Privacy Policy

Section 1 - Purpose

(1) This policy affirms RMIT’s commitment to privacy and its approach to the responsible handling of personal, sensitive and health information in all its forms, consistent with relevant legislation.

Section 2 - Overview

(2) RMIT University is a public institution under Victorian law and stands on Aboriginal Country of the Kulin Nation. RMIT recognises and acknowledges the Bundjil Statement that helps all RMIT staff to respectfully work, live and study on Aboriginal Country.

(3) RMIT is required to comply with the Privacy and Data Protection Act 2014 (Vic) and Health Records Act 2001 (Vic) in respect to the handling of personal, sensitive and health information. RMIT controlled entities in Australia are also required to comply with the Privacy Act 1988 (Cth) and will comply with the Victorian laws when handling personal, sensitive and health information. This policy is modelled on Australian and international privacy requirements, recognising that extra-territorial privacy obligations extend to RMIT’s global activities and operations, including RMIT Europe and RMIT Vietnam.

(4) This policy outlines:

  1. the principles that direct privacy management at RMIT
  2. the responsibilities of RMIT, its staff, students and affiliates when handling personal, sensitive and health information (collectively referred to as personal information) across all locations.

Section 3 - Scope

(5) This policy applies to all staff, students, researchers and affiliates of the RMIT Group including contractors and partners providing services on behalf of RMIT.

Section 4 - Policy

Principles

(6) RMIT values the privacy of individuals and will foster a positive and respectful privacy culture which supports a relationship of trust between RMIT and staff, students, researchers and third parties.

(7) RMIT will apply and adhere to the Victorian Information Privacy Principles, the Victorian Health Privacy Principles, the Australian Privacy Principles, and any other relevant laws as they apply to the entities, functions and activities of the RMIT Group. To the extent that inconsistencies or differences might exist in the global context, best practice privacy management will guide RMIT’s actions to achieve compliance.

(8) RMIT adopts a privacy by design approach, proactively incorporating privacy requirements, ensuring compliance with law, and enabling continuous improvement of privacy practices.

(9) RMIT will prescribe its approach to responsible and transparent handling of personal information across the RMIT Group in an accessible RMIT Privacy Statement.

(10) RMIT will ensure those covered by the scope of this policy are made aware of their responsibilities and will provide appropriate information and compliance training opportunities.

Responsibilities

(11) Privacy is everyone’s responsibility and all staff, students, researchers and affiliates have an obligation to manage personal information collected, accessed, used, re-used or disclosed during their engagement with RMIT in accordance with this policy, the RMIT Privacy Statement, and associated information security, information management and data governance policies.

(12) Managers are required to ensure that privacy principles and practices are implemented locally, and suspected or actual breaches of this policy are reported in accordance with the Compliance Breach Management Procedure.

(13) The Privacy Office is responsible for:

  1. establishing the privacy management framework to enable communication and implementation of applicable privacy requirements
  2. reviewing privacy impact assessments
  3. providing privacy training, other education programs and advice
  4. monitoring compliance with this policy and reporting on complaints and breaches of this policy to internal governance bodies and external agencies, as required
  5. investigating privacy breaches, incidents or complaints
  6. appointing a Chief Privacy Officer who issues and maintains the RMIT Privacy Statement and core collection statements
  7. providing a central contact point for and on behalf of the RMIT Group.

(14) The Chief Information Security Officer oversees information security controls and responses to enable RMIT to deliver effective protection of personal data held by RMIT consistent with privacy management obligations across all its operations.

(15) The Chief Financial Officer is responsible for making determinations on external reporting on the recommendation of the Chief Privacy Officer or Chief Audit and Risk Officer, in the event of a privacy breach.

(16) The Privacy Office monitors compliance with this policy and reports on complaints and breaches of this policy to internal governance bodies and external agencies, as required.

Review

(17) The Chief Privacy Officer will review this policy at least every three years in accordance with the Policy Governance Framework, and review and update the RMIT Privacy Statement annually.

Section 5 - Procedures and Resources

(18) Refer to the following documents which are established in accordance with this policy:

  1. General Data Protection Regulation FAQs
  2. Management of Special Category Information Instruction
  3. Privacy Impact Assessment FAQs
  4. RMIT Privacy Statement
  5. Staff Privacy Statement
  6. Student Privacy Statement
Section 6 - Definitions

(19) (Note: Commonly defined terms are in the RMIT Policy Glossary. Any defined terms below are specific to this policy).

Core collection statements: Includes the RMIT Staff Privacy Statement and Student Privacy Statement published on RMIT’s Policy Register and in RMIT applications and systems.

Health information: Information or an opinion about an individual’s physical, mental or psychological health; a disability; health services provided or future provision of health services; and a variety of other health matters (including information about organ or body substance donation and genetic information).

Personal data: Refers to any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Article 4, GDPR Regulations).

Personal information: Information or an opinion, that is recorded in any form, about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion. Typically, this includes information like name, date of birth, address, phone number etc. Personal information includes personal data.

Privacy by design: The means for ensuring privacy protections are integrated in process and technology design.

Sensitive information: A special category of personal information that requires more protection. It includes the following information about an individual: racial or ethnic origin; political opinion; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual preference or practices; criminal record.