Part A - FAQs for everyone
- What is personal information?
- How is information privacy protected?
Does information privacy apply only to documents?
No. It deals with recorded personal information that can be in many forms, including film, video, still photography, audio and digital forms for storage and display on desktop and laptop computers. Personal information can also be recorded on mobile telephones with text capabilities and handheld devices.
Can other State Acts override the Information Privacy Act?
Yes, but only to the extent the laws are inconsistent. Section 6(1) of the PDPA states that: “if a provision made by or under this Act relating to an Information Privacy Principle or applicable code of practice is inconsistent with a provision made by or under any other Act, that other provision prevails and the provision made by or under this Act is (to the extent of the inconsistency) of no force or effect”. Section 6(2) of the PDPA states that: “without limiting subsection (1), nothing in this Act affects the operation of the Freedom of Information Act 1982 or any right, privilege, obligation or liability conferred or imposed under that Act or any exemption arising under that Act.”
How does the Health Records Act interact with other existing Commonwealth and State legislation concerning privacy, confidentiality, secrecy, access and disclosure?
The HPPs do not override other legislation – existing provisions in other statutes governing the confidentiality, use and disclosure of health information and those that regulate access to certain kinds of personal information (e.g. adoption information) are preserved. Specific statutory provisions will override the general standards in the Health Records Act to the extent of any inconsistency.
Can an organisation transfer personal information outside Victoria?
IPP 9 and HPP 9 require that if an individual’s personal information travels to a source outside of the organisation, the individual’s privacy protection should travel with it. The general standard is that organisations should transfer personal information outside Victoria only to recipients that protect privacy under standards substantially similar to Victoria’s IPPs and HPPs. Those standards need not be in a law, but might be in some other binding scheme or contract that the Victorian organisation establishes with the recipient.
Are the working notes of a health service provider considered health information for the purpose of the Health Records Act?
If the working notes fall within the definition of health information, and they are held by the organisation, then they are subject to the Health Records Act.
Where a health service provider is employed by the University to provide a health service to students and staff, is it the health service provider or the University who is obliged to comply with the legislation?
The Health Records Act applies to all organisations that hold health information, with an obligation to comply with the Act. If the University holds the records with the health information then they must provide access and ensure compliance with the HPPs. If it is the health service provider who controls the records that hold the health information, then the health service provider must comply with the legislation.
Under the Victorian Privacy and Data Protection Act 2014 (PDPA), personal information means information or an opinion (including information or an opinion forming part of a database), that is recorded in any form and whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Some personal information is called ‘sensitive information’ and given special treatment. This includes data about ethnic origin, religious belief, sexual practices, and criminal record.
- Can the University access my email, internet web logs and other electronic files under the privacy laws?
- Can I provide personal information about students or staff to other members of the University without regard for the IPPs?
- An individual has complained to me that the University has breached their privacy. What do I do?
If a person has a complaint they should be referred to the University Compliance and Privacy Officer:
University Privacy Officer
Federation University Australia
PO Box 663,
Ballarat, Victoria 3353
Telephone: 03 5327 9504
- Can I take photos of staff and include them on our web page or staff notice board?
- An organisation, such as a bank or real estate agent, has phoned to ask me about an employee's salary, length of service, etc. Can I provide this information to them?
- I have been asked by someone to be a referee. I have information about their health or personal life, which the prospective employer may like to know. Can I tell them?
No. When providing a reference for someone the following are useful guidelines:
- Ascertain the factors that are relevant to the position;
- Only disclose information about the job applicant that is within the applicant’s reasonable expectations e.g. skills, work experience and personal attributes relevant to the position;
- Do not disclose personal information that the job applicant has requested not be disclosed; and
- Do not disclose information that the job applicant would not reasonably expect you would disclose in the course of providing a reference.
- Do individuals have the right to access referee reports we have collected about them?
- Can I disclose information about a staff member to their partner or another family member?
In general – no. If the staff member was not informed at the time their personal information was collected that the University may disclose it to family members – and if we have not obtained the staff member’s permission for this to happen – then usually the University cannot make such a disclosure.
A job applicant worked for a friend/colleague of mine. The job applicant has not listed the friend/colleague as a referee. Can I contact them for a reference?
No. You may be breaching the privacy laws by collecting information from a referee whom the individual has not consented to the University contacting.
- If I am going to collect personal information, what do I need to do?
According to the PDPA Information Privacy Principle 1.3, “at or before the time of collection, the University must take reasonable steps to inform individuals of the following matters:
- The identity of Federation University Australia and how to contact us;
- The fact the University is able to gain access to the information;
- The purpose for which the information is collected;
- To whom (or the types of individuals or organisations to which) the University usually discloses information of that kind;
- Any law that requires the particular information to be collected; and
- The main consequences (if any) for the individual if all or part of the information is not provided."
