Part A - FAQ's for everyone
- What is personal information?
'Personal information' means recorded information or opinion, whether true or not, about a living individual whose identity can reasonably be ascertained. Personal information may include an individual's name, address, sex, age, financial details, marital status, education or employment history and health. Some personal information is called "sensitive information" and given special treatment. It includes data about ethnic origin, religious belief, sexual practices and criminal record.
How is information privacy protected?
Does information privacy apply only to documents?
No, it applies to any personal, sensitive or health information that can be in many forms including film, video, still photography, audio and of course digital forms for storage and display on desk and laptop computers. Personal information can also be recorded on telephones with text capabilities and devices like hand held computers.
Can other State Acts override the Information Privacy Act?
Yes, but only to the extent the laws are inconsistent. Section 6(1) of the Information Privacy Act states that: "If a provision made by or under this Act is inconsistent with a provision made by or under any other Act that other provision prevails and the provision made by or under this Act is (to the extent of the inconsistency) of no force or effect". Section 6(2) of the Information Privacy Act states that: "Without limiting sub-section (1), nothing in this Act affects the operation of the Freedom of Information Act 1982 or any right, privilege, obligation or liability conferred or imposed under that Act or any exemption arising under that Act".
How does the Health Records Act interact with other existing Commonwealth and State legislation concerning privacy, confidentiality, secrecy, access and disclosure?
The HPPs do not override other legislation - existing provisions in other statutes governing the confidentiality, use and disclosure of health information and those that regulate access to certain kinds of personal information (e.g. adoption information) are preserved. Specific statutory provisions will override the general standards in the Health Records Act to the extent of any inconsistency.
Can an organisation transfer personal information outside Victoria?
Basically, IPP 9 and HPP 9 require that if an individual's personal information travels to a source outside the organisation, the individual's privacy protection should travel with it. The general standard is that organisations should transfer personal information outside Victoria only to recipients that protect privacy under standards substantially similar to Victoria's IPPs and HPPs. Those standards need not be in a law, but might be in some other binding scheme or contract that the Victorian organisation establishes with the recipient.
Are the working notes of a health service provider considered health information for the purpose of the Health Records Act?
If the working notes fall within the definition of health information, and they are held by the organisation then they are subject to the Health Records Act
Where a health service provider is employed by the University to provide a health service to students and staff, is it the health service provider or the University who is obliged to comply with the legislation?
The Health Records Act applies to all organisations that hold health information, with an obligation to comply with the Act. If the University holds the records with the health information, then the University must ensure compliance with the health privacy principles. If it is the health service provider who controls the records that hold the health information, then the health service provider must comply with the legislation.
Can the University access my email, internet web logs and other electronic files under the privacy laws?
Yes, the privacy laws allow the University to access email, internet web logs and other electronic files in certain circumstances. All email and internet usage should be conducted in accordance with the University Policy for Use of Computing and Communication Facilities. This policy sets out the circumstances in which the University may access staff emails, internet web logs and other electronic files.
Can I provide personal information about students or staff to other members of the University without regard for the IPPs?
No. You should not assume that, because one part of the organisation collected some personal information, that the collecting part can either use, or subsequently disclose, that personal information to any of the other parts of the organization without having first had regard to IPP 2 - Use and Disclosure.
An individual has complained to me that the University has breached their privacy. What do I do?
If a person has a complaint they should be referred to the University Compliance and Privacy Officer:
University Privacy Officer
Federation University Australia
University Drive, Mt Helen
PO Box 663, Ballarat,
Victoria, 3353 Australia
Telephone: 5327 9021 or 5327 9504
Fax: 5327 9970
Can I take photos of staff and include them on our web page or staff notice board?
No. You must first obtain consent from staff to use their photos for a web page or staff notice board. Consent can be obtained at the time of taking the photo (further details may be obtained from the Victorian Privacy Commissioner's Information Sheet 01.03). It is important to be aware that staff may withdraw consent in the future and if they do, the photo must be removed from the web page or staff notice board.
An organisation, such as a bank or real estate agent, has phoned to ask me about an employee's salary, length of service etc. Can I provide this information to them?
No. Before providing information to an external organisation, such as a bank or real estate agent, about a staff member, it is necessary to obtain the staff members consent to release the information. Verbal consent is sufficient provided that the person seeking consent is reasonably sure of the identity of the staff member.
I have been asked by someone to be a referee. I have information about their health or personal life, which the prospective employer may like to know. Can I tell them?
No. When providing a reference for someone the following are useful guidelines:
- Ascertain the factors that are relevant to the position;
- Only disclose information about the job applicant that is within the applicant's reasonable expectations eg. skills, work experience and personal attributes relevant to the position;
- Do not disclose personal information that the job applicant has requested not be disclosed; and
- Do not disclose information that the job applicant would not reasonably expect you would disclose in the course of providing a reference.
Do individuals have the right to access referee reports we have collected about them?
Yes. Subject to exemptions in the law, individuals may have the right to access referee reports under the Freedom of Information laws. If a prospective employee would like to access their referee reports please refer them to the University's Freedom of Information Officer (Legal - telephone number 5327 9021 or 5327 9504).
Can I disclose information about a staff member to their partner or another family member?
