# Privacy Policy
**Source**: https://policy.unimelb.edu.au/MPF1104/
**Parent**: https://about.unimelb.edu.au/strategy/governance/compliance-obligations/privacy
## **Privacy Policy (MPF1104)**
- **Category:** [Governance and Management](/category/Governance and Management)
- **Version:** 10
- **Document Type:** Policy
- **Document Status:** Published
- **Approved On:** 23 December, 2025
- **Audience:** Staff, Students, Research, Academic
- **Effective Date:** 09 January, 2026
- **Review Date:** 09 January, 2029
- **Policy Approver:** Vice-President Administration & Finance And Chief Operating Officer
- **Policy Steward:** University Secretary
- **Supporting Process:** [Governance and Management Processes](https://au.promapp.com/unimelb/Process/Group/bb71f4d6-cfdb-464b-9661-1a6a9098726d)
1. Objectives
1.1. The objectives of this policy are to:
a) outline the University of Melbourne (“University”) approach to privacy management;
b) define the University’s privacy governance model;
c) identify the University’s obligations when processing personal information; and
d) embed a culture of privacy awareness and good practice throughout the University.
2. Scope
2.1. The University collects and processes personal information that is necessary for delivering one or more of its functions or activities, including but not limited to teaching, learning and research, as defined in the objects of our enabling legislation.
2.2. This policy applies to all personal, sensitive and health information (together “personal information”) collected or held by the University, including information about employees, students and any other individuals associated with the University, such as contractors, volunteers, alumni, donors, and members of the public.
2.3. This policy applies to all staff and honorary appointees of the University, and individuals and organisations (and their officers and employees) who are contractually obliged to comply with this policy.
2.4. The University’s controlled entities may choose to adopt this policy in accordance with section 5.3 of the [Controlled Entities Policy (MPF1376)](https://policy.unimelb.edu.au/MPF1376/).
2.5. Entities not owned or controlled by the University, such as affiliated organisations or partnerships, are not automatically covered by this policy. However, they may have separate agreements in place that address specific aspects of this policy.
3. Authority
3.1. This policy is made under the [*University of Melbourne Act 2009* (Vic)](https://www.legislation.vic.gov.au/in-force/acts/university-melbourne-act-2009/007) and the [Vice-Chancellor Regulation](http://www.unimelb.edu.au/governance/statutes). It supports compliance with applicable privacy and data protection laws, including:
a) The [*Privacy and Data Protection Act 2014* (Vic)](https://www.legislation.vic.gov.au/in-force/acts/privacy-and-data-protection-act-2014/028) and the Victorian Information Privacy Principles (IPPs);
b) The [*Health Records Act 2001* (Vic)](https://www.legislation.vic.gov.au/in-force/acts/health-records-act-2001/047) and the Health Information Principles (HPPs);
c) The Commonwealth [*Privacy Act 1988*](https://www.legislation.gov.au/C2004A03712/2016-07-01/text) for certain regulated information, including Tax File Numbers, or when the University contractually agrees to comply with this Act;
d) International privacy and data protection law (see definition), to the extent that these apply to our activities; and
e) Applicable legislative and regulatory standards and codes to which the University is subject.
4. Policy
4.1. The University is committed to the compliant, responsible and fair management of personal information upheld by a culture of good privacy governance and practices that our community can rely on.
4.2. Information privacy is managed in accordance with the University’s [Privacy Management Framework](https://unimelbcloud.sharepoint.com/:b:/t/PrivacyManagement/EUU4mMbK-75PtXetJvbCROQBv1D_VlwkU2kHZ0nALgjaxw?e=mPNO5t) (login required).
4.3. The University’s approach to privacy management is upheld by the following core principles:
a) **Privacy by design**: We proactively embed privacy considerations and strategies into the design of our systems, processes, and practices.
b) **Transparency and Fairness**: We provide clear and transparent information about the University’s main functions, the types of personal information we collect, and how we use, share and manage that information, including when using emerging technologies, through accessible [University Privacy Statements](https://about.unimelb.edu.au/strategy/governance/compliance-obligations/privacy/privacy-statements). This supports individuals in making informed decisions and helps ensure our practices are fair, reasonable and aligned with community expectations.
c) **Automated decision-making and Profiling:** We ensure that any use of Automated Decision-Making or profiling respects individuals’ privacy, is transparent, and upholds principles of fairness and accountability.
d) **Security**: We take reasonable steps to ensure that personal information is protected throughout the information lifecycle.
e) **Compliance**: We manage personal information in compliance with applicable domestic and international privacy and data protection laws.
f) **Data Minimisation**: We collect, manage, and retain the minimum amount of personal information that we need, in an ethical and fair manner that respects individual interests.
g) **Community expectations:** We manage personal information according to best practices and regulatory requirements.
