Student Privacy Statement

The University of Melbourne (University) is governed by the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) when processing the personal data of individuals. We are also subject to the requirements of federal and international privacy legislation to the extent that these apply to our activities, including when we process the personal data of individuals located in some international jurisdictions. (Together, Privacy Laws)

For the purposes of this statement, personal and health information are referred to collectively as “personal data”, defined broadly in the Privacy Laws as information or opinion that relates to an identified or identifiable individual.

The “processing” of personal data refers to all activities relating to its management by the University, from its collection and use, through to its storage and disposal, and everything in between.

There are various legal bases for our collection and use of your information. The primary purpose for the University processing students’ personal data is that it is necessary to facilitate and administer your enrolment and for us to meet our commitments in delivering on our core functions, such as the provision of teaching, learning and assessment; education and training programs; research and innovation activities; and related student infrastructure, facilities and services, as further outlined in this statement.

We also need to process your personal data to comply with our legal obligations, such as legislated reporting requirements to government agencies or authorities, or responding to an enforceable order from a court or law enforcement agency. In extreme circumstances, the University may need to process your personal data to protect you or others from harm, such as in medical or other emergency situations.

Sometimes the University will need your consent to process specific data, such as certain health information, and personal data classed as “sensitive information” or “special category data”, which require additional protections under the Privacy Laws.

During your engagement with the University, other purposes for the processing of your information not outlined in this statement will be specified in privacy notices for particular activities, detailing how your personal information will be processed in those instances.

The University has a broad legitimate interest in activities that connect to the education of students and contribute to the broader community, as defined in the objects of our enabling legislation the University of Melbourne Act 2009 (Vic). If this is relied upon as the basis for processing your personal data, it is generally in the interest of the University providing or supporting higher education to its students.

The University collects and processes the personal data of students at enrolment and throughout their studies and engagement with us, as part of their student record and for related purposes. We collect and process students’ personal data in a non-intrusive, lawful and fair way.

We only collect personal data that is necessary for the purpose required and directly from you wherever possible. For instance, when you complete enrolment forms or course applications and provide supporting documentation, and when you enter data directly into our student systems.

We will also collect your personal data where you:

• register for events, campus tours, or newsletters;
• become a supporter of, or volunteer with, the University;
• agree to participate in user experience research or provide other feedback.

In such instances, specific privacy notices will be provided to you at the time your information is requested.

Examples of student personal data processed by the University include:

• name, date of birth and residential address;
• assigned student number (unique identifier);
• details of prior qualifications and current course/s of study;
• fee payment details, financial support and scholarship programs information (including Tax File Number and financial institution details);
• citizenship and / or visa status;
• information about your academic progress and standing, examination and assessment results, and details of practical and clinical placements;
• details of any disciplinary or conduct matters;
• details of foreign interest declarations made by students;
• vaccination status and related data, as necessary;
• any other information relevant to your enrolment and education and to facilitate appropriate academic and student services.

Occasionally the University may collect students' personal data indirectly for specific purposes where direct collection is not reasonable or practicable.

These include:

• data collection via the University's wireless network (UniWireless) to inform space utilisation and campus management, and to develop and refine student services and support;
• data collection from the University's Learning Management System (LMS), Library Services, and other student information and relationship systems, to enable reporting analytics, such as academic performance and student progress, and to improve student support and services; and
• data automatically collected from you when you visit websites controlled by The University of Melbourne, as detailed in our Online Privacy Statement.

When you access University facilities and services, it may be necessary for us to process personal data classed as “sensitive information” or “special category data”. This includes:

• where we need to make reasonable adjustments for you due to disability;
• when you access our health and student support services; and/or
• where you undertake courses of study which require us to confirm your fitness to practise in certain regulated professions, or for you to work with children or vulnerable adults, including personal data relating to any criminal record.

Access to, and the sharing of, such data is carefully controlled and you will be given details about our processing at the time we collect it.

