Records Management Network
Legal & Risk • Records Services

Image source: University of Melbourne Archives, 1993.0058.00002, Old Wilson Hall fire, University of Melbourne, 25 January 1952.

Agenda
• Welcome: Lucy Davies, Acting Associate Director, Information Governance & Engagement/Manager, Records Services, Legal & Risk
• Records Service Update: Lucy Davies, Manager, Records Services, Legal & Risk
• Changing Privacy Landscapes and the University: Susan Maye, Manager, Regulatory Advisory Services, Legal & Risk
• Records Online Project Update: Narelle Moorhouse, Organisational Change & Communications Manager, Records Online Project
• Thank You and Notice for the Next Meeting: Lucy Davies, Acting Associate Director, Information Governance & Engagement/Manager, Records Services, Legal & Risk
• Networking/Morning Tea

Records Services Update


Update
• Content Manager upgrade to 9.2.1 - 16–19 November
• Smart Contracts go-live with email notifications end of November
• e-Signatures project – pilot launched: https://staff.unimelb.edu.au/legal-audit-records-policies/legal-services-advice/guidelines-for-usingelectronic-signatures/onespan-sign-esignatures
• Enterprise Classification Scheme and Retention and Disposal Authority web pages to change late November
• Planning transition of Records Online Project to Records Services in Q3 2019


Changes in Privacy Legislation and the University
An Overview of Our Responsibilities
Records Management Network, November 2018

Key contacts
Gioconda Di Lorenzo
University Secretary
Privacy Officer & Freedom of Information Officer
Data Protection Officer under the EU General Data Protection Regulation (GDPR)

Regulatory Advisory Services – Legal & Risk
Susan Maye
Manager, Regulatory Advisory Service

[email protected] edu. au [email protected] edu. au [email protected] edu. au

Session outline
• What is Privacy?
• The University’s privacy and data protection context
  – The Victorian Privacy and Data Protection Act 2014 and the Health Records Act 2001
  – What is the Commonwealth Notifiable Data Breach Scheme (NDB)?
  – What is the European Union General Data Protection Regulation (GDPR)?
• Interaction between GDPR, the NDB Scheme and Victorian legislation
• How is GDPR the same as other privacy/data protection regimes?
• How is GDPR different?
• Next steps for the University

What is privacy?
• Enables us to create and manage boundaries to protect ourselves from unwarranted interference in our lives
• Protecting information that says who we are, what we do, what we think, what we believe
• Data protection is about safeguarding our right to privacy
• The right to protection of personal data
• A qualified, fundamental human right
• Legislation is mainly about information or data protection, not about bodily or territorial privacy
• Empowering individuals to have control over their personal information

Privacy and the University
• Privacy and Data Protection Act 2014 (Vic): All recorded personal information handled by the University, State and local government agencies (other than health related info)
• Health Records Act 2001 (Vic): All health related personal information held in public and private sectors. Most of the personal info handled by health service

Note: The privacy protections of the PDPA apply to both the University and to contracted service providers who provide a service on our behalf.

What is personal information?
Recorded information or opinion, whether true or not, about an individual whose identity is apparent or can be reasonably ascertained
• Name
• Signature
• Telephone Number
• Email, Home or Work Address
• Employment Position
• Voice Recordings, Photographs or Videos
• Medical Records
• Academic Records

What is sensitive information?
Recorded information or opinion, whether true or not, about an individual whose identity is apparent or can be reasonably ascertained
• racial or ethnic origin
• political opinions
• membership of a political association
• religious beliefs or affiliations
• philosophical beliefs
• membership of a professional or trade association
• membership of a trade union
• sexual preferences or practices
• criminal record

Lifecycle of the Information Privacy Principles (IPPs)
1. Collection
2. Use & Disclosure
3. Data Quality
4. Data Security
5. Openness
6. Access & Correction
7. Unique Identifiers
8. Anonymity
9. Transborder Data Flows
10. Sensitive Information

I. Prior to, or at the time of collection
II. While holding information
III. When using the information
IV. When you no longer need the information

When can I use or disclose personal and sensitive information?
• Primary Purpose
  – Personal information: As outlined in the collection notice
  – Sensitive information: Only as outlined in the collection notice
• Secondary Purpose
  – Personal information: A related purpose and one the individual would reasonably expect
  – Sensitive information: A directly related purpose and one the individual would reasonably expect

Prior to, or at the time of, collection
• Is collection necessary (IPP 1)?
• Provide a collection notice of the intended uses and individuals’ rights of access (IPP 1)
• Do we need to collect sensitive information (IPP 10) or unique identifiers (IPP 7.4)?
• Can the University allow individuals to transact anonymously (IPP 8)?
• Does the University have a policy outlining its information handling practices (IPP 5)?

