Under the Act, “Personal Information” is defined as: “Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.”
1. ABOUT MBS
MBS is the graduate school in business and economics for the University of Melbourne (‘University’), and is jointly owned by the business community and the University. MBS is a tertiary education provider that specialises in Master of Business Administration (‘MBA’) programs and executive education.
MBS provides its’ services both physically on campus and through the distribution of educational content and services through online properties, assets and connected devices (together, ‘MBS Services’).
In providing the MBS Services, we are sensitive to Users’ concerns about the safety of their Personal
In essence, MBS will typically only:
- collect, use or share your Personal Information with your consent (unless it is not reasonable in the circumstances to obtain your consent and it is legally permissible for us to do so) or when required by a legal obligation; and
- interact with your Personal Information in order to: (a) provide you with the MBS Services and (b) help us improve and develop the MBS Services.
MBS has developed our privacy framework to assist Users, and to comply with privacy legislation and regulations applicable to us and our management of your Personal Information.
2. HOW MBS COLLECTS YOUR PERSONAL INFORMATION
MBS collects Personal Information from individuals in one of three main ways:
a) Directly from Users, when they interact with MBS (e.g. enquire about the MBS Services or attend an event on campus);
b) Passively from Users, when they interact with our website, online platforms and digital presence;
c) From third-parties in certain, specific circumstances (e.g. in assessing whether we think the MBS Services will be suitable for a particular individual).
The specifics of Personal Information collected in each situation is discussed further below.
3. WHEN MBS COLLECTS INFORMATION FROM USERS AND WHAT WE COLLECT
(a) Personal Information collected directly
When a User makes an enquiry or sends us an expression of interest on our website or other digital property we may collect the following types of Personal Information directly and consensually:
- Basic contact information, including your name, email, and phone number; and
- Enquiry information, such as an indication of when you would be interested in studying at MBS or contributing to the development of MBS Services, or other information provided by you regarding your enquiry.
When you apply for enrolment or registration in an MBA or executive education program we may collect the following types of Personal Information directly and consensually from you:
- Student information, such as your name, address, email, phone number and emergency contact information, and if applicable, curriculum vitae, passport or citizenship details;
- Enrolment information, such as applicable academic transcripts, referee reports, as well as details of your organisation (e.g. your employer), your professional capacity and your work history;
- Payment information that is required as part of the enrolment process (e.g. credit card information); and
- Health information, such as your dietary requirements or information relating to any health conditions we need to be aware of when providing you with the MBS Services.
When students/participants submit administrative applications (e.g. applications for special considerations, or enrolment overload requests), we may directly and consensually collect the Personal Information outlined in the relevant application.
When you register or purchase a ticket for information sessions or other events (e.g. networking events for students/participants or alumni) we may collect the following types of Personal Information directly and consensually from you:
- Basic contact information, including your name, email, and phone number; and
- Any event-appropriate health information, such as your dietary requirements.
When you make a donation to MBS we may collect the following types of Personal Information directly and consensually from you:
- Contact information, such as your name, address, email and phone details;
- Donation information, such as how you would like the donation to be used; and
- Payment information you have provided in order to make the donation.
When you respond to a survey we may directly and consensually collect the Personal Information disclaimed and explained on the survey form.
When you provide MBS with unsolicited feedback or otherwise interact with MBS on your own accord we may collect any contact information you provide (including Personal Information), as well as your feedback.
When you make an application for employment at MBS, we may collect any Personal Information provided within that application, such as the contents of a personal statement made in support of your application.
If you are successfully enrolled and commence studies at MBS we may collect Personal Information regarding your subject choices and academic performance.
(b) Personal Information collected passively
As you use the online and digital components of the MBS Services (e.g. accessing our website, logging into your account on the Learning Management System (‘LMS’), or interacting with our advertisements) we may collect the following types of Personal Information about your usage:
- Content that you post and submit, including posts on our social media accounts or on forum threads in the LMS, as well as similar content that is posted about you by others;
- The following types of browser, system and device information regarding MBS’ and other devices you use to access our digital content:
- Locational information, such as in the form of the IP address from which you access the MBS Services, particularly when accessing the internal;
- Web data tracking information, such as data from cookies stored on your device, including cookie IDs and settings, as well as logs of your usage of MBS’;
- System usage information, including logs of your access to educational resources such as LMS, “Web Print” or “UniWireless”.
(c) Personal Information collected from third-parties
In certain specific situations, MBS will collect Personal Information about you from third-parties. The types of Personal Information collected include:
- Academic information, such as graduate management admission test (‘GMAT’) and English proficiency test results;
- Web data tracking information that fit certain parameters of who we think could become MBS students/participants or clients (e.g. heat maps developed through Google Analytics which track patterns of user interactions with our web pages); and
- In some isolated circumstances, publicly available wealth screening information such as indications of your philanthropic interest and ability.