The following standard wording complies (incorporating appropriate insertions) with the above requirements and should be included on all forms (paper and electronic) which collect personal information:
The information on this form is collected for the primary purpose of [insert primary purpose]. Other purposes of collection include [insert secondary purposes]. If you choose not to complete all the questions on this form, it may not be possible for [insert name e.g. School of Business] to [insert consequence]. Personal information may also be disclosed to [list any third parties to whom personal information is disclosed (do not include the University’s staff)]. You have a right to access personal information that the University holds about you, subject to any exceptions in relevant legislation. If you wish to seek access to your personal information or inquire about the handling of your personal information, please contact the University Privacy Officer at email@example.com
Yes, the privacy and data protection laws allow the University to access email, internet web logs, and other electronic files in certain circumstances. All email and internet usage should be conducted in accordance with the University Policy for Use of Computing and Communication Facilities. This policy sets out the circumstances in which the University may access staff emails, internet web logs, and other electronic files.
No. You should not assume that because one part of the organisation (collector) collected some personal information, that the collector can either use, or subsequently disclose that personal information to any of the other parts of the organisation without first having regard to IPP 2 – Use and Disclosure.
No. You must first obtain consent from staff to use their photos for a web page or staff notice board. Consent can be obtained at the time of taking the photo (further details may be obtained from the OVIC Guidelines to the Information Privacy Principles). Staff may withdraw consent in the future and if they do, the photo must be removed from the web page or staff notice board.
No. Before providing information about a staff member to an external organisation it is necessary to obtain the staff member’s consent to release the information. Verbal consent is sufficient provided the person seeking consent is reasonably sure of the identity of the staff member.
Yes. Subject to exemptions in the law, individuals may have the right to access referee reports under the Freedom of Information laws. If a prospective employee would like to access their referee reports please refer them to the University’s Freedom of Information Officer (Legal Office – Telephone 03 5327 9504).
- Can I provide information about a student to their family members or guardian? What if they are paying the student's fees? Do different circumstances apply if the student is underage?
You may not provide personal information about students to a parent, friend or partner without the consent of the student. This applies even if the parent pays the fees for the student.
Privacy laws do not set an age at which an individual can provide consent. Consent is required from students under 18 years of age if it is considered that they have the maturity and intellectual capacity to understand the consequences of providing their consent. For advice, please contact the University’s Privacy Officer at firstname.lastname@example.org or 03 5327 9504.
- A parent has called the University to transact on behalf of their child (e.g. to make a payment on a student loan). Can I conduct the transaction for the parent on behalf of the student?
The Victorian Police (or other law enforcement agency) have contacted me requesting information about a student. Am I obliged to provide the information?
No. Police requests are to be distinguished from police demands to release information pursuant to a search warrant or subpoena. If a law enforcement agency requests information (rather than demanding it) the University may assist the law enforcement agency in limited circumstances. The laws relating to this area are quite specific and any release of information to a law enforcement agency pursuant to a request must have either the Privacy Officer or the Legal Office’s approval. If a law enforcement agency requests information from your area, please contact the University’s Privacy Officer on 03 5327 9504, or contact the Legal Office on 03 5327 9506 prior to releasing information to ensure compliance with the laws.
- A student has phoned for information about their academic record. How should I respond?
- A potential / existing employer or other third party has contacted the University to obtain information about a student (e.g. confirmation of attendance or academic results). Can I provide the information?
- A student phones/emails to request their tax file number - how should I proceed?
- Can I provide a list of student details to other students in the class so they can form study groups?
Can students' results be published in a public venue?
This matter is currently under review. In the interim, please ensure that results can only be accessed via student ID number. Enquiries may be directed to the University’s Privacy Officer at email@example.com or 03 5327 9504.
- Is this different if the health service provider is not an employee but an independent contractor?
Yes, provided that no personal information is released to the parent. In determining whether it is appropriate for the parent to conduct the transaction, you will need to determine why the student is not able to do it themselves.
If there is a valid reason, e.g. they are overseas, and the transaction can be conducted without releasing any personal information to the parent then you may proceed. Before conducting the transaction please take adequate steps to confirm the identity of the parent by asking appropriate questions such as name of student, date of birth of student, and ID number of student.
Steps must be taken to confirm the identity of the student prior to releasing the information. It is recommended that the student be asked to provide their student ID number, date of birth, and home address. Providing that this practice is consistently adhered to, staff are not required to keep a record of each disclosure.
No. It is necessary to have consent from the student to disclose such information. It is not the University’s responsibility to obtain the consent. If the third party wishes to proceed with their enquiry, they should obtain the written consent from the student (or organise for the student to provide it directly to the University). The University must receive a copy of the consent prior to releasing the information.
Providing students with their tax file number requires stricter security measures than other personal information. In the first instance, you may refer them to the Australian Taxation Office where tax file numbers are released to individuals in accordance with appropriate security procedures. If this is impractical, please contact the University’s Privacy Officer at firstname.lastname@example.org or 03 5327 9504 for further information.
No. Consent should be obtained from students prior to providing their details to other students for the purpose of allowing them to form study groups. Verbal consent may be obtained; however, it is preferable to get consent in writing. If there were a dispute about consent, we would need to prove that consent was obtained.
If the health service provider is an independent contractor and keeps separate records from the University, then the individuals must be made aware of how to contact that health service provider and access the health information if desired. In this situation, the health service provider must also comply with HPP 10 on transfer or closure of a practice when the health service provider leaves the University and does not provide a health service elsewhere.