Understanding Privacy: An Overview of our Responsibilities


Introductions
Gioconda Di Lorenzo - University Secretary
Privacy Officer & Freedom of Information Officer
Education and Regulatory Compliance – Legal & Risk
Raffaella Di Maio - Privacy & Freedom of Information Coordinator
Mary Oppy - Education and Training Officer

Education & Regulatory Compliance, Legal & Risk, University Services. Raffaella Di Maio & Mary Oppy

Information Privacy
• What Governs Information Privacy?
• The 10 Information Privacy Principles
• The information privacy lifecycle
• Managing Breaches

Privacy Protection
• Privacy and Data Protection Act 2014 (Vic): All recorded personal information handled by the University, State and local government agencies (other than health related info)
• Health Records Act 2001 (Vic): All health related personal information held in public and private sectors. Most of the personal info handled by health service

What is Personal Information?
Recorded information or opinion, whether true or not, about an individual whose identity is apparent or can be reasonably ascertained.
• Name
• Signature
• Telephone Number
• Home or Work Address
• Employment Position
• Voice Recordings, Photographs or Videos
• Medical Records
• Academic Records

What is Sensitive Information?
Recorded information or opinion, whether true or not, about an individual whose identity is apparent or can be reasonably ascertained, that is of a sensitive nature.
• Racial or ethnic origin
• Political opinions
• Membership of a political association
• Religious beliefs or affiliations
• Philosophical beliefs
• Membership of a professional or trade association
• Membership of a trade union
• Sexual preferences or practices
• Criminal record

10 Information Privacy Principles (IPPs)
1. Collection
2. Use & Disclosure
3. Data Quality
4. Data Security
5. Openness
6. Access & Correction
7. Unique Identifiers
8. Anonymity
9. Transborder Data Flows
10. Sensitive Information

Lifecycle of IPPs
I. Prior to, or at the time of collection
II. While holding information
III. When using the information
IV. When you no longer need the information

Prior to, or at the time of, collection
• Is collection necessary (IPP 1)?
• Do we need to collect sensitive information (IPP 10) and unique identifiers (IPP 7.4)?
• Can the University allow individuals to transact anonymously (IPP 8)?
• Provide a collection notice of the intended uses and individuals’ rights of access (IPP 1)
• Does the University have a policy outlining its information handling practices (IPP 5)?
Tools: A Privacy Impact Assessment can be used for new projects or processes, or for amendments to existing ones.

A collection notice must include:
1. The identity and contact details of the department/division which is collecting the information.
2. The Primary Purpose for which the information is collected.
3. To whom generally (the types of individuals or organisations) the information will be routinely disclosed.
4. Any Law that requires the particular information to be collected.
5. The main consequences (if any) for the individual if all or part of the information is not provided.
6. The fact that the individual is able to gain access to the Personal Information they have provided.
7. A statement of the University's obligations to protect personal information, and information about the University's Privacy Policy.
Item 4 may be omitted if there are no specific Laws that require the collection. Item 5 may be omitted if the consequences of not providing all or part of the information are nil or minimal.

While holding information:
• Ensure the University has security measures in place for the information (IPP 4.1)
• Provide mechanisms to enable individuals to access and correct their information (IPP 6 / Freedom of Information Act 1982 (Vic))
• Update, amend and supplement the information, as necessary (IPP 3)

When using the information
• Check that the proposed use is permitted under the Privacy and Data Protection Act or otherwise authorised under law, taking extra care with sensitive information (IPP 2)
• Ensure that privacy protection travels with information if it is to leave Victoria (IPP 9)
• Be careful about assigning, using or disclosing unique identifiers (IPP )

When you no longer need the information
• Consider whether, and when, the organisation should destroy or de-identify the information (IPP 4.2)
• Do not destroy documents that are required to be retained under other laws, e.g. Public Records Act 1973 (Vic), Electronic Transactions (Victoria) Act 2000 (Vic), Crimes Act 1958 (Vic)
Tools: The Records Services team can provide advice on how long records should be retained and how to manage records no longer required. A comprehensive retention and disposal schedule is available at

Breaches
• Reporting the breach
• Preventing future breaches
• Notifying relevant people
• Evaluating the risks
• Containing the breach
Head of Department

Scenario 1
Omar is a University lecturer who is organising a field-trip for his students. He asks them to complete a form on which they have to give various details including their ethnicity and religion without explaining why he needs this personal information. Has Omar collected this sensitive information appropriately?

A Faculty HR Officer receives a phone call from a staff member asking for the home address of a colleague. The staff member is unwell and the team would like to send flowers. What can or should the HR Officer do?

“Privacy is not secrecy. It is about giving individuals control over how their personal information is handled; creating customer confidence and trust. As such, good privacy practices and great innovation directly support each other.”
Office of the Australian Information Commissioner