4. WHY MBS COLLECTS YOUR PERSONAL INFORMATION AND WHAT WE USE IT FOR
Although MBS collects Personal Information from Users in a number of circumstances, MBS will only collect this information in order to provide and develop the MBS Services. Here are the main ways we use Personal Information to achieve these objectives:
Communicating with Users
MBS will use basic contact, enquiry and student/participant information in order to communicate with individuals about their enquiries, interest in events and for other administrative purposes related to the specific reason for which the Personal Information was collected.
If Users have consented, MBS will also use these types of Personal Information to share relevant news and updates about MBS and the MBS Services.
Finalising enrolment and registration purposes
MBS will use enrolment information and payment information to gauge the suitability of Users for MBS Services and to finalise the relevant processes. MBS may also use this information to coordinate and host events such as information sessions and alumni networking evenings.
Administration and delivery of MBS Services
MBS will use basic contact and student/participant information to engage with students/participants for administrative purposes (e.g. resetting account password or approving special consideration applications) and to effectively and efficiently provide them with the MBS Services (e.g. to set and receive assignments required under program syllabuses).
Health information is used to ensure MBS can adequately and appropriately respond to any specific needs Users might have (e.g. dietary requirements at events or special considerations for assignments).
Sometimes these types of information will also be used to facilitate student experiences such as educational trips, student exchanges or study abroad programs.
Ensuring User safety
MBS will use health and emergency information in order to ensure Users’ medical needs are appropriately met, when applicable.
MBS will also use any type of information collected to prevent and address risks to all Users (e.g. MBS will use information to investigate suspicious or threatening activity occurring on campus).
Research and development
MBS will use survey information to develop, test and improve the MBS Services. MBS’ preference will be to de-identify this information first, and then use it for this purpose in conjunction with de-identified enrolment information, and de-identified browser and device information (see section 6 below for an explanation of what we mean by “de-identified”).
MBS may also use basic contact, enquiry and past donation information to see if you would be interested in donating to the ongoing development of MBS and the MBS Services. In some cases, MBS may also use publicly available wealth screening information to assess the appropriateness of asking you whether you would like to donate or otherwise contribute to the development of MBS and the MBS Services.
If an individual wishes to make a donation, payment and donation information will be used to ensure donated funding is applied as intended. The specifics of such a donation to MBS may be used to assess the appropriateness of contacting you for future development initiatives.
Where Users have expressly consented, MBS will use basic contact, enquiry and student/participant information to provide Users with relevant marketing materials and offers. Users can always opt out of this through the functionality provided in each marketing communication (e.g. by clicking “unsubscribe” at the bottom of an email).
5. MBS’ DISCLOSURE OF PERSONAL INFORMATION
Generally, MBS does not disclose Personal Information to any third-parties except:
- Service providers MBS engages to help us provide and develop the MBS Services (e.g. cloud service providers or consultants);
- In some specific circumstances, Users’ employers (e.g. the companies they work for); and
- Law enforcement agencies, or another party that has a legitimate legal right to access the information.
Some of the third-parties MBS discloses Personal Information to are located overseas. This is particularly the case for our cloud service providers which are currently located in the United States and Ireland.
Sometimes we may also disclose students/participants’ Personal Information to other universities or educational organisations. Typically, the recipients of this information have been in the People’s Republic of China, the United States, New Zealand and Canada.
As with disclosures to third-party service providers, overseas disclosures are always made once MBS has taken all reasonable steps to determine the information will be treated as at least as favourably under the Act and other applicable privacy laws.
6. MBS’ TREATMENT AND STORAGE OF INFORMATION
MBS’ general approach
MBS will keep your Personal Information confidential and not sell or knowingly divulge User information to any external third-parties, unless:
- We believe, in good faith, that we are required to share the Personal Information with a third party in order to comply with legitimate legal obligations;
- The disclosure is to a third-party processor of Personal Information that acts on our behalf and/or under our instruction in order to enable us to deliver the MBS Services (e.g. a cloud service provider);
- Members of MBS (typically via the Board);
- Other entities which may acquire ownership or operation of MBS or the MBS Services; and/or
- To protect the safety of Users, and the security our MBS Services.
MBS seeks the informed and voluntary consent of individuals whenever it collects their information, or as soon as possible after.
Users can always refuse or revoke this consent, but sometimes this will affect MBS’ ability to provide them with the MBS Services. MBS will advise Users if this is the case.
De-identified information refers to information that cannot reasonably be used to identify a particular individual.
De-identified information that will never be able to personally identify particular individuals is referred to as anonymised information (e.g. statistics that show 90% of Users were happy with the MBS Services). Additionally, de-identified information that can identify individuals only if it is combined with another, separate piece of information is referred to as pseudonymised information (e.g. student/participant ID numbers).
Where possible MBS will aim to collect, store and use anonymised information as a first preference, and if not, then pseudonymised information.
However, sometimes it will be impractical for User information to be de-identified or treated in this way, and in this case, MBS will continue to use and hold the information in a personally identifiable state. For example, if MBS needs to reply to a User enquiry we will have to use the contact information provided.
