Your personal information will be managed in accordance with our privacy obligations. We are governed by applicable privacy laws, including the Privacy and Data Protection Act 2014 (Vic) and the Health Records Act 2001 (Vic) when processing your personal and health information. To the extent that they apply to our activities, we are also subject to the requirements of the Privacy Act 1988 (Cth) and the European Union General Data Protection Regulation 2016/679 (which relates to individuals located in the European Economic Area). (Together, ‘Privacy Laws’).

For the purposes of this statement, health and personal information are referred to collectively as “personal information” (sometimes known as “personal data”), which is defined broadly in the Privacy Laws as recorded information or opinion that relates to an identified or identifiable individual. The “processing” of personal information refers to all activities relating to the management of personal information by the University, from its collection and use, through to its storage and disposal, and everything in between.

We collect and process personal information through lawful and fair means and in a non-intrusive way. We will collect your personal information directly from you wherever possible. However, where this is not practicable, we may collect information you have provided through other avenues, as detailed in the specific privacy collection notice provided to you at the time your personal information is collected.

We only process personal information as necessary, for specified purposes, and in accordance with the relevant Privacy Laws. The purpose and lawful basis for collecting your personal information is detailed in the specific privacy collection notices for particular activities.

We will only use or disclose your personal information under the following circumstances:

• for the purpose for which it was collected
• for a related purpose which you might reasonably expect
• where you have consented to the disclosure
• if we are required or permitted to do so by law
• where it is necessary for the pursuit of our legitimate interests (such as facilitating teaching, learning and research)
• where we have engaged a contracted service provider or partner to perform legitimate functions on our behalf, such as those outlined in the privacy collection notice.

Where relevant, examples of third parties we provide personal information to, and for what purposes, are captured in the privacy collection notice provided to you at the time your personal information is collected.

We do not sell your personal information to third parties under any circumstances or permit third parties to sell on the information we have shared with them.

Accuracy, Storage and Security

We take great care to ensure that personal information is handled, stored and disposed of confidentially and securely. Your personal information is collected, stored and transmitted securely in a variety of paper and electronic formats. This includes databases that are shared across the company. Accordingly, your personal information is not segregated or treated differently from any other personal information based on your geographic location or jurisdiction.

Our staff receive regular privacy and data protection training, and we have implemented organisational and technical measures so that personal information is processed in accordance with the Privacy Laws as applicable.

We take all reasonable steps to ensure that any personal information we (or third parties operating on our behalf) collect, transmit, store or otherwise process, is accurate and complete, and that appropriate technical and organisational measures are implemented and maintained to protect it from accidental or unlawful destruction, misuse, loss, alteration, or unauthorised access or disclosure.

Access to your personal information is limited to authorised staff and contracted third parties, or affiliates’ representatives, who have a legitimate interest in it for the purpose of carrying out necessary duties. Where personal information is disclosed to third parties, it will be done so only to the extent necessary to fulfill the purpose of such disclosure. Where required, we ensure we have appropriate information sharing and/or processing agreements in place before sharing your personal information with any third parties.

In some instances, your personal information may be transferred outside of Victoria or Australia (for example, where providers are located internationally or use a cloud-based system with servers based in international jurisdictions). We take all reasonable steps to ensure that the interstate or overseas transfer of personal information is in accordance with this privacy statement, relevant University policies and the Privacy Laws, as applicable.

Your rights

You may request access to, or correction of, your personal information we hold, or exercise your individual rights as applicable (including under GDPR if applicable), unless this would have an unreasonable impact on the privacy of others or would contravene our other legislative obligations.

For access to personal information that we hold about you, you should contact the department that holds the information in the first instance. In some circumstances, the department or area of our company that holds that information may need to liaise with our Legal and Risk area before determining whether they can provide the information directly to you. At times, we may require requests for access to or correction of personal information to be made in accordance with the Freedom of Information Act 1982 (Vic).

Further information about this process is available on our Freedom of Information web page. If the lawful collection of your personal information is based on your consent, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of our processing of your information prior to you withdrawing your consent.