CIS Privacy page

This page is maintained by Lee Naish, Privacy Liaison Officer for the Department of Computing and Information Systems, (and previously Computer Science and Software Engineering) University of Melbourne since June 2002. It contains resources concerning privacy issues in our department. Privacy issues are important, especially for computing professionals. Even if nobody in our department has any concerns about invasion of their privacy, raising awareness of privacy issues amongst both staff and students in our department is worthwhile. Any opinions expressed here are personal and should not be taken as official policy. This page was last updated on Wed May 22 12:02:14 EST 2013

Reporting Privacy Concerns

I am happy to hear any privacy concerns from students and staff in our department. My contact information is as follows.
My Office 7.23
E-mail lee (at unimelb etc)
Phone 8344 1343
Fax (department) 9349 4596
Since I work only part time, e-mail is probably the most easy and reliable way to contact me (though not necessarily the most private).

If you don't trust me, you may like to contact the head of department, the University Privacy Officer (see also the University privacy page) or the Victorian Privacy Commissioner.

If you don't trust the system administrators (I have reasonable trust in them) or the security of the system (which is not high), and/or want to remain anonymous, you should not send sensitive e-mail from a local machine. Use another account, for example, go to a cyber cafe, create a web-based e-mail account for yourself using a fake name and send e-mail from that. You may also send me e-mail encrypted with this PGP (or GPG) public key. Note that despite the 2048 bit "military grade" encryption, I'm likely to decrypt the message on a department machine and its possible (though not likely) the plain text may be seen by a sysadmin or hacker. Alternatively, somebody may have hacked the file containing the public key, allowing only them to decrypt your e-mail instead of me. Or the locally installed version of pgp might contain a key logger trojan, et cetera. Communicating by phone or letter is probably more secure. I am not disclosing my home address or phone number - thats private!

Why is the University concerned about privacy?

The cynical answer is that it must comply with the Victorian Information Privacy Act, 2000. Actually, for many of the activities of the university it has had to comply with the Commonwealth Privacy Act, 1988, so appointing a privacy officer was actually well overdue.

Privacy Issues

In this section I list some privacy issues which have been raised in our department. I occasionally update this section, but the chances are there are more recent issues which are not documented here.

Good news (finally) - Booking flu vaccinations

In 2010 the University outsourced coordination of staff/postgraduate student flu vaccinations. This involved staff and students entering personal information into an online form. The website had a privacy policy available (though you had to enable cookies and enter some information into a form in order to get to it) which said the purpose of the company collecting information is "to further its business purposes". It went on to say "You consent to the Company having an unrestricted right to use and store such information on the company's internal computer systems", amongst other thing. My objections lead to revision of their privacy policy and a review of how the University treats privacy in its external contracts. The standard "Acquisition of Services Agreement (Non-IT services)" was used in this case. Conditions apply to information provided by the University to the service provider but they do not necessarily cover information that individuals provide directly to the service provider. This is becoming increasingly common - where we previously provided information to an admin staff member employed by the university (or they looked it up for us), we now enter it into some online system, which may be outsourced to a company which values our private information more than our privacy.

In 2011 a different external service provider was used by the university for flu vaccination bookings, which was even worse in some respects. For example, there was no privacy policy displayed on the site and the site used Google Analytics, so Google could track people who registered for a flu shot. I complained again and was assured that the provider had signed the appropriate contract with the universty so our personal information would not be divulged by the service provider, and that the company would be asked to put a privacy policy on their site. In 2012 yet another external service provider was used, but this time they finally got it right - there was what I considered to be a very reasonable privacy policy linked to the booking page. I sent a congratulatory e-mail.

Other online booking issues

In November 2012 the department and NICTA announced two seminars to celebrate the Turing centenary. To attend it was necessary to register via a commercial events booking service which had no privacy policy. I registered using a fake name etc, downloaded my tickets, and complained to the organisers.

In October 2012 the university lauched the Melbourne School of Information (organised by the Melbourne School of Engineering). In order to attend, personal information had to be entered into a web form of a company which manages events. Under their privacy policy it said "We may use your Personal Data to contact you in the future for our marketing and advertising purposes" and by default, booking for the launch signed up attendees to their newsletter, which you could only avoid by creating an account with them and changing your e-mail preferences. I registered using a false name and e-mail address, and complained.

In January 2004 staff in Information Systems arranged for a massuer to visit our building for the benefit of staff and students. An web-based booking system was implemented on a web site run by a DIS staff member. The massage booking web site was designed to collect e-mail addresses and phone numbers but there was no information about who runs the web site, the purpose of collecting the information, how securely it is stored, who is given access to it et cetera. I don't think our students (or staff) should be encouraged to provide personal information to such a web site and requested that the site be updated to provide more information. A privacy page was added to the site quite promptly, providing information and the ability for users to view all information stored about them (password protected). The ability to book a massage by phone was also introduced.