4.4. Where inconsistencies might exist between applicable privacy and data protection laws, the University will be guided by best practice privacy management and will seek to meet the most comprehensive legal obligations, ensuring the highest standard of privacy protection. All employees must seek guidance from the Privacy and Data Protection team to ensure this standard is met.
5. Procedural principles
5.1. The University’s designated Privacy and Data Protection Officer (“PDPO”) oversees compliance with privacy and data protection laws, policies and processes, assessments, and audits.
5.2. The University’s Privacy and Data Protection team supports the PDPO by operationalising the University’s privacy management program, including providing guidance on privacy obligations and responsibilities.
5.3. All employees are responsible for the compliant management of personal information throughout the information lifecycle, which includes:
a) **Collection**: Collecting the minimum amount of information required to effectively fulfil a necessary function and doing so by lawful and fair means. Providing individuals with information about the collection of their data through a Privacy Collection Notice at or before the time of collection, clearly explaining:
i. why we are collecting their personal information;
ii. how it will be processed; and
iii. how individuals can access or correct their information.
b) **Consent**: Where required by privacy and data protection laws, obtaining explicit, informed and unambiguous consent from individuals at or before the time of collection. This includes informing individuals of their right to withdraw consent at any time and ensuring that consent is explicit, informed, voluntary, specific and current.
c) **Storage and security**: Taking reasonable measures to protect personal information from accidental or unlawful destruction, misuse, loss, alteration or unauthorised access or disclosure, and in accordance with the University’s [Information Security Policy (MPF1270)](https://policy.unimelb.edu.au/MPF1270/).
d) **Use and disclosure**: Only using or disclosing personal information for the primary purpose for which it was collected, or legal compliance purpose. Any transfers of personal information outside of Australia must comply with applicable privacy protections and legal requirements.
e) **Quality**: Taking reasonable steps to ensure personal information held by the University is accurate, complete and up to date.
f) **Access and correction**: Facilitating individuals seeking access to or correction of their own personal information, in accordance with the University’s [Freedom of Information (FOI) obligations](https://about.unimelb.edu.au/strategy/governance/compliance-obligations/freedom-of-information).
g) **Anonymity and pseudonym**: Considering, where lawful and practical, whether individuals can remain anonymous when conducting business with the University. Where full anonymity is not practicable, considering whether individuals can use pseudonyms to interact without revealing their true identity.
h) **Retention and disposal**: Destroying or permanently de-identifying personal information when no longer required for the purpose it was collected, in accordance with the [University Records Retention & Disposal Authority](https://records.unimelb.edu.au/guides/disposal/rda).
5.4. All employees are required to complete mandatory information privacy compliance training (online module) upon onboarding and every two years thereafter.
5.5. [Privacy Impact Assessments](https://about.unimelb.edu.au/strategy/governance/compliance-obligations/privacy/privacy-impact-assessments) (PIAs) must be undertaken:
a) For any new technology or process intended to automate decision-making (fully or partially), including profiling, in a way that is likely to have significant impact on individuals;
b) When making changes to existing systems or activities, or using existing data, in a way that is likely to have significant impact on how personal information is processed; or
c) For any large-scale new project, initiative or process that involves processing a large volume of personal information.
5.6. PIAs may be required:
a) For any new IT system, project, initiative or process that involves the processing of personal information;
b) When conducting research that includes the collection, use, or sharing of personal information, especially if it involves new methodologies, technologies, or processing techniques that are likely to have significant impact on individuals; or
c) As directed by the PDPO or Privacy and Data Protection team.
d) Guidance can be sought from the University’s Privacy and Data Protection team at [privacy-officer@unimelb.edu.au](mailto:privacy-officer@unimelb.edu.au).
5.7. The Privacy and Data Protection team must ensure [privacy statements](https://about.unimelb.edu.au/strategy/governance/compliance-obligations/privacy/privacy-statements) outlining how the University generally manages personal information are available on the University’s public [website](https://about.unimelb.edu.au/strategy/governance/compliance-obligations/privacy/).