Where you provide the University with the personal data of others, such as your emergency contacts, you are encouraged to inform those parties that:

• you are disclosing their data to the University;
• their data will be retained in accordance with relevant University policies; and
• they can access their data by contacting student services.

If you choose not to provide the personal data requested, the University may not be able to enrol you, provide you with your course of study, or provide you with the information, assistance, facilities, or services you have requested, and it may limit opportunities available to you.

Primarily we process your personal data to establish and maintain your student entitlements and obligations during your enrolment and studies with us, to engage with you, and to improve your experience with the University. The personal data processed by us, or on our behalf, is necessary:

• to properly administer your course/s of study;
• to provide and administer student support services, such as health and safety, physical security, and facilities services;
• to facilitate internal and strategic planning requirements, such as providing appropriate infrastructure and sustainable resources; and
• for government reporting purposes relevant to providing and supporting higher education to its students.

Your personal data may also be used for benchmarking purposes, analysis, quality assurance and planning, and to ensure we can provide you with the services and information you have requested.

Other purposes for which we process your personal data include:

• to enable individual faculties to administer courses and programs;
• to allow the Advancement Office to foster and facilitate alumni relationships and networks, and promote University activities;
• to comply with government legislation and directions, including administering and reporting on government run or supported programs; and
• providing limited personal data of sample students to the Department of Education (or its authorised representatives) to facilitate research to improve higher education, quality assurance, and planning.

The Academic Registrar is responsible for maintaining the information of currently enrolled students.

The University will only use or disclose your personal data:

• for the purpose for which it was collected;
• for a related purpose which you might reasonably expect;
• with your permission (consent) to the disclosure;
• if we are required or permitted to do so by law;
• where it is necessary for the pursuit of our legitimate interests (if relevant); or
• to enable our contracted service providers or partners to perform functions on our behalf.

Wherever possible, details of any third parties processing personal data on our behalf are outlined in specific privacy notices provided at the time your personal data is collected. The University does not sell your personal data to third parties under any circumstances or permit third parties to sell personal data we have shared with them.

The University will not disclose your personal data, including results or addresses, to family members without your consent, unless we are required or permitted to do so by law (such as in an emergency). We may engage with you to determine the validity and appropriateness of such consent before accepting it.

We will not confirm to third parties that you are, or have been, a student at the University, except as outlined in this statement, unless you have a record of graduation which is a public document.

• Services Australia (Centrelink) facilitating government programs, such as the Higher Education Loan Program (HELP) and Youth Allowance (Austudy and ABSTUDY);
• The Department of Education supporting and reporting on Commonwealth assistance schemes for eligible students, such as Commonwealth Supported Places (CSP) and HELP, including using Unique Student Identifiers (USI) where necessary;
• The Department of Foreign Affairs and Trade (DFAT) administering the Australia Awards Scholarships program, and the University’s preferred service providers facilitating this, such as our travel agency and health insurance provider;
• The Department of Home Affairs, Department of Education, Australian Taxation Office (ATO), or other federal government departments or agencies, receiving necessary personal data as required by law;
• The Department of Education, or authorised representatives, administering the Quality Indicators for Learning and Teaching (QILT) surveys (Higher Education Support Act 2003 (Cth));
• Space utilisation, campus management, and the development and refinement of University services and facilities by the University or its authorised service providers;
• Another tertiary institution or tertiary admission centre administering the transfer of your studies, including the provision of necessary information about your academic progress and any Government funded research training entitlement;
• Other institutions you are enrolled at being able to facilitate your student exchange program, cross-institutional study, dual degree, shared teaching, industry or clinical experience, or other multi-institutional arrangement; including sharing academic progress and results, and administrative information;
• To meet the compliance requirements of work placement providers, such as Work Integrated Learning or clinical placements, including providing them with relevant health and vaccination information;
• To enable voting at elections for student organisations by providing a list of enrolled students to the returning officer or appointed electoral bodies;
• To confirm your enrolment with bodies affiliated with the University of which you are a member, such as UMSU, GSA, student residences or residential colleges;
• To allow externally contracted parties to perform functions on behalf of the University, such as conducting student surveys or providing academic services, by sharing limited personal data of students with them as necessary;
• To allow sponsors and providers of student prizes, scholarships or awards to contact recipients and otherwise administer and promote their programs;
• Graduate’s details being processed by the University’s Advancement Office so they can contact you about alumni services and events;
• To maintain academic integrity and assist authorised staff in investigating any potential breaches, in accordance with the Student Academic Integrity Policy;
• To comply with a subpoena, summons, warrant, or other written order from a government department, authority, court or tribunal; and
• Where disclosure is necessary to protect a student or someone else from a serious and imminent threat to their life, health, or safety.

