RMIT values the privacy of every individual and is committed to the responsible handling of personal information.
This Privacy Statement explains what personal information we gather and details how that information is used.
Types of personal information:
- Personal information: Recorded information about a living identifiable or easily identifiable individual
- Sensitive information: Personal information about a living individual's race or ethnicity, political opinions, religious or philosophical beliefs, sexual preferences or practices, criminal record, or memberships details, such as trade union or professional, political or trade associations, genetic data and biometric data
- Health information: Information about a living or deceased individual's physical, mental or psychological health.
RMIT only collects information about you by lawful and fair means and in a non-intrusive way. RMIT collects personal, sensitive and health information as necessary for its core functions, including for educational, research, community and commercial purposes. We may collect personal information from:
- prospective and current students
- staff, including job applicants, as well as contractors
- alumni and donors
- research participants
- industry partners
- RMIT club and gym members
- staff, employees and volunteers from other organisations
- other members of the public who interact with us.
The information we collect depends on how you interact with us and the purpose of that interaction. RMIT may collect sensitive information, including health information, in certain limited circumstances and for a specific purpose. RMIT also uses specific collection statements in connection with your engagement with us, such as the staff privacy statement and the student privacy statement.
Where appropriate, examples of the usual parties that RMIT provides personal and health information to and for what purposes are captured in more detailed privacy collection statements, such statements are provided to you at the time your personal information is collected or as soon as practicable thereafter.
Your personal information is usually collected directly from you. In some cases, we may collect information from a third party, such as a government authority, agency, contractor, or other educational or research institutions. Where personal information is provided to us by a person other than you, it will be deleted or de-identified if not required, or you will receive a notice of its collection, its use and your rights as a data subject.
Where practicable, you may choose to remain anonymous when interacting with RMIT. However, remaining anonymous may affect your ability to access some RMIT services and systems. RMIT will let you know when this may affect your engagement with us.
RMIT uses personal and sensitive information to deliver our core functions, and comply with our obligations with respect to the provision education and research. We use your information for the primary purpose for which it was collected, a related secondary purpose that you may reasonably expect (with the exception of sensitive information), as required by law, or with your permission or consent.
The laws in some jurisdictions require us to tell you about the legal ground we rely on to use or share your personal information. These legal grounds may include, but are not limited to, meeting our contractual commitments to you, for a legitimate interest, to comply with law, or to perform a public task. We will always consider your rights when using your personal information.
We may use and process your information for the delivery of legitimate University business, including:
- Education and education support: admission, enrolment, content delivery and learning activities, assessment, graduation, services (e.g. library, wellbeing, support), handling disputes, investigations, audits, data analysis and improvements, general administration and enquiry management.
- Research and research support: including participant data, administration and commercialisation.
- Community engagement: website operation, addressing enquiries and requests, marketing, mailing lists and newsletters, alumni and donor relations.
- Industry engagement: news emails, event invitations.
- Employment and employee support: recruitment (including referees), payroll, health and safety, learning and development for staff and other Human Resources programs, contractors and volunteers.
- Operational management and finances: financial management, processing fees, IT security and management, data analysis, legal and professional services, analysing and improving our courses, educational opportunities, business and services.
- Infrastructure and facilities: access and management systems, CCTV, identity management, security and emergency response, including to lessen or prevent threats to safety.
- Transacting between RMIT entities to deliver and improve our services.
- For a secondary purpose or where otherwise permitted by law, such as the provision of information to government departments or agencies.
We may share your personal information with third parties where appropriate for the purposes set out above, including but not limited to:
- financial institutes for payment processing
- regulatory, investigative, law enforcement or government bodies
- referees whose details are provided to us by job applicants
- other educational institutes and educational partners, some of which are overseas, including educational agents
- pre-enrolment testing providers
- our contracted service providers or partners, including overseas and local agents, information technology service providers, venues and event organisers, marketing and communication agencies, research and statistical analysis providers, call centres, hard copy and electronic mailing houses, professional advisers (such as recruitment advisers, auditors, accountants, insurers, and lawyers), and externally hosted applications.
- as required or authorised by law
- otherwise with your consent.
These recipient organisations and contracted service providers are required to keep personal information confidential and provide the same privacy safeguards as we do. Some of these recipients may be located outside of Spain or Europe, which means that your personal information may be transferred interstate or overseas (trans-border), including but not limited to:
- countries in Europe
- the United States of America.
Where we transfer your personal information to a recipient outside of Europe, we take reasonable steps to ensure the recipient handles the information in accordance with this Privacy Statement, our Policies, and the relevant privacy and health information principles.
Where appropriate, examples of third parties that RMIT provides personal information to and for what purposes are captured in more detailed privacy collection statements, which are provided to you at the time your personal information is collected.