5.8. Individuals can lodge a complaint with the University’s Privacy and Data Protection team at [privacy-officer@unimelb.edu.au](mailto:privacy-officer@unimelb.edu.au), if they have concerns that their personal information has not been handled in accordance with the University’s privacy obligations. Complaints must be investigated and the complainant responded to within a reasonable timeframe. More information, including how to contact the supervisory authority or regulator, is available on the [University’s website](https://about.unimelb.edu.au/strategy/governance/compliance-obligations/privacy/contact).
5.9. Suspected or actual privacy incidents must be promptly reported to the University’s Privacy and Data Protection team and managed in accordance with the University’s [Process for Responding to a Privacy Incident](https://au.promapp.com/unimelb/Process/Minimode/Permalink/GJ1oL73p2TEv92K5Ay4K1k) (employee login required).
6. Roles and Responsibilities

| *Role/Decision/Action* | *Responsibility* | *Conditions and limitations* |
| --- | --- | --- |
| Overall accountability for privacy compliance and contact point for relevant supervisory authorities and regulators. | Privacy and Data Protection Officer (University Secretary) | Operational support provided by Privacy and Data Protection team (Legal and Risk). |
| Oversee compliance with privacy and data protection laws, policies and processes, assessments, and audits. | Privacy and Data Protection Officer (University Secretary) | Privacy and Data Protection team monitor performance and report to the Privacy and Data Protection Officer. |
| Develop and maintain the University’s Privacy Management Framework. | Privacy and Data Protection team (Legal and Risk) | |
| Conduct regular privacy assessments, audits and continuous improvement activities. | Privacy and Data Protection team (Legal and Risk) | Privacy and Data Protection Officer provides advice and oversight where required. |
| Inform and advise on privacy and data protection obligations and best practice. | Privacy and Data Protection team (Legal and Risk) | |
| Raise awareness and train all employees on privacy and data protection compliance and best practice. | Privacy and Data Protection team (Legal and Risk) | |
| Manage privacy enquiries, complaints, and incidents. | Privacy and Data Protection team (Legal and Risk) | Privacy and Data Protection Officer provides advice, and oversight where required. |
| Respond to requests from individuals to inform them about how their personal information is being used and what measures we put in place to protect their data. | Privacy and Data Protection team (Legal and Risk) | |
| Ensure that requests from individuals to access or amend their personal information, or to exercise other individual rights where applicable, are fulfilled or responded to appropriately. | Privacy and Data Protection team (Legal and Risk) | |
| Manage and maintain a central Privacy Collection Notice Register. | Privacy and Data Protection team (Legal and Risk) | |
| Promptly report any actual or suspected privacy incident to the Privacy and Data Protection team (Legal and Risk) | All employees | |
| Comply with the University’s Privacy Policy. | All employees | |
| Complete mandatory privacy compliance training (online module) when required. | All employees | |
| Manage personal information in compliance with applicable privacy and data protection laws and community expectations. Where compliance requirements are unclear, seek guidance from the Privacy and Data Protection team. | All employees | |
| Create and maintain accurate and current Privacy Collection Notices for their functions or services. | All employees | |
| Complete and submit a PIA for any new technology or process intended to automate decision-making, when making changes to existing systems or activities, or using existing data in a way that is likely to significantly impact how personal information is processed. A PIA is also required for any large-scale new project, initiative, or process that involves the processing of a substantial volume of personal information. | All employees | |
7. Definitions
**Automated decision-making** means a decision made either in a fully automated manner, without a human decision-maker; or where a computer program substantially and directly informs or shapes the outcome, even if a human is involved in the final step of the process.
**Controlled entity** means an entity that is subject to the control of the University in terms of section 50AA of the *Corporations Act 2001 (Cth)* and includes an entity which is subject to the control of a controlled entity.
**Employee** means an individual employed by the University and is a national system employee within the meaning of the *Fair Work Act 2009* (Cth). Employee is also commonly referred to as staff member, academic staff member or professional staff member.
**Health information** means information or an opinion about a person’s physical, mental or psychological health, any disability they may have, and any treatment they have received or wish to receive, that is also personal information. It includes genetic data that could be predictive of their or their family’s health, and personal information collected in relation to the provision of a health service or in connection with organ or tissue donation.
**Information privacy** means the policies, procedures, and other controls that establish how personal information or data is collected and processed.
**International privacy and data protection law** means any privacy and data protection law established outside of Australia that:
- may apply to the University’s activities overseas; or
- may have extraterritorial scope and apply to the University’s domestic activities in limited circumstances.