The University takes care to manage personal data appropriately and securely. Your personal data is processed in a variety of formats, both electronic and hardcopy, including in enterprise-wide databases used across the University. Accordingly, your personal data is not segregated or treated differently from any other personal data based on your geographic location or jurisdiction.

Our staff receive regular privacy and data protection training, and the University has implemented organisational and technical measures so that personal data is processed in accordance with applicable Privacy Laws.

We take reasonable steps to ensure that any personal data we (or parties operating on our behalf) collect, transmit, store or otherwise process, is accurate and complete, and that technical and organisational measures are implemented and maintained to protect it from accidental or unlawful destruction, misuse, loss, alteration, or unauthorised access or disclosure.

Access to your personal data is limited to authorised University staff and representatives of our affiliates', and contracted third parties, for the purpose of carrying out necessary duties in supporting the University’s functions and activities. Where personal data is disclosed to third parties, it will be done so only to the extent necessary to fulfill the purpose of such disclosure. Where required, we ensure we have appropriate information sharing and/or processing agreements in place before sharing your personal data with any third parties.

In some instances, your personal data may be transferred outside Victoria or Australia. For example, to facilitate your participation in an exchange arrangement, report to an overseas funding provider, or where providers are located internationally or use a cloud-based system with servers based in other jurisdictions. We take reasonable steps to ensure that the interstate or overseas transfer of personal data is in accordance with this privacy statement, relevant University policies, and applicable Privacy Laws.

Once your personal data is no longer required for the purpose it was collected, or for another legislative purpose, it will be securely destroyed in compliance with the University’s retention and disposal authority.

Your academic record, however, is retained indefinitely so that details of your academic achievements can be confirmed and for statistical or historical research purposes.

You may request access to, or correction of, your personal data held by the University, or exercise your individual rights as applicable, unless this would have an unreasonable impact on the privacy of others or would contravene our other legislative obligations.

In many instances you will be able to access and correct your personal data directly through the student portal or by contacting Student Services at Stop 1. Information obtained via course application or online enrolment, which is reported to the Commonwealth Government, can be viewed at my.unimelb.edu.au. If this information is incorrect, or needs to be updated, you will be able change it online or by contacting Stop 1.

To access other personal data we hold about you, contact the relevant faculty or area of the University in the first instance. Sometimes the University may need to manage requests for access to, or correction of, personal data in accordance with the Freedom of Information Act 1982 (Vic). Further information about this process is available on our Freedom of Information webpage.

If the lawful basis for us collecting and processing your personal data was with your consent, you may withdraw this at any time. This will not, however, affect the lawfulness of our processing of your data prior to that point. We would also need to consider such a request in relation to any other legal obligations we may have.

The University Secretary is the University's designated Privacy and Data Protection Officer (PDPO). The privacy team in Legal and Risk provide guidance on the University’s privacy obligations and responsibilities.

Please refer to our Privacy webpage, view our Privacy Policy or contact our privacy team for more information about how the University processes personal data and for details of how to make an enquiry or lodge a complaint.

If you are not satisfied with our response to your query or concern, you may lodge a complaint with the applicable supervisory authority:

• The Office of the Victorian Information Commissioner, in most instances; or
• The Health Complaints Commissioner (specifically regarding health information); or
• Another privacy and data protection authority (federal or international), to the limited extent that their jurisdiction might apply to the University’s activities.