While holding information
• Ensure the University has security measures in place for the information (IPP 4.1)
• Provide mechanisms to enable individuals to access and correct their information. IPP 6 and the Freedom of Information Act 1982 (Vic)
• Update, amend and supplement the information, as necessary (IPP 3)

When using the information
• Ensure that privacy protection travels with information if it is to leave Victoria (IPP 9)
• Check that the proposed use is permitted under the Privacy and Data Protection Act or that it is otherwise authorised under law, taking extra care with sensitive information (IPP 2)
• Be careful about assigning, using or disclosing unique identifiers (IPP 7.1–7.3)

When you no longer need the information
• Consider whether, and when, the organisation should destroy or de-identify the information (IPP 4.2)
• Do not destroy documents that are required to be retained under other laws, such as the Public Records Act 1973 (Vic), the Electronic Transactions (Victoria) Act 2000 (Vic), and the Crimes Act 1958 (Vic)

Tools: The Records Services team can provide advice on how long records should be retained and how to manage records no longer required. A comprehensive retention and disposal schedule is available at http://records.unimelb.edu.au/

Privacy Impact Assessment (PIA)
• A PIA is a tool designed to identify and assess potential privacy risks and mitigation strategies
• Should be completed at the design stage of a new system or program, and revisited as requirements and legal obligations change.
• This proactive privacy approach embeds privacy considerations into the design and architecture of systems and business processes.

Tools: The University's new online PIA form makes it easier for you to consider your obligations, seek advice and receive a risk assessment from:
• The Privacy Office
• IT Security
• Records Services
• Risk and Compliance

Notifiable Data Breach Scheme (NDB)
• Came into effect on 22 February 2018
• Imposes an obligation on Cwth entities to notify the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches within 30 days
• UoM is not an 'entity' under the Cwth legislation
• However, exceptions apply where we are operating as a TFN recipient and where we have agreements with Cwth agencies effectively making us an entity for a specific purpose
• Failure to comply with the NDB scheme can attract fines up to $2.1 million
• The APPs (Cwth) and the IPPs (Vic) share many common requirements

European Union General Data Protection Regulation (GDPR)
• Effective 25 May 2018, replacing earlier Directive
• Has extra-territorial application in certain circumstances, particularly where you handle the “personal data” of individuals located in the EU
• Applies if a business has an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU
• Mandatory data breach notification within 72 hours for high risk cases. Penalties up to €20 million or 4% annual turnover
• The GDPR and the APPs / IPPs share many common requirements, but there are some key differences and enhanced individual rights under the GDPR
• At present, Australia is not on the EU’s list of countries that are deemed to have equivalent privacy protection.

Application of the GDPR to the University
GDPR has extraterritorial effect – based on the location of the individual whose data is being processed
Applies where the University processes data from individuals in the EU. For example:
• undertaking promotional activities directed to prospective students or alumni based in the EU;
• collecting personal information from European students to facilitate exchange programs;
• collecting personal information through delivery of online courses to persons in the EU; or
• collecting research data from participants in the EU.

What is similar?
General Data Protection Regulation | Privacy and data protection - Victoria and Commonwealth
Personal data and sensitive data | Personal information and sensitive information
Data by design or default | Privacy by design
Data Protection Impact Assessments | Privacy Impact Assessments
Transparency | Collection notices
Notification of data breaches | Privacy breach handling includes notification, mandatory notification for Commonwealth

What is different?
• Concept of controller and processor
• ‘Legitimate interest’
• Consent must be explicit
• Automated processing/profiling
• Data subjects’ rights
• Notification of breaches – deadlines and penalties

What next?
• Understand your collection notices
• Ensure all staff complete privacy training
• Complete a PIA for any new or amended projects
• Notify the Privacy Office immediately if you become aware of a potential breach
• Contact the Privacy Office if you have any questions or concerns

[email protected] edu. au
https://www.unimelb.edu.au/governance/compliance/privacy

Thank you!



Thank you
Next meeting will be in February 2019
Best wishes for the holiday period.

Legal & Risk • Records Services