This includes the [European Union General Data Protection Regulation (GDPR) 2016/679](https://gdpr.eu/tag/gdpr/), [UK GDPR (Data Protection Act 2018)](https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted), and [China’s Personal Information Protection Law (PIPL) 2021](https://digichina.stanford.edu/work/translation-personal-information-protection-law-of-the-peoples-republic-of-china-effective-nov-1-2021/).
**Personal information or personal data** means information that relates to an identified or identifiable (living) individual. It is information or an opinion about an individual whose identity is apparent or is reasonably ascertainable. For the context of this policy, ‘personal information’ includes personal, sensitive and health information.
**Privacy impact assessment** means a systematic assessment to identify potential privacy and data protection risks and recommendations to manage, minimise or eliminate them.
**Privacy incident** means when personal information held by the University is subject to misuse, loss, unauthorised access, modification or disclosure.
**Privacy management** means the program of activities adopted by the University to address privacy obligations and risks, as established by the University’s Privacy Management Framework.
**Privacy statement** means the University’s statements that explain generally what information the University collects and why, who we share it with, and how individuals can exercise their rights regarding their information.
**Processing** of personal data means all activities relating to its management by the University, from its collection and use, through to its storage and disposal, and everything in between.
**Profiling** means any form of automated or other processing of personal information used to evaluate certain personal aspects about an individual, such as their personality, behaviour, interests, habits, performance at work, economic situation, health, reliability, location or movements, in order to analyse, predict, or make decisions about them.
**Sensitive information** means information or opinion revealing an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs or affiliations, membership of a professional or trade association, membership of a trade union, sexual orientation ("sexual preferences or practices" in Privacy and Data Protection Act 2014 (Vic)), or criminal record. International privacy and data protection laws, in addition to other privacy and data protection laws, can include additional categories of sensitive information with specific compliance obligations, such as genetic and biometric characteristics, financial accounts, and individual location tracking.
**Supervisory authority or regulator** means the authority or regulator of privacy compliance for a specific jurisdiction. This may include the Office of the Victorian Information Commissioner (in relation to personal information and/or sensitive information), Health Complaints Commissioner (in relation to health information), Office of the Australian Information Commissioner (to the extent that the Privacy Act 1988 (Cth) applies) or other overseas privacy regulators (to the extent that international privacy and data protection laws apply).
POLICY APPROVER
Vice-President Administration & Finance and Chief Operating Officer

POLICY STEWARD
University Secretary

REVIEW
This policy is to be reviewed by 9 January 2029.
## **VERSION HISTORY**
| Version | Approved By | Approval Date | Effective Date | Sections Modified |
| --- | --- | --- | --- | --- |
| 1 | Council | 8 October 2012 | 8 October 2012 | New version arising from the Policy Simplification Project. Loaded into MPL as Version 1. |
| 2 | University Secretary | 23 March 2016 | 23 March 2016 | Update legislation reference to the Privacy and Data Protection Act 2014 (Vic). |
| 3 | Vice-Chancellor | 11 March 2016 | 21 July 2016 | New version arising from the Policy Consolidation Project. This policy and its supporting processes replace the Privacy Policy and the Privacy Procedure MPF1105. |
| 4 | University Secretary | 18 August 2016 | 18 August 2016 | Add hyperlink to Privacy Impact Assessment in section 5.2. |
| 5 | University Secretary | 13 September 2016 | 5 October 2016 | Update hyperlink to Privacy Impact Assessment in section 5.2. Correct error identified in version history table. |
| 6 | Vice-Chancellor | 7 March 2019 | 19 August 2019 | Changed Policy Approver to Vice-President (Strategy & Culture) (previously Vice-Chancellor). |
| 7 | Vice-President (Strategy & Culture) | 16 August 2019 | 19 August 2019 | Incorporated new provisions relating to the European Union General Data Protection Regulation and Commonwealth Notifiable Data Breaches scheme. Amended Policy Steward title. Editorial amendments to correct minor errors or align with the University’s policy style guide. |
| 8 | Policy Officer | 30 November 2022 | 30 November 2022 | Formatting changes. |
| 9 | Vice-President Administration & Finance and Chief Operating Officer | 10 August 2023 | 28 November 2023 | Policy Approver updated to reflect retirement of Vice-President (Strategy & Culture) role. |
| 10 | Vice-President Administration & Finance and Chief Operating Officer | 23 December 2025 | 9 January 2026 | Major amendments to reflect the University’s Privacy Management Framework. Major review requirements met under Policy Framework (MPF1308). |