In general-no. If the staff member was not informed at the time their personal information was collected that the University may disclose it to family members-and if we have not obtained the staff member's permission for this to happen-then usually the University cannot make such a disclosure.
A job applicant worked for a friend/colleague of mine. The job applicant has not listed the friend/colleague as a referee. Can I contact them for a reference?
No. You may be breaching the privacy laws by collecting information from a referee who the individual has not provided consent for the University to contact.
If I am going to collect personal information, what do I need to do?
The University's Information Privacy Principle 1.3 states:
"At or before the time of collection, the University must take reasonable steps to inform individuals of the following matters:
- The identity of Federation University Australia and how to contact us
- The fact that s/he is able to gain access to the information
- The purposes for which the information is collected
- To whom, or the types of organisations to whom, the University discloses information of this kind
- Any law that requires the particular information to be collected
- The main consequences (if any) for the individual if all or part of the information is not provided"
The following standard wording complies (incorporating appropriate insertions) with the above requirements and should be included on all forms (paper and electronic) which collect personal information:
The information on this form is collected for the primary purpose of [insert primary purpose]. Other purposes of collection include [insert secondary purposes]. If you choose not to complete all the questions on this form, it may not be possible for [insert name eg. School of Business] to [insert consequence]. Personal information may also be disclosed to [list any third parties to whom personal information is disclosed (do not include the University's staff)]. You have a right to access personal information that the University holds about you, subject to any exceptions in relevant legislation. If you wish to seek access to your personal information or inquire about the handling of your personal information, please contact the University Privacy Officer at firstname.lastname@example.org
Can I provide information about a student to their family members or guardian? What if they are paying the student's fees? Do different circumstances apply if the student is underage?
You may not provide personal information about students to a parent, friend or partner without the consent of the student. This applies even if the parent pays the fees for the student.
Please also note that privacy laws do not set an age at which an individual can provide consent. Consent is required from students under 18 years of age if it is considered that they have the maturity and intellectual capacity to understand the consequences of providing their consent. For advice please contact the University's Privacy Officer at email@example.com or on telephone number 5327 9021 or 5327 9504.
A parent has called the University to transact on behalf of their child (e.g. to make a payment on a student loan). Can I conduct the transaction for the parent on behalf of the student?
Yes. Providing that no personal information is released to the parent some transactions may be conducted by parents. In determining whether it is appropriate for the parent to conduct the transaction, you will need to determine why the student is not able to do it him/herself. If there is a valid reason, eg they are overseas, and the transaction can be conducted without releasing any personal information to the parent then you may proceed. Before conducting the transaction please take adequate steps to confirm the identity of the parent by asking appropriate questions such as name of student, date of birth of student and ID number of student.
The Victorian Police (or other law enforcement agency) have contacted me requesting information about a student. Am I obliged to provide the information?
No. Police requests are to be distinguished from police demands to release information pursuant to a search warrant or subpoena. If a law enforcement agency requests information (rather than demanding it) the University may assist the law enforcement agency in limited circumstances. The laws relating to this area are quite specific and any release of information to a law enforcement agency pursuant to a request must have either the Privacy Officer or the Legal Office's approval. If a law enforcement agency requests information from your area, please contact the University's Privacy Officer on telephone number 5327 9021 or 5327 9504, or contact a Lawyer in Legal on 5327 9506, prior to releasing information to ensure compliance with the laws.
A student has phoned for information about their academic record. How should I respond?
Steps must be taken to confirm the identity of the student prior to releasing the information. It is recommended that the student be asked to provide their student ID number, date of birth and home address. Providing that this practice is consistently adhered to, staff are not required to keep a record of each disclosure.
A potential / existing employer or other third party has contacted the University to obtain information about a student (e.g. confirmation of attendance or academic results). Can I provide the information?
No. It is necessary to have consent from the student to disclose such information. It is not the University's responsibility to obtain the consent. If the third party wishes to proceed with their enquiry, they should obtain the written consent from the student (or organise for the student to provide it directly to the University). The University must receive a copy of the consent prior to releasing the information.
A student phones/emails to request their tax file number - how should I proceed?
Providing students with their tax file number requires stricter security measures than other personal information. In the first instance, you may refer them to the Australian Taxation Office where tax file numbers are released to individuals in accordance with appropriate security procedures. If this is impractical, please contact the University's Privacy Officer at firstname.lastname@example.org or on telephone number 5327 9021 or 5327 9504 for further information.
Can I provide a list of student details to other students in the class so they can form study groups?
No. Consent should be obtained from students prior to providing their details to other students for the purpose of allowing them to form study groups. Verbal consent may be obtained however it is preferable to get consent in writing. If there were a dispute about consent we would need to prove that consent was obtained.
Can students' results be published in a public venue?
This matter is currently under review. In the interim, please ensure that results can only be accessed via student ID number. Enquiries may be directed to the University's Privacy Officer at email@example.com or on telephone number 5327 9021 or 5327 9504.
Is this different if the health service provider is not an employee but an independent contractor?
If the health service provider is an independent contractor and keeps separate records from the University, then the individuals must be made aware of how to contact that health service provider and access the health information if desired. In this situation the health service provider must also comply with HPP 10 on transfer or closure of a practice when the health service provider leaves the University and does not provide a health service elsewhere.