Privacy and Information Management Policy
Details responsible management of information.
Purpose
To guide staff in the responsible collection, use, disclosure and handling of information collected and managed by the RMIT Group and all its operations.
Scope
The policy is applicable to:
- staff, students and clients of the RMIT Group
- external providers and contractors who may collect, access, use, disclose or manage personal, sensitive, health and confidential information relating to staff, students or any other individual whose information may be collected
- staff and RMIT offshore partners regarding RMIT information as per inclusion in relevant partnership agreements or contracts.
Provisions
1.1. Only information that is necessary to fulfil RMIT functions and activities is collected;
1.2. Sensitive information is only collected and used in accordance with relevant RMIT processes, or where required or permitted by law;
1.3. Individuals are advised of the purpose of collection and their rights to access that information; and
1.4. Maintained information is accurate, complete and up-to-date.
2.1. Personal or sensitive information is only used for the purpose for which it was collected, or for related secondary purposes with consent or as required or permitted by law;
2.2. RMIT is open and transparent about the type of personal or sensitive information it collects from individuals and how the information is used;
2.3. RMIT stores personal or sensitive information securely in accordance with the Information Security Classification Schedule (Schedule 1);
2.4. RMIT ensures that personal credit card details that could inappropriately disclose personal information are never retained or stored at RMIT.
2.5. RMIT must assign and use student and staff numbers only to facilitate efficient management of RMIT business and, where possible, must not use other organisations’ identifiers.
2.6. Personal information must only be collected, stored or handled in accordance with the processes and guidance materials developed and approved by:
2.6.1. the RMIT Privacy Officer (for RMIT Melbourne, RMIT Vietnam and RMIT Europe)
2.6.2. the Chief Executive Officer (for RMIT Training).
2.6.3. the CEO of RMIT Online.
2.7. Where RMIT information or personal information is stored on a portable storage device (PSD), the device owner must take all reasonable steps to ensure the security of the PSD and the information stored on it.
2.8. Personal or sensitive information stored on a PSD is protected.
2.9. Personal or sensitive information must not be stored on any application or software that has not been provided by RMIT.
3.1. RMIT records must be stored in an approved RMIT business application or EDRMS.
3.2. New RMIT business applications are assessed before deployment by the ITS project team in accordance with the Information Security Classification Schedule (Schedule 1) and the Information technology policy.
3.3. Access to the EDRMS is in accordance with the processes approved by the Manager, Information Management.
3.4. EDRMS users are required to undergo appropriate training as directed and organised by Information Management and must follow the requirements set out in the TRIM Manual.
4.1. RMIT must only transmit personal information across borders to a location where different privacy laws apply when trans-border transmission is reasonably necessary for RMIT functions or business activities and:
4.2. RMIT can reasonably ensure the recipient does not breach the law; and
4.3. The transmission is permitted by law; or
4.4. Specific consent of the individual has been obtained.
5.1. The following RMIT staff are responsible for the management and access of Academic Student Records and development of the associated processes:
5.1.1. Academic Registrar (for RMIT Melbourne)
5.1.2. Executive Director (Students) (for RMIT Vietnam)
5.1.3. Director, Partner and Client Support (for RMIT Training)
5.1.4. Principal Knowledge Architect (for RMIT Online).
6.1. The following RMIT staff are responsible for the management and access of Employee Records and development of the associated processes:
6.1.1. Deputy Director, HR Shared Services (RMIT Melbourne)
6.1.2. Executive Director (RMIT Europe)
6.1.3. Director, Human Resources (RMIT Vietnam)
6.1.4. Director, Human Resources (RMIT Training)
6.1.5. Human Resources Director (RMIT Online)
7.1. The Research policy governs the retention and disposal of research records.
7.2. Retention and disposal of RMIT business information and records must follow the processes established by the Assistant Director, Information Management and Archives and, where necessary, approved via the Application for Disposal form prior to disposal or deletion.
7.3. Information that is part of a current Freedom of Information request must be retained.
7.4. Information that is reasonably likely to be required in future legal proceedings must not be destroyed.
7.5. The transfer of records must follow the Transfer of records policy process developed by the Assistant Director, Information Management and Archives.
7.6. Access to RMIT information or personal information stored at RMIT Archives is granted in accordance with the Access to Archives policy process developed by the Assistant Director, Information Management and Archives.