RMIT applies safeguards and takes appropriate security measures to protect your personal information from misuse, loss, unauthorised access and disclosure.
Stored information is also archived in accordance with the Public Records Act 1973 (Vic), which determines when information should be retained or disposed. Reasonable steps are taken to destroy or permanently de-identify your personal information when it is no longer needed for any purpose.
Personal information may be stored in hard copy documents, as electronic data, or in RMIT software or systems, including cloud or other types of network or electronic storage. Some of the ways RMIT seeks to protect personal information include:
- privacy processes and the protection of information
- document storage and data security processes
- security measures for access to RMIT computer systems
- controlling access to RMIT premises
- website protection measures.
Where it is necessary to share your personal information with a contracted service provider or third-party, RMIT takes reasonable steps to ensure that there are appropriate safeguards in place to protect your personal information.
RMIT operates in Australia and overseas, including Spain and Vietnam. Accordingly, we may need to share some of your information we collect about you between RMIT entities in these jurisdictions. For example, this could include the transfer of your information from an EEA country to Australia, and vice-versa.
RMIT takes reasonable steps to ensure that personal information held is accurate, complete and up-to-date. RMIT relies on you to provide us with accurate and current information in the first instance, and to notify us when your circumstances or details change.
You have certain rights to seek access to personal information we hold about you (including, in some cases, in portable form), and to obtain its correction, update, amendment or deletion in appropriate circumstances, regardless of your location. You also have rights to withdraw your consent or request that we restrict how your information is used.
You may seek access to personal information we hold about you or to update and correct your information. In some instances, you will be able to access and update your personal information yourself through online portals such as myRMIT. Otherwise, you may access and/or correct your personal information by directly contacting the area of RMIT that has the information in the first instance, or if unknown:
- RMIT Connect for students
- HR Assist for staff
- the RMIT Privacy Office via email firstname.lastname@example.org
- RMIT Europe (Spain) via email email@example.com, where applicable.
In some situations, access will not be appropriate, and you may be required to make a formal Freedom of Information request, for example, if a third party’s privacy is involved. The Freedom of Information Act (Vic) provides that where a document relating to the personal affairs of a person is released that person is entitled to request a correction where the information is inaccurate, incomplete, or out of date. Information about the Freedom of Information process at RMIT is available at the following link: https://www.rmit.edu.au/about/governance-and-management.
In certain circumstances, you can:
- Rectify personal information held about you where it is incorrect or incomplete (right to rectification)
- Request that your personal information be deleted if certain grounds are met (right to erasure)
- Restrict or object to how your personal information is used (right to object and restrict processing); and
- Obtain a copy of your data in a commonly used electronic form, or request that we share your personal information with any person acting on your behalf (such as agents, guardians, employers, government departments) (right to portability).
To exercise these rights, please contact us. The rights and options described above are subject to limitations and exceptions under applicable law. In addition to those rights, you have the right to make a complaint. We encourage you to contact us first, and we do our very best to resolve your issue.
RMIT may make a record of your visits to RMIT websites and log information for statistical and system administration purposes, including but not limited to:
- your server address
- your domain name
- your IP address
- the date and time of the visit
- the pages accessed and documents downloaded
- the address of your last site visited
- the type of browser used.
A cookie is a small text file that is sent to your device by means of your web browser. The information stored can be re-sent to our servers during a next website visit. Cookies will not store personal information and cookies will not harm your computer.
Cookies may store the following information: session (numbered key) and duration. A numbered key is a unique server-generated number used to track your current session. The session key can be linked back to your login identification for authentication purposes and to improve security during your session online.
If you leave an RMIT website and visit a website operated by a third party, RMIT cannot be held responsible for the protection and privacy of any information that you provide to third party websites. Accordingly, we always encourage you to exercise caution and review the privacy statement applicable to the website you visit.
If you are concerned that RMIT may have breached its privacy obligations or this Privacy Statement, please contact us (see section 7). When contacting us, please provide as much detail as possible in relation to your issue or complaint.
RMIT takes privacy-related complaints very seriously and undertakes to resolve privacy complaints in a timely, fair and transparent way.
If you are not satisfied with our handling of your complaint, you may refer the issue to the Office of the Victorian Information Commissioner (at firstname.lastname@example.org), or in some circumstances, the relevant supervisory authority in another jurisdiction.
Please feel free to contact us on (+613) 9925 1161 or email email@example.com if you have any questions or concerns about this Privacy Statement or RMIT’s collection, use or disclosure of your personal information.
For EU residents:
For the purposes of EU data protection legislation, RMIT Europe is the controller of your personal information. Our Data Protection Officer can be contacted via email at firstname.lastname@example.org or by phone at +61 3 9925 1161.