MBS is committed to information security. We will use all reasonable endeavours to keep the Personal Information we collect, hold and use in a secure environment. To this end we have implemented technical, organisational and physical security measures that are designed to protect Personal Information, and to respond appropriately if it is ever breached (e.g. MBS has developed an extensive Data Breach Response Plan which we use to prepare and respond to data breaches).
When information collected or used by MBS is stored on third-party service providers (e.g. Azure or AWS cloud servers), MBS takes reasonable steps to ensure these third-parties use industry standard security measures that meet the level of information security MBS owes Users.
As part of our privacy framework we endeavour to routinely review these security procedures and consider the appropriateness of new technologies and methods.
In the circumstances where MBS suffers a data breach that contains Personal Information, we will execute our Data Breach Response Plan and endeavour to take all necessary steps to comply with the Notifiable Data Breach Scheme outlined under the Act.
This means we will immediately make an objective assessment of whether a breach of Personal Information is likely to result in serious harm to individuals, and if this is the case, endeavour to notify the affected individual(s) and the Australian Information Commissioner.
7. MBS’ RETENTION OF INFORMATION
MBS retains Personal Information until it is no longer needed to provide or develop the MBS Services, or until the individual who the Personal Information concerns asks us to delete it, whichever comes first. It may take up to 30 days to delete Personal Information from our systems following a valid request for deletion.
However, MBS will retain:
- Personal Information in circumstances where we have legal and regulatory obligations to do so (e.g. for law enforcement purposes, employment law, corporate or tax record keeping, and where the information is relevant to legitimate legal proceedings, or in keeping with its’ requirements under other Australian record keeping legislation such as the Public Records Act 1973 (Vic)); and
- anonymised information for analytic and service development purposes.
8. SPECIFIC RIGHTS OF EUROPEAN RESIDENTS
Users who are habitually located in the European Union (‘EU Residents’) have additional rights in respect of their Personal Data (a term that is fundamentally interchangeable with Personal Information).
Users who are EU Residents should refer to Schedule 1 for more information regarding how MBS’ privacy practices in relation to their Personal Data.
9. MANAGING PERSONAL INFORMATION YOUR INFORMATION
Accessing and ensuring the accuracy of Personal Information
MBS takes reasonable steps to ensure that the Personal Information we collect and hold is accurate, up to date and complete.
Users have a right to access and request the correction of any of Personal Information we hold about them at any time. Any such requests should be made by directly contacting us at the details set out below. MBS will grant access to the extent required or authorised by the Act and applicable laws, and will take all reasonable steps to correct the relevant Personal Information where appropriate.
There may be circumstances in which MBS cannot provide Users with access to information. We will advise you of these reasons if this is the case.
MBS has appointed a Privacy Officer to be the first point of contact for all privacy related matters and to assist in ensuring our compliance with our privacy obligations.
Privacy Officer firstname.lastname@example.org
200 Leicester Street
Carlton VIC 3053
ABN: 80 007 268 233
If you have any queries or wish to make a complaint about a breach of this policy, the Act or the Health Records Act, you can contact or lodge a complaint to our Privacy Officer using the contact details above. You will need to provide sufficient details regarding your complaint as well as any supporting evidence and/or information.
The Privacy Offer will respond to your query or complaint as quickly as possible. MBS will contact you if we require any additional information from you and will notify you in writing (which includes electronic communication via email) of the relevant determination. If you are not satisfied with the determination you can contact us to discuss your concerns or complain to the Australian Privacy Commissioner via www.oaic.gov.au.
SPECIFIC RIGHTS OF EUROPEAN RESIDENTS
MBS is committed to ensuring its compliance with the European Union General Data Protection Regulation (‘GDPR’).
Under the GDPR, MBS is primarily a “controller” of Personal Data, as opposed to being a “processor”. As part of its’ GDPR compliance, MBS provides the MBS Services in a way that ensures:
Personal Data (i.e. Personal Information) is:
- processed fairly, lawfully and in a transparent manner; and
- collected and processed only for specified and lawful purposes.
Processed Personal Data (i.e. Personal Information that is used, held or disclosed by MBS) is:
- adequate, relevant and not excessive;
- accurate and, where necessary, kept up to date;
- kept secure, and not longer than necessary;
- not transferred to countries outside the European Union without adequate protection; and
- treated in accordance with individuals’ legal rights.
Whilst MBS strives to provide all Users with appropriate access and control over their data, individuals covered by the GDPR are also able to:
- Prescriptively restrict, limit or otherwise provide instructions to MBS regarding how we can use their Personal Data. This includes being able to object to how and why their Personal Data is used (e.g. by the removal of their consent for particular functions);
- Verbally request the erasure (i.e. deletion) of their information; and
- Request MBS provides all Personal Data held about them in a portable format, meaning in a way that is structured, commonly used and machine-readable. Users who exercise this right to data portability are also able to direct MBS to transmit this data to other entities who they intend to allow to process their Personal Data.
MBS will allow and assist Users that are EU Residents to exercise these rights, unless we have compelling and legitimate legal grounds not to (e.g. a legal obligation under Australian legislation, or if the Personal Data has been fully anonymised).