8.1. Staff must complete a Privacy Impact Assessment for:
8.1.1. projects (excluding research projects),
8.1.2. development of new information systems,
8.1.3. other activities with a potential impact on privacy, data protection and information management.
8.2. For research projects the privacy impact is assessed as part of the human research ethics process.
8.3. Privacy impact assessment and investigations about a privacy breach or complaint must be conducted in accordance with the processes and guidance materials developed by the Assistant Director Compliance. For entities, the processes and guidance material are agreed to by:
8.3.1. The President RMIT Vietnam
8.3.2. The Executive Director, RMIT Europe
8.3.3. The CEO of RMIT Training.
8.3.4. The CEO of RMIT Online.
9.1. Investigations of breaches of this policy or non-compliance with legislation are undertaken in accordance with the guidelines developed and agreed. For entities, investigations are undertaken in conjunction with:
9.1.1. The President RMIT Vietnam
9.1.2. The Executive Director, RMIT Europe
9.1.3. The CEO of RMIT Training.
9.1.4. The CEO of RMIT Online.
Schedules
Classification | Access | Examples | Impact if disclosed
---|---|---|---
Public | Information is accessible by external parties from any location. | Newsletter, education material created for public use, course schedule, course catalogue, campus brochure, campus map, annual report. | Negligible adverse impact to RMIT if disclosed.
Trusted | Access to information must be restricted to specific job roles, and requires authentication and password protection. | Budget and financial information, de-identified clinical research information, audit reports, student academic records, student grades, strategy and planning documents, purchasing data. | Could harm RMIT reputation, lead to financial loss and/or harm to individuals such as identity theft.
Protected | Access to information requires authentication and password protection. Information accessible by only a limited number of authorised people. Devices and records must be stored in a secured (locked) location. Google applications must not be used to store this information. | Intellectual property, commercially sensitive research, personally identifiable sensitive information, disciplinary information, salary information, examination papers, binding contracts, HR employee evaluations, medical / health information. | Would cause exceptional damage to RMIT, staff or students if disclosed. These records are evidence of RMIT functions or business activities where greater restrictions are required to protect the rights and interests of both RMIT and individuals, or to limit RMIT’s liabilities.
Restricted | Access to records and files requires authentication and password protection. Record and file access must be protected and accessible by only top level management within the University. Devices and records must be stored in a secured (locked) location. Google applications must not be used to store this information. | Confidential out-of-court settlements, records affecting national security, protected disclosures, security vulnerabilities. | Could cause physical harm to individuals or significantly impact RMIT operations and business objectives if disclosed. These records are evidence of RMIT functions or business activities where wider dissemination would expose RMIT or individuals to significant risks or liabilities.
Status & details
Custodian: Vice-President Strategy & Governance
Operational responsibility: Compliance / Information Management & Archives
Effective from: 12 July 2017
Last updated: 7 March 2018
Version: 1.1
Contact: privacy@rmit.edu.au
Document reference: POL/2018/00057[V2]
Term | Definition
---|---
Academic Student Record | Set of documents and information gathered from interactions with enrolled students.
Business application | Any software or set of computer programs that are used to store RMIT information and perform business functions.
Confidential information | Material containing sensitive personal or business data.
Electronic Document and Records Management System (EDRMS) | A system used to manage the creation, use, maintenance and disposal of documents and records for the purposes of providing evidence of business activities.
Health Information | Personal information (from the Health Records Act (VIC) 2001) about:
Personal Information | Any information or opinion recorded in any form about an identifiable individual. Examples of personal information include (from the Privacy and Data Protection Act (VIC) 2014):
Employee Records | Personal information relating to the employment of RMIT staff (from the Fair Work Act (Cth) 2009).
Portable storage device (PSD) | Any portable device that is designed to hold digital data. These include, but are not limited to, portable hard drives, flash drives, notebook computers, handheld computers, tablets and mobile phones.
Retain/Retention | Period of time that RMIT information must be retained in its place of origin before transferral to the RMIT Archive or otherwise disposed of.
RMIT information | Data and records, regardless of format, created or collected to fulfil RMIT functions and activities.
RMIT records | RMIT business information that evidences business decisions and transactions, including:
Research records | Documents related to the carrying out of the research project, including: For how to manage research records, refer to the Research data management policy process.
Research management records | Documents related to the management of research projects, including contractual materials, grant or funding applications, and ethics approval.
Sensitive information | Personal Information about an individual’s privacy (from the Privacy and Data Protection Act (VIC) 2014):