Surveillance Policy

The University is introducing a Surveillance Policy to promote transparency and clearer governance for the University’s surveillance activities and the use of surveillance information. The Surveillance Policy does not introduce any new surveillance activities and does not replace the University’s existing privacy policies and processes, which continue to apply. The Surveillance Policy explains current practices more clearly and sets out approval steps for decisions about new or changed surveillance activities. These approval pathways are designed to provide oversight for surveillance, and protect against ‘scope creep’. The introduction of the Surveillance Policy is a requirement of the Victorian Privacy and Data Protection Deputy Commissioner following their investigation into certain uses of surveillance by the University.

This policy aims to:

1. Ensure transparency in the University's surveillance activities
2. Establish clear protocols for any new or material changes to surveillance activities
3. Establish clear approval requirements for using or disclosing surveillance information.

When final, the policy will apply to anyone visiting University premises, using University assets or IT systems, or engaging in University activities. This includes University staff, contractors, students, honorary appointees, volunteers and visitors.

The University currently carries out various surveillance activities for specific purposes, which can include:

• Optical surveillance (eg security cameras to protect people and property)
• Data surveillance (eg if appropriate approvals are obtained, reviewing IT system or facilities access, emails, or websites visited when required to investigate potential misconduct, including data matching for identification purposes. Common situations for data matching include determining a person’s location to investigate unauthorised access to University facilities)
• Audio surveillance (eg using recordings of calls made to the University’s Security Control Room or help phones on campus as part of an investigation)
• Tracking surveillance (eg using a GPS or location tracker to locate University equipment).

Current approved surveillance activities, including when the University can use surveillance information or share it with others, are in the Register of Approved Surveillance Activities, available here. Any new or changed surveillance activity or proposed use or disclosure of surveillance information that is not included in the register must be approved on a ‘case by case’ basis in accordance with the Surveillance Policy.

Surveillance activities are generally undertaken to maintain security, ensure academic integrity, comply with legal and regulatory requirements, investigate staff or student misconduct and support the overall safety and wellbeing of the University community.

The University does not undertake any form of surveillance in toilets, washrooms, change rooms or lactation rooms.

Activities are excluded from the Surveillance Policy where they:

• Are required or authorised by law (for example, managing workplace injury claims or assisting law enforcement where reasonably necessary)
• Are covered by other comprehensive governance frameworks (for example, internal audits, approved research projects, or activities protecting financial integrity of University transactions)
• Do not involve targeted surveillance of individuals (for example, maintaining IT security and system availability, or analysing anonymous data for space management purposes – however if this information is later used to investigate a suspected breach of University rules, regulations or policies, the Surveillance Policy will apply, which ensures appropriate oversight and governance where surveillance‑type activities are involved).

Before approving a new surveillance activity, or a material change to an existing surveillance activity, the University must:

• Consider how the activity might affect human rights, such as privacy, freedom of expression or freedom of association
• Ensure the activity will not discriminate against anyone based on protected characteristics like gender, race, or religious or political beliefs
• Ensure that the activity is for a legitimate purpose and is reasonably proportionate – this means the University must balance the need for surveillance against its impact on people’s privacy
• Before using or sharing surveillance information, check that doing so is reasonable and considers relevant human rights.

The Surveillance Policy does not apply where the University is using purely anonymous data that cannot identify an individual. However, the policy will apply if that anonymous data is later matched with other data for a surveillance activity – for example, matching desk sensor data with video surveillance footage to identify whether a person was in a particular location, to investigate potential misconduct.

The University developed this Surveillance Policy in response to the Victorian Privacy and Data Protection Deputy Commissioner’s investigation into certain uses of surveillance by the University. This investigation prompted the University to consider its surveillance activities and develop a dedicated policy to promote transparency and clearer governance for surveillance activities and the use of surveillance information. We are not aware of any other Victorian universities with dedicated surveillance policies. However, workplace surveillance policies are more common for universities in some other jurisdictions where laws require that certain types of surveillance may only be carried out with notice or in accordance with employer policies.

Yes. The policy supports the University’s compliance with various privacy laws including the Privacy and Data Protection Act 2014 (Vic) and the Surveillance Devices Act 1999 (Vic). The University must also consider privacy when approving surveillance activities or the use or disclosure of surveillance information.

Surveillance information can only be used for approved purposes, including:

• Protecting health, safety, and welfare of individuals
• Ensuring the safety and security of University premises and property
• Investigating potential staff, student or research misconduct.

Use of surveillance information must be in accordance with the Surveillance Policy, the Register of Approved Surveillance Activities and other applicable University policies and procedures.

Surveillance information can only be used by:

• The people or roles specified in the Register of Approved Surveillance Activities and for the stated purposes;
• Those who are approved by senior University staff to use surveillance information, in line with the process in section 5 of the policy; or
• Others (such as law enforcement agencies) when required by law.

The University has several safeguards to prevent surveillance information from being misused, including:

• Approval requirements – surveillance activities can only be carried out if they are approved, and must follow any conditions or limits set by the approver, and any operational procedures for the activity
• Clear access and purpose limits – only authorised roles are allowed to use surveillance information, and only for approved purposes
• Scope creep protections – material changes to existing surveillance activities must follow the approval process in the policy
• Privacy and human rights checks – the University must consider how surveillance may impact people’s rights, including by conducting Privacy Impact Assessments in line with the Privacy Policy
• Senior oversight – this policy is overseen by senior University staff, including the Chief Information Officer.

Any new surveillance activity or material change to an existing activity must be approved under this Surveillance Policy. This involves submitting a detailed request, conducting a Privacy Impact Assessment, and obtaining approval from senior University staff. Approvers must be satisfied that the proposed activity is appropriate and proportionate, and that relevant human rights have been properly considered.

Surveillance information is stored and retained in accordance with the University's Retention and Disposal Authority and applicable laws.