Good news: DETYA report, Casual staff management, network and proxy monitoring...

In July 2004 staff in the Department were informed that an annual report to DETYA required information on "country of birth other than Australia" and "primary language spoken at home" for staff. The good news is our department manager also informed us that "No other personal information is disclosed".

In August 2004 I was approached about privacy aspects of requirements for a casual staff management system. Its is nice that the Department was pro-active on this matter rather than implementing the system then have someone mention there are privacy implications. There were some discussions in 2007 about what to do with comments made by students about individual casual staff.

In September 2005 I was approached about privacy aspects of testing a network intrusion detection system which collects data packets within the CSSE computer network. Some effort was put in place to ensure no personally identifiable information was retained.

In January 2006 I was approached about privacy aspects of collecting information from our web proxy. Information retrieval researchers in the department wanted to capture information about queries to search engines such as Google, and subsequent user behaviour (for example, which links they followed). Substantial thought was put into designing a system of filtering potentially sensitive queries, anonymising information, obtaining informed consent of users and allowing opt-out provisions. For example, it was initially considered that obtaining informed consent from undergraduates was impossible so only data from staff and postgraduates should be collected (I believe data from students may now be collected; I had some input into simplifying the language in the notice to students). Also any query containing a name of anyone in the department, plus various other key words, would be filtered out. The system has now been set up. In March an e-mail was sent reminding people of the system; the opt in/out part of the system appeared to still work.

After the University Open Day in 2007 staff were asked to complete a survey, and privacy issues were addressed in the request.

The final package of documentation for the 2009 ACS/EA accreditation of our courses was labelled

Confidential, may not be copied or circulated or used for any purpose other than the 2009 EA Accreditation Visit to the University of Melbourne.

RQF research spreadsheets and staff ids

In November 2007, as part of the Research Quality Framework "dry run" (the RQF was abandonned very soon after this), the employee numbers of all staff with research output involved in the RQF was put on a web site accessible to anyone with a Unimelb staff e-mail account. Employee numbers are used for authentication for various things, from the photocopier in our department to redirecting staff salaries to arbitrary bank accounts. In reply to my e-mails I was told "Thank you for expressing your concerns. Please be advised however that Employees numbers are not confidential". One problem (which I pointed out, and has not been rectified) is that the university does not make clear what is meant to be confidential and what isn't. Having expressed support for my stand, the head of department supressed employee number information on some handouts for a department meeting but failed to elsewhere (I didn't actually notice until he e-mailed me).

Access to student project submissions and other files

In March 2007 an academic from another university asked our head of department for copies of old student submissions to help with research on plagiarism detection. I recommended that we not provide the submissions, though we could offer to run experimental plagiarism detection software locally and provide some results. This was agreed to.

In late 2008 a UoM academic asked a sysadmin to provide all student files from a first year Informatics subject (not just files submitted for assessment), to look for evidence of plagiarism. After discussion with me and the HoD the request was refused.

Enrollment numbers and other unique IDs

Each student has a growing number of unique IDs, for example enrollment number, "unimelb" e-mail address, "csse" login ID, etc. What is the purpose of each of these IDs and what information can what people get from each one? What are legitimate reasons for staff to use an enrollment number to look up student records? In my experience our department behaves responsibly in this respect but it would be nice to have some guidelines.

There has long been a practice of publishing lists of academic results using enrollment numbers (rather than names). In our department it is common for project marks to be published on Web pages using enrollment numbers and in at least one subject in 2003 final results were published in this way. The (unstated) assumptions are that students have a right to privacy with respect to their results and enrollment numbers are also private. In contrast, "unimelb" e-mail addresses are not considered private, at least within the University (the university web site has an e-mail directory). The "private" nature of enrollment numbers is important and should be explicitly stated to all staff and students. This would reduce the chance of enrollment numbers being linked to other identifying information. For example, in the past I have seen lists of names, enrollment numbers and tutorial allocations displayed. In February 2004 I spotted such a list for one tutorial in our department, online in a place where all students could read it (it had been there for six months). Such lists were created routinely and still had enrollment numbers in second semester 2004 (and some were probably passed around classes so people could tick off their names). I reminded staff that they must be treated with care and requested enrollment numbers not be included in the future (I asked academics if they wanted them included and nobody replied). This has been done. However, there are now photo lists available as well, and as of March 2006 they included enrollment numbers. E-mail was sent to all academics requesting that this information be blacked out before distribution to tutors etc. and I hope the information can be avoided in the future (I even wrote a little shell script to doctor the Postscript files).

In May 2003 I also noted that the Computer Students Association required enrollment number and various personal information to join their mailing list. I suggested that this be discontinued and student IDs collected previously be deleted. The request for enrollment numbers was, thankfully, immediately removed and MU-CSA members have requested further discussions with me concerning privacy. In December 2003, a student also alerted me to the fact that for some group projects in CSSE students are requested to provide enrollment numbers of all students in the submission, allowing students to obtain enrollment numbers of other students. There are many subjects which have group projects, and in some the groups are quite large. Since academics in the department can easily convert from CSSE login ids to enrollment numbers, I see no strong reason for weakening privacy by asking for enrollment numbers instead. This issue was taken up with the department, eventually resulting in an official Department policy (a rare thing indeed), in March 2004. In September 2004 a brief audit revealed a couple of subjects which violated the policy and an e-mail was sent to all academic staff.

I have also raised some of these matters briefly with the University Privacy Officer. It was pointed out that as of September 1, 2002, forms requesting personal information need to state the purposes to which it will be put. However, this does not address the question of what happens to the information the University generates, such as academic results, for which privacy is expected.

The relationship between casual staff in our department and their concurrent or previous role as students has also been raised. There has been at least one instance in 2004 of an enrollment number being requested for the creation of an account for a casual, and the form requesting an account for casual staff asked for either student enrollment number or staff number. The form now asks for staff number and mentions enrollment numbers should be avoided for privacy reasons.

Staff CVs

Some years ago, CSSE staff were asked to provide CVs as part of a department review. Later these CVs were collated and distributed to all staff (and who knows where else) - not the purpose of collecting the data. Publications while employed at the University are collected and cited in the Research Report, but prior publications, employment and consulting history of staff should only be used for the purpose they were collected for unless staff give explicit permission. More recently there was a suggestion that staff provide CVs for the purpose of obtaining research funding from a particular source. I requested the information only be used for this purpose.

In June 2004 staff were again requested to provided CVs and required fill in a survey for the purpose of gaining ACS and IEAust accreditation for our courses. As well as not using the information for other purposes, some staff queried the University collecting personal information such as "membership of professional or other bodies" and "consulting work", despite arguably being at odds with the University privacy policy. Staff were (at least initially) given no assurances as to what would be done with the information. Some staff refused to supply some information. Some senior staff expressed disappointment - below is an extract of an e-mail response I made.

I agree the process and outcome have been disappointing from some perspectives. I have always favoured strongly encouraging people to provide as much information as they are comfortable with. However, people have been told they are required to supply certain information and some requested information includes such things as membership of organisations (not just professional organisations) and there were no assurances given concerning privacy. It wasn't as blunt as asking about race, religion, union membership or "are you a member of the communist party" (though the latter two are implicit in membership of organisations) but it was out of line with accepted community and university standards wrt privacy.

Some of our staff are rather sensitive about privacy (for reasonable reasons I believe) - certainly more sensitive than me, and they probably reacted negatively to this. I feel I have a duty to support their right to withhold such information, no matter what the reaction is at the faculty level or elsewhere.


I am proud our department is actively defending privacy! I'm not a member of ACS, but I have read their code of ethics. It would be ironic indeed if they deny us accreditation because we are adhering to their code of ethics! I imagine that raising these issues with them would be seen as a positive rather than a negative. I'm not sure about IEAust - they probably have less interest in privacy because engineers have done less to erode privacy (though the IEEE code of ethics mentions privacy I'm pretty sure). Both ACS and IEAust say they welcome feedback on their accreditation processes. It is my hope than we gain accreditation from both bodies and help them improve their processes.

Discussions about the whole process were initiated with the hope that such exercises would be more sensitive to staff privacy in the future. Ideally, accreditation bodies should be more pro-active in this respect. They are open to suggestions for their accreditation manuals and I have suggested that a section on privacy should be included. They should attempt to only request relevant information, make assurances regarding confidentiality and destruction of data and suggest that institutions do the same and communicate the policies and procedures to the staff whose privacy is at stake. Happily, we passed both accreditations with flying colours.

In March 2006 academics were again asked by the Faculty to supply their CVs, so preparations could be made for the transition to the Research Quality Framework. Concern was again expressed; CVs typically contain more than the necessary information. Some also noted that the University already expends considerable effort collecting and collating information about research output of all academic staff, so the request was questionable even ignoring privacy considerations.

In late 2008 the ACS and EA accreditation process began again. I e-mailed the following to CSSE academics and the person in charge of the process for the MSE:

Last time we did this, in 2004, there was a degree of insensitivity wrt privacy, and we have not had a great track record with collection of staff CVs in our department/Faculty - see

Let me make some suggestions to try to avoid any more unpleasantness this time around.

First, the School should undertake to only use this information for the purpose of this accreditation. Ideally the data should be destroyed once accreditation is granted, and Engineers Australia, at the request of the School, should do the same with any copies they have.

Second, academics should be encouraged *but not required* to include information which may be beneficial for the accreditation outcome but is not directly related to employment by the University. The memo as it is currently worded *requires* "Consulting record (2004 onwards)". Wearing my Privacy Liaison Officer hat, I think this is way out of line, especially considering there is nothing said about where the data might end up. To those academics who are sensitive about such information, I suggest you simply omit it (the same applies to Experience in professional practice and some of the other categories mentioned). The bottom line is that you should not feel compelled to include information not directly related to employment by the University.

This instigated a long discussion; here are a couple of snippets. From someone in the MSE:
I had not thought of the privacy angle and am sorry to hear that some people find some of the requests providing CV's as a concern. We have never had an issue about this in our department so this comes to me as a surprise.
From the Head of CSSE:
The critical requirement of a good privacy policy is to have in place assurances that data collected for one purpose -- the one for which it was supplied -- is not then deliberately or even inadvertentlt used for a different purpose. And, of course, dealing with information is an area of engineering the CSSE does have particular expertise in, which is why I am pleased that Lee thought to inject his comments...

With the strong support of the Head of CSSE (but apparently very little from the rest of the MSE) the eventual outcome was reasonable - see the good news section.

Intrusion Detection System

The department is considering installing an intrusion detection system for the department's computer systems. I have had some input into the proposal to ensure that privacy matters are approriately addressed.

University Audio-Visual Copyright Survey, 2003

The University (as part of the AVCC) has an arrangement which allows copying programs from TV etc. for teaching purposes. In return, staff are surveyed from time to time to find out what copying is done, so royalties can be distributed by Screenrights. In 2003 this survey was done by A C Neilsen. The forms, which the University instructed staff to complete, asked for name, signature and contact phone number. It was questioned whether this information was necessary for the purpose of the survey (wouldn't it be sufficient to provide aggregate information on what was copied, without linking it to personal information?). Furthermore, the forms did not make it clear who would have access to the information, who staff could contact to review and update information etc. The collection of only necessary information and stating who will have access to the information and who can be contacted to review and change information are important information privacy principles in Victorian and Federal law.

The matter was discussed with the University Privacy Officer, the University copyright officer, state and federal privacy offices and state and federal union offices. The response of the University Privacy Officer was disappointing. He said it was an issue for A C Neilsen to deal with, not him. According to the 2003 edition of the Melbourne University Magazine

The University of Melbourne is committed to protecting and using personal information about students, staff, alumni and benefactors in accordance with all relevant privacy laws.
This is a post-script to an article by Victorian Privacy Commissioner Paul Chadwick, in which he states
One of the most striking features of Privacy is the way is is over-venerated in summary form and then undervalued in the detail.

Privacy Victoria was helpful, but also somewhat disappointing. They have the power to act on a matter if someone complains that their privacy rights have been violated (and then the first step is conciliation), but can't be pro-active to avoid privacy violations. The union was not up to speed on privacy issues and was not able to be pro-active either.

Our department initially withheld all forms from A C Neilson. Eventually they were returned, though some staff chose to not to participate, or provided partial or imprecise information. There is a chance that our input will make the process better in the future.

Union Enterprise Bargaining Agreement

I suggested that the University's committment to protecting (as well as respecting) staff privacy be elevated from the pages of the Melbourne University Magazine to the 2003 EBA.


The university has posted signs around campus alerting people to the use of surveilance cameras in the area. I queried the use of surveilance cameras by the University in public areas (eg, Grattan St.) in a Departmental meeting. Surveilance is covered by separate legislation to "information privacy" and I have not (yet) read the legislation. The University claims to abide by the legislation. This does not necessarily imply it is "doing the right thing".

The department has also installed (at least one) camera. I have been involved with discussions about its orientation, to avoid the offices of staff-members being in the field of view, and appropriate signs.

Secure Document Destruction

When the department moved buildings late in 2002, tonnes of paper was thrown out of offices. So called "secure" bins were provided for sensitive information such as student records. Although (some of) these bins had chains and padlocks, the chains were not attached to the lids! The bins could simply be opened. They were also in a "public" area - a corridor with little traffic. Potentially, anyone could walk in and rummage through the bins. Many years ago (around 1980) the department put a large pile of exam script book in a public area, awaiting removal. I was free to rummage through the pile and collect several of mine. I also spotted several of students I knew, and even academic staff who had completed the Postgraduate Diploma in the department.

Staff home addresses

Staff need to provide the University their home address for taxation purposes. Melbourne Theatre Company (part of the corporate structure of the University) uses these addresses for marketing - arguably not part of the purpose of collecting this information from staff. Some staff are very concerned about who has access to their home address. This matter taken up with the University Privacy Officer. The response was that MTC is a University Department and thus permitted to have access to staff home addresses. This does not address the question of what is appropriate use of the information. Perhaps the University Privacy Officer would welcome junk mail from any university department but there are staff in our department who do not.