the purpose of carrying out necessary duties in supporting the University’s functions and activities. Where personal information is disclosed to third parties, it will be done so only to the extent necessary to fulfill the purpose of such disclosure. Where required, the University ensures that appropriate agreements, confidentiality obligations, or information-sharing arrangements are in place before personal information is accessed by or disclosed to third parties or affiliates. Access and handling practices are supported by organisational and technical measures designed to safeguard personal information, in accordance with the University’s information security, records management and privacy governance frameworks.

Staff receive regular privacy and data protection training, and the University has implemented organisational and technical measures so that personal information is processed in accordance with applicable Privacy Laws.

In some instances, your personal information may be transferred outside Victoria or Australia. For example, where providers are located internationally or use a cloud-based system with servers based in other jurisdictions. We take reasonable steps to ensure that the interstate or overseas transfer of personal information is in accordance with this privacy statement, relevant University policies, and applicable Privacy Laws, including ensuring that appropriate safeguards or contractual protections are applied.

Once your personal information is no longer required for the purpose it was collected, or for another legitimate purpose, it will be securely destroyed in compliance with the University’s retention and disposal authority.

You may request access to, or correction of, your personal information held by the University, or exercise your individual rights as applicable, unless this would have an unreasonable impact on the privacy of others or would contravene our other legislative obligations.

In many instances you will be able to access and update or correct your personal information directly through the applicable HR system.

To access other personal information we hold about you, contact the relevant faculty or area of the University in the first instance. Sometimes the University may need to manage requests for access to, or correction of, personal information in accordance with the Freedom of Information Act 1982 (Vic). Further information about this process is available on our Freedom of Information webpage.

If the lawful basis for us collecting and processing your personal information was with your consent, you may withdraw this at any time. This will not, however, affect the lawfulness of our processing of your data prior to that point. We would also need to consider such a request in relation to any other legal obligations we may have.

The University Secretary is the University's designated Privacy and Data Protection Officer (PDPO). The privacy office in Legal and Risk provide guidance on the University’s privacy obligations and responsibilities.

Please refer to our Privacy webpage, view our Privacy Policy or contact privacy-officer@unimelb.edu.au for more information about how the University processes personal information and for details of how to make an enquiry or lodge a complaint.

If you are not satisfied with our response to your query or concern, you may lodge a complaint with the applicable supervisory authority:

The University periodically updates its privacy statements to reflect changes in our practices or obligations. We encourage you to review this statement regularly. Where updates materially affect how your personal information is collected, used or disclosed, we will communicate these changes through appropriate staff channels.

The most recent substantive changes were made 